mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

tighten and clarify Kyverno roles and permissions (#2799)

Browse source 
* update roles and rolebindings

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert label and fix perms

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update role

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* restrict role

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix whitespace

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests and roles

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove ingress extensions/v1beta1

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix chart

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix role

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* tighten and clarify Kyverno roles and permissions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fake commit to trigger workflows

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert tests and update test role

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add newlines

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove update role

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove invalid param

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* cleanup roles in Helm templates

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove `mutate` cluster role binding

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
Jim Bugwadia 2021-12-09 20:34:06 -08:00 committed by GitHub
parent 911bebcf4d
commit b17e76493e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 5410 additions and 5359 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Makefile
View file

@ -335,3 +335,4 @@ fmt: goimports
vet:
go vet ./...

50
charts/kyverno/templates/aggregateroles.yaml Normal file
View file

@ -0,0 +1,50 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha2
resources:
- policyreport
- clusterpolicyreport
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest
rules:
- apiGroups:
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
verbs:
- "*"
{{- end }}

332
charts/kyverno/templates/clusterrole.yaml
View file

@ -2,20 +2,148 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
- apiGroups:
- coordination.k8s.io
- "rbac.authorization.k8s.io"
resources:
- leases
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
- apiGroups:
- "kyverno.io"
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
- generaterequests
- generaterequests/status
- reportchangerequests
- reportchangerequests/status
- clusterreportchangerequests
- clusterreportchangerequests/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:view
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:generate
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
- configmaps
- secrets
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
- apiGroups:
- "quota"
resources:
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
{{- if .Values.generatecontrollerExtraResources }}
- apiGroups:
- "*"
resources:
{{- range .Values.generatecontrollerExtraResources }}
- {{ . }}
{{- end }}
verbs:
- create
- update
- delete
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:events
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
- apiGroups:
- "*"
resources:
- events
verbs:
- create
- delete
- get
- patch
- update
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -24,15 +152,11 @@ metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# Dynamic creation of webhooks, events & certs
- apiGroups:
- '*'
- 'admissionregistration.k8s.io'
resources:
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs:
- create
- delete
@ -41,189 +165,5 @@ rules:
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
resourceNames:
- kubernetes.io/legacy-unknown
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- signers
resourceNames:
- kubernetes.io/legacy-unknown
verbs:
- approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# get the roleRef for incoming api-request user
- apiGroups:
- "*"
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
- configmaps
- namespaces
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:customresources
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# Kyverno CRs
- apiGroups:
- '*'
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
- generaterequests
- generaterequests/status
- reportchangerequests
- reportchangerequests/status
- clusterreportchangerequests
- clusterreportchangerequests/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- 'apiextensions.k8s.io'
resources:
- customresourcedefinitions
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:policycontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# background processing, identify all existing resources
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:generatecontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# process generate rules to generate resources
- apiGroups:
- "*"
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
{{- range .Values.generatecontrollerExtraResources }}
- {{ . }}
{{- end }}
verbs:
- create
- update
- delete
- list
- get
# dynamic watches on trigger resources for generate rules
# re-evaluate the policy if the resource is updated
- apiGroups:
- '*'
resources:
- namespaces
verbs:
- watch
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha2
resources:
- policyreport
- clusterpolicyreport
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest
rules:
- apiGroups:
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
verbs:
- "*"

125
charts/kyverno/templates/clusterrolebinding.yaml
View file

@ -2,13 +2,73 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:leaderelection
name: {{ template "kyverno.fullname" . }}:userinfo
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:policies
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:view
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:view
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:generate
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:generate
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:events
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:events
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
@ -28,64 +88,5 @@ subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:userinfo
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:customresources
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:customresources
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:policycontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:policycontroller
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:generatecontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:generatecontroller
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}

8987
charts/kyverno/templates/crds.yaml
View file

File diff suppressed because it is too large Load diff

20
charts/kyverno/templates/role.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end }}

