mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-04-18 02:06:52 +00:00
Code Activity

remove duplicate clusterroles

Browse source
This commit is contained in:
Shuting Zhao 2020-11-19 14:22:54 -08:00
parent 44f356d1f4
commit a542c937ab
6 changed files with 194 additions and 371 deletions

155
definitions/install.yaml
View file

@ -2689,6 +2689,51 @@ metadata:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreports
- clusterpolicyreports
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:
- apiGroups:
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:customresources
rules:
@ -2745,6 +2790,7 @@ rules:
- create
- update
- delete
- list
- get
- apiGroups:
- '*'
@ -2831,70 +2877,6 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
- policies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyreport
rules:
- apiGroups:
- '*'
resources:
- policyreports
- clusterpolicyreports
- pods
verbs:
- get
- list
- watch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyviolations
rules:
@ -2908,38 +2890,6 @@ rules:
- watch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:view-clusterpolicyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- clusterpolicyreport
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: kyverno:view-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -2981,19 +2931,6 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyreport
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policyreport
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyviolations
roleRef:

155
definitions/install_debug.yaml
View file

@ -2689,6 +2689,51 @@ metadata:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreports
- clusterpolicyreports
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:
- apiGroups:
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:customresources
rules:
@ -2745,6 +2790,7 @@ rules:
- create
- update
- delete
- list
- get
- apiGroups:
- '*'
@ -2831,70 +2877,6 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
- policies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyreport
rules:
- apiGroups:
- '*'
resources:
- policyreports
- clusterpolicyreports
- pods
verbs:
- get
- list
- watch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyviolations
rules:
@ -2908,38 +2890,6 @@ rules:
- watch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:view-clusterpolicyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- clusterpolicyreport
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: kyverno:view-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -2981,19 +2931,6 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyreport
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policyreport
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyviolations
roleRef:

78
definitions/k8s-resource/clusterrolebindings.yaml Normal file
View file

@ -0,0 +1,78 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyviolations
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policyviolations
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:webhook
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:userinfo
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno

172
definitions/k8s-resource/rbac.yaml → definitions/k8s-resource/clusterroles.yaml
View file

@ -34,84 +34,6 @@ rules:
- policyviolations
verbs: ["get", "list", "watch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:webhook
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:userinfo
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policyviolations
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policyviolations
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@ -251,6 +173,7 @@ rules:
- create
- update
- delete
- list
- get
# dynamic watches on trigger resources for generate rules
# re-evaluate the policy if the resource is updated
@ -261,7 +184,7 @@ rules:
verbs:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
@ -272,79 +195,11 @@ rules:
- kyverno.io
resources:
- policies
- clusterpolicies
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyreport
rules:
- apiGroups: ["*"]
resources:
- policyreports
- clusterpolicyreports
- pods
verbs: ["get", "list", "watch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:policyreport
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policyreport
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:view-policyreport
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [ "wgpolicyk8s.io/v1alpha1" ]
resources:
- policyreport
verbs: [ "get", "list", "watch" ]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:view-clusterpolicyreport
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["wgpolicyk8s.io/v1alpha1"]
resources:
- clusterpolicyreport
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: kyverno:edit-policies-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
- policies
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
@ -354,7 +209,22 @@ rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
- policyreports
- clusterpolicyreports
verbs:
- '*'
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:
- apiGroups:
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
verbs:
- "*"

3
definitions/k8s-resource/kustomization.yaml
View file

@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./rbac.yaml
- ./clusterroles.yaml
- ./clusterrolebindings.yaml
- ./configmap.yaml

2
pkg/generate/cleanup/cleanup.go
View file

@ -43,7 +43,7 @@ func deleteGeneratedResources(log logr.Logger, client *dclient.Client, gr kyvern
for _, genResource := range gr.Status.GeneratedResources {
err := client.DeleteResource("", genResource.Kind, genResource.Namespace, genResource.Name, false)
if apierrors.IsNotFound(err) {
log.Error(err, "resource not foundl will not delete", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
log.Error(err, "resource not found will not delete", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name)
continue
}
if err != nil {