From bd5f871fee12c40f6fa5904057d754873eba65f7 Mon Sep 17 00:00:00 2001 From: Yuvraj Date: Wed, 3 Jun 2020 17:02:02 -0700 Subject: [PATCH 1/5] helm docs added for helm repository --- charts/kyverno/README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 2c34eba456..ea311dc2bd 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -11,6 +11,12 @@ ## TL;DR; ```console +## Add the nirmata Helm repository +$ helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ + +## Install the kyverno helm chart +$ helm install --name my-release --namespace kyverno nirmata/kyverno + $ helm install --create-namespace -n kyverno kyverno ./charts/kyverno ``` From ca2379baab235dcbfda5ed6e0ee4d8b3711d8f3d Mon Sep 17 00:00:00 2001 From: Yuvraj Date: Wed, 3 Jun 2020 17:59:19 -0700 Subject: [PATCH 2/5] added documentation for installing --- documentation/installation.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/documentation/installation.md b/documentation/installation.md index 41fea319b9..52930dcfbd 100644 --- a/documentation/installation.md +++ b/documentation/installation.md 
@@ -166,6 +166,17 @@ kubectl logs -n kyverno Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh) +## Install kyverno using helm + +```sh +## Add the nirmata Helm repository + helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ + +## Install the kyverno helm chart +helm install --name my-release --namespace kyverno nirmata/kyverno + +``` + # Configure a namespace admin to access policy violations During Kyverno installation, it creates a ClusterRole `kyverno:policyviolations` which has the `list,get,watch` operations on resource `policyviolations`. To grant access to a namespace admin, configure the following YAML file then apply to the cluster. @@ -225,7 +236,6 @@ data: To modify the `ConfigMap`, either directly edit the `ConfigMap` `init-config` in the default configuration [install.yaml] and redeploy it or modify the `ConfigMap` use `kubectl`. Changes to the `ConfigMap` through `kubectl` will automatically be picked up at runtime. - --- *Read Next >> [Writing Policies](/documentation/writing-policies.md)* From 7e2dd0d35e9d72cecd1025e68b27ba549b797b8f Mon Sep 17 00:00:00 2001 From: Yuvraj <10830562+evalsocket@users.noreply.github.com> Date: Wed, 3 Jun 2020 18:13:42 -0700 Subject: [PATCH 3/5] documentation fixed --- documentation/installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/installation.md b/documentation/installation.md index 52930dcfbd..cdb6be2fcb 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -166,7 +166,7 @@ kubectl logs -n kyverno Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh) -## Install kyverno using helm +## Install Kyverno using Helm ```sh ## Add the nirmata Helm repository 
From ffe6f9c19c63f911bc14e8fea1ec85956d5a7c4b Mon Sep 17 00:00:00 2001 From: Yuvraj <10830562+evalsocket@users.noreply.github.com> Date: Wed, 3 Jun 2020 18:15:07 -0700 Subject: [PATCH 4/5] alignment changes --- documentation/installation.md | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/documentation/installation.md b/documentation/installation.md index cdb6be2fcb..ed4af1bb10 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -4,9 +4,20 @@ The Kyverno policy engine runs as an admission webhook and requires a CA-signed certificate and key to setup secure TLS communication with the kube-apiserver (the CA can be self-signed). +## Install Kyverno using Helm + +```sh +## Add the nirmata Helm repository + helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ + +## Install the kyverno helm chart +helm install --name my-release --namespace kyverno nirmata/kyverno + +``` + There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver. -## Option 1: Use kube-controller-manager to generate a CA-signed certificate +### Option 1: Use kube-controller-manager to generate a CA-signed certificate Kyverno can request a CA signed certificate-key pair from `kube-controller-manager`. This method requires that the kube-controller-manager is configured to act as a certificate signer. To verify that this option is enabled for your cluster, check the command-line args for the kube-controller-manager. If `--cluster-signing-cert-file` and `--cluster-signing-key-file` are passed to the controller manager with paths to your CA's key-pair, then you can proceed to install Kyverno using this method. 
@@ -36,11 +47,11 @@ kubectl describe pod -n kyverno kubectl logs -n kyverno ```` -## Option 2: Use your own CA-signed certificate +### Option 2: Use your own CA-signed certificate You can install your own CA-signed certificate, or generate a self-signed CA and use it to sign a certifcate. Once you have a CA and X.509 certificate-key pair, you can install these as Kubernetes secrets in your cluster. If Kyverno finds these secrets, it uses them. Otherwise it will request the kube-controller-manager to generate a certificate (see Option 1 above). -### 1. Generate a self-signed CA and signed certificate-key pair +#### 1. Generate a self-signed CA and signed certificate-key pair **Note: using a separate self-signed root CA is difficult to manage and not recommeded for production use.** @@ -61,7 +72,7 @@ Among the files that will be generated, you can use the following files to creat - webhooks.crt - webhooks.key -### 2. Configure secrets for the CA and TLS certificate-key pair +#### 2. Configure secrets for the CA and TLS certificate-key pair To create the required secrets, use the following commands (do not change the secret names): @@ -81,7 +92,7 @@ Secret | Data | Content Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations. -### 3. Configure Kyverno Role +#### 3. Configure Kyverno Role Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to multiple ClusterRole, which defines the default resources and operations that are permitted. ClusterRoles used by kyverno: @@ -131,7 +142,7 @@ subjects: namespace: kyverno ``` -### 4. Install Kyverno +#### 4. Install Kyverno To install a specific version, download [install.yaml] and then change the image tag. 
@@ -166,16 +177,6 @@ kubectl logs -n kyverno Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh) -## Install Kyverno using Helm - -```sh -## Add the nirmata Helm repository - helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ - -## Install the kyverno helm chart -helm install --name my-release --namespace kyverno nirmata/kyverno - -``` # Configure a namespace admin to access policy violations From 0c66428640692ab1a7a47760fdb0fe329d0eb838 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 3 Jun 2020 19:11:14 -0700 Subject: [PATCH 5/5] Fix headings and add note on namespace --- documentation/installation.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/documentation/installation.md b/documentation/installation.md index ed4af1bb10..dc41d0963f 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -2,7 +2,7 @@ # Installation -The Kyverno policy engine runs as an admission webhook and requires a CA-signed certificate and key to setup secure TLS communication with the kube-apiserver (the CA can be self-signed). +You can install Kyverno using the Helm chart or YAML files in this repository. ## Install Kyverno using Helm @@ -15,6 +15,12 @@ helm install --name my-release --namespace kyverno nirmata/kyverno ``` +Note: the namespace must be `kyverno`. + +## Install Kyverno using YAMLs + +The Kyverno policy engine runs as an admission webhook and requires a CA-signed certificate and key to setup secure TLS communication with the kube-apiserver (the CA can be self-signed). + There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver. ### Option 1: Use kube-controller-manager to generate a CA-signed certificate
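Review bot: In PATCH 1/5 (charts/kyverno/README.md, the TL;DR hunk), the repository alias and the chart reference do not match: `helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/` registers the repo under the name `kyverno`, but the next line installs `nirmata/kyverno`, and Helm resolves chart references as `<repo-name>/<chart>`, so there is no repo named `nirmata` and the install fails. Either add the repo as `nirmata` or install `kyverno/kyverno`. The same hunk also mixes Helm versions: `--name my-release` is Helm 2 syntax (Helm 3 takes the release name positionally and rejects `--name`), while the pre-existing line `helm install --create-namespace -n kyverno kyverno ./charts/kyverno` is Helm 3 only (`--create-namespace` was added in Helm 3.2). Since the two `helm install` lines are now back to back in one console block with no text between them, a reader cannot tell they are alternatives (chart from the repo vs. chart from the checkout). Suggest one consistent Helm 3 form, e.g. `helm install kyverno kyverno/kyverno -n kyverno --create-namespace`, and a short comment marking the local-chart line as the alternative. Given that the chart installs a cluster-wide admission webhook, it would also be worth showing `--version <chart-version>` so that the documented command is reproducible rather than whatever the repo index currently marks as latest.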
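Review bot: In PATCH 2/5 (documentation/installation.md, hunk `@@ -166,6 +166,17 @@`), the new `## Install kyverno using helm` section is inserted after "Option 2, step 4" and the self-signed-cert helper script, so it reads as a continuation of the manual TLS/secrets procedure rather than as an independent install path; PATCH 4/5 later moves it, but the intermediate state is misleading if these commits are reviewed or bisected individually. The block carries over the repo/chart mismatch from PATCH 1 (`helm repo add kyverno ...` followed by `nirmata/kyverno`) and the Helm 2 `--name` flag, and the first command has a stray leading space (` helm repo add kyverno ...`) that will be copied along with the command. The second hunk in this patch (`@@ -225,7 +236,6 @@`) only removes a blank line before the `---` separator; that whitespace change is unrelated to the commit's stated purpose and could be dropped to keep the diff focused.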
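Review bot: In PATCH 4/5 (hunk `@@ -4,9 +4,20 @@`), demoting `## Option 1: ...` and `## Option 2: ...` to `###` places them structurally under the new `## Install Kyverno using Helm` heading, although the sentence immediately above them ("There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver") and the options themselves describe the certificate setup for the YAML install, not the Helm chart. An intervening `##` heading for the YAML path is needed for the hierarchy to make sense (PATCH 5/5 adds `## Install Kyverno using YAMLs`, which resolves this). While the `@@ -36,11 +47,11 @@` hunk is touching the Option 2 heading, the adjacent context lines still carry the typos `certifcate` and `recommeded`; fixing them in the same commit would be cheap.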
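Review bot: In PATCH 5/5 (hunk `@@ -15,6 +15,12 @@`), `Note: the namespace must be `kyverno`.` states the constraint without saying why or what happens otherwise. The reason is visible elsewhere in this file: the ClusterRoleBinding subjects in the `#### 3. Configure Kyverno Role` section hardcode `namespace: kyverno` for the `kyverno-service-account`, so installing the release into another namespace leaves the bindings pointing at a ServiceAccount that does not exist there and the webhook runs without the permissions it expects. Suggest stating that in the note, and placing it before the `helm install` command rather than after the code block so the reader sees it before copying the command. Also, in Helm 3 `--namespace kyverno` does not create the namespace; on a fresh cluster the documented command fails unless `--create-namespace` is added (as the README's own `helm install --create-namespace -n kyverno ...` line already does) or the namespace is created first with `kubectl create namespace kyverno`.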