17
charts/kyverno/templates/rolebinding.yaml Normal file
View file

@ -0,0 +1,17 @@
{{- if .Values.rbac.create }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.fullname" . }}:leaderelection
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}

98
config/github/rbac.yaml
View file

@ -1,81 +1,13 @@
---
# This role is required for e2e tests that generate and update a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:userinfo
name: kyverno:test-e2e
rules:
# get the roleRef for incoming api-request user
- apiGroups:
- "*"
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
- configmaps
verbs:
- watch
- create
- update
- delete
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:customresources
rules:
# Kyverno CRs
- apiGroups:
- '*'
resources:
- clusterpolicies
- clusterpolicies/status
- generaterequests
- generaterequests/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:policycontroller
rules:
# background processing, identify all existing resources
- apiGroups:
- '*'
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:generatecontroller
rules:
# process generate rules to generate resources
- apiGroups:
- "*"
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
- roles
- clusterroles
- rolebindings
- clusterrolebindings
@ -87,11 +19,19 @@ rules:
- patch
- update
- watch
# dynamic watches on trigger resources for generate rules
# re-evaluate the policy if the resource is updated
- apiGroups:
- '*'
resources:
- namespaces
verbs:
- watch
---
# This role binding is required for e2e tests that generate and update a ClusterRole.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:test-e2e
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:test-e2e
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno

385
config/install.yaml
View file

@ -7130,6 +7130,31 @@ metadata:
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:leaderelection
namespace: kyverno
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
@ -7149,7 +7174,13 @@ rules:
- policies
- clusterpolicies
verbs:
- '*'
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -7171,7 +7202,13 @@ rules:
- policyreports
- clusterpolicyreports
verbs:
- '*'
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -7193,7 +7230,13 @@ rules:
- reportchangerequests
- clusterreportchangerequests
verbs:
- '*'
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -7206,11 +7249,90 @@ metadata:
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:customresources
name: kyverno:events
rules:
- apiGroups:
- '*'
resources:
- events
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:generate
rules:
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
- configmaps
- secrets
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
- apiGroups:
- quota
resources:
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
@ -7234,94 +7356,6 @@ rules:
- update
- watch
- deletecollection
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:generatecontroller
rules:
- apiGroups:
- '*'
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
verbs:
- create
- update
- delete
- list
- get
- apiGroups:
- '*'
resources:
- namespaces
verbs:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:leaderelection
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:policycontroller
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -7337,20 +7371,40 @@ metadata:
name: kyverno:userinfo
rules:
- apiGroups:
- '*'
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
- configmaps
- namespaces
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:view
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
@ -7363,13 +7417,10 @@ metadata:
name: kyverno:webhook
rules:
- apiGroups:
- '*'
- admissionregistration.k8s.io
resources:
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs:
- create
- delete
@ -7378,73 +7429,9 @@ rules:
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- signers
verbs:
- approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: RoleBinding
metadata:
labels:
app: kyverno
@ -7455,9 +7442,10 @@ metadata:
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:leaderelection
namespace: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
kind: Role
name: kyverno:leaderelection
subjects:
- kind: ServiceAccount
@ -7475,11 +7463,53 @@ metadata:
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:policycontroller
name: kyverno:events
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
name: kyverno:events
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:generate
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generate
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:policies
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policies
subjects:
- kind: ServiceAccount
name: kyverno-service-account
@ -7508,6 +7538,27 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno:view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:view
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno

313
config/install_debug.yaml
View file

@ -7069,6 +7069,25 @@ metadata:
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: kyverno
name: kyverno:leaderelection
namespace: kyverno
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
@ -7082,7 +7101,13 @@ rules:
- policies
- clusterpolicies
verbs:
- '*'
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -7098,7 +7123,13 @@ rules:
- policyreports
- clusterpolicyreports
verbs:
- '*'
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -7114,18 +7145,91 @@ rules:
- reportchangerequests
- clusterreportchangerequests
verbs:
- '*'
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:customresources
name: kyverno:events
rules:
- apiGroups:
- '*'
resources:
- events
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:generate
rules:
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
- configmaps
- secrets
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
- apiGroups:
- quota
resources:
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
@ -7149,76 +7253,6 @@ rules:
- update
- watch
- deletecollection
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
rules:
- apiGroups:
- '*'
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
verbs:
- create
- update
- delete
- list
- get
- apiGroups:
- '*'
resources:
- namespaces
verbs:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:leaderelection
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -7228,33 +7262,44 @@ metadata:
name: kyverno:userinfo
rules:
- apiGroups:
- '*'
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
- configmaps
- namespaces
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:view
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:webhook
rules:
- apiGroups:
- '*'
- admissionregistration.k8s.io
resources:
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs:
- create
- delete
@ -7263,68 +7308,17 @@ rules:
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- signers
verbs:
- approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: RoleBinding
metadata:
labels:
app: kyverno
name: kyverno:leaderelection
namespace: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
kind: Role
name: kyverno:leaderelection
subjects:
- kind: ServiceAccount
@ -7336,11 +7330,41 @@ kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
name: kyverno:events
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
name: kyverno:events
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:generate
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generate
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:policies
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policies
subjects:
- kind: ServiceAccount
name: kyverno-service-account
@ -7363,6 +7387,21 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:view
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno

66
config/k8s-resource/aggregateroles.yaml Normal file
View file

@ -0,0 +1,66 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha2
resources:
- policyreports
- clusterpolicyreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:
- apiGroups:
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
verbs:
- create
- delete
- get
- list
- patch
- update
- watch

68
config/k8s-resource/clusterrolebindings.yaml
View file

@ -2,13 +2,13 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:leaderelection
labels:
app: kyverno
name: kyverno:policies
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:leaderelection
name: kyverno:policies
subjects:
- kind: ServiceAccount
name: kyverno-service-account
@ -18,11 +18,39 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:webhook
name: kyverno:view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:webhook
name: kyverno:view
subjects:
- kind: ServiceAccount
name: kyverno-service-account
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:generate
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generate
subjects:
- kind: ServiceAccount
name: kyverno-service-account
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:events
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:events
subjects:
- kind: ServiceAccount
name: kyverno-service-account
@ -46,39 +74,11 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:customresources
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
name: kyverno:webhook
subjects:
- kind: ServiceAccount
name: kyverno-service-account

225
config/k8s-resource/clusterroles.yaml
View file

@ -1,100 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:leaderelection
labels:
app: kyverno
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:webhook
name: kyverno:policies
rules:
# Dynamic creation of webhooks, events & certs
- apiGroups:
- '*'
resources:
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
resourceNames:
- kubernetes.io/legacy-unknown
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- signers
resourceNames:
- kubernetes.io/legacy-unknown
verbs:
- approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:userinfo
rules:
# get the roleRef for incoming api-request user
- apiGroups:
- "*"
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
- configmaps
- namespaces
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:customresources
rules:
# Kyverno CRs
- apiGroups:
- '*'
- "kyverno.io"
resources:
- policies
- policies/status
@ -119,21 +32,14 @@ rules:
- update
- watch
- deletecollection
- apiGroups:
- 'apiextensions.k8s.io'
resources:
- customresourcedefinitions
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
name: kyverno:view
rules:
# background processing, identify all existing resources
- apiGroups:
- '*'
resources:
@ -141,7 +47,6 @@ rules:
verbs:
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
@ -149,77 +54,103 @@ kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
name: kyverno:generate
rules:
# process generate rules to generate resources
- apiGroups:
- "*"
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- secrets
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
- apiGroups:
- "quota"
resources:
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
- list
- get
# dynamic watches on trigger resources for generate rules
# re-evaluate the policy if the resource is updated
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:events
rules:
- apiGroups:
- '*'
- "*"
resources:
- namespaces
- events
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:userinfo
rules:
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
name: kyverno:webhook
rules:
- apiGroups:
- kyverno.io
- 'admissionregistration.k8s.io'
resources:
- policies
- clusterpolicies
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
- apiGroups:
- wgpolicyk8s.io/v1alpha2
resources:
- policyreports
- clusterpolicyreports
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:
- apiGroups:
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
verbs:
- "*"
- create
- delete
- get
- list
- patch
- update
- watch

3
config/k8s-resource/kustomization.yaml
View file

@ -4,6 +4,9 @@ kind: Kustomization
resources:
- ./clusterroles.yaml
- ./clusterrolebindings.yaml
- ./roles.yaml
- ./rolebindings.yaml
- ./aggregateroles.yaml
- ./configmap.yaml
- ./metricsconfigmap.yaml
- ./service.yaml

1
config/k8s-resource/poddisruptionbudget.yaml
View file

@ -4,7 +4,6 @@ metadata:
name: kyverno
labels:
app: kyverno
namespace: kyverno
spec:
minAvailable: 0
selector:

14
config/k8s-resource/rolebindings.yaml Normal file
View file

@ -0,0 +1,14 @@
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:leaderelection
labels:
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kyverno:leaderelection
subjects:
- kind: ServiceAccount
name: kyverno-service-account

19
config/k8s-resource/roles.yaml Normal file
View file

@ -0,0 +1,19 @@
---
# Dynamic management of leader election leases
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kyverno:leaderelection
labels:
app: kyverno
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update

2
scripts/verify-deployment.sh
View file

@ -22,7 +22,7 @@ monitor_timeout() {
echo "Timeout ${timeout} exceeded" >&2
kubectl --namespace "${namespace}" get pods
docker images | grep "kyverno"
kubectl --namespace "${namespace}" describe deployment "${deployment}" -o yaml
kubectl --namespace "${namespace}" describe deployment "${deployment}"
kubectl --namespace "${namespace}" logs -l app=kyverno
kill "${wait_pid}"
}

10
test/e2e/generate/resources.go
View file

@ -84,9 +84,8 @@ spec:
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
kind: Role
name: "ns-role"
namespace: "default"
name: "ns-role"
namespace: "default"
- name: "gen-role-binding"
match:
resources:
@ -98,7 +97,6 @@ spec:
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
kind: RoleBinding
name: "ns-role-binding"
namespace: default
`)
@ -111,8 +109,8 @@ metadata:
namespace: default
name: ns-role
rules:
- apiGroups: ["*"]
resources: ["*"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list", "delete", "create"]
`)

10
test/e2e/mutate/config.go
View file

@ -114,7 +114,7 @@ var ingressTests = struct {
resourceName: "kuard-v1",
resource: ingressNetworkingV1,
},
// the following two tests can be removed after 1.22 cluster
// the following test can be removed after 1.22 cluster
{
testName: "test-networking-v1beta1-ingress",
group: "networking.k8s.io",
@ -123,13 +123,5 @@ var ingressTests = struct {
resourceName: "kuard-v1beta1",
resource: ingressNetworkingV1beta1,
},
{
testName: "test-extensions-v1beta1-ingress",
group: "extensions",
version: "v1beta1",
rsc: "ingresses",
resourceName: "kuard-extensions",
resource: ingressExtensionV1beta1,
},
},
}

23
test/e2e/mutate/resources.go
View file

@ -190,29 +190,6 @@ spec:
- kuard
`)
var ingressExtensionV1beta1 = []byte(`
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
labels:
app: kuard
name: kuard-extensions
namespace: test-ingress
spec:
rules:
- host: kuard
http:
paths:
- backend:
serviceName: kuard
servicePort: 8080
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- kuard
`)
var setRunAsNonRootTrue = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy