CR fixes

2024-12-14 11:57:48 +00:00 · 2020-02-18 17:10:15 -08:00 · 2020-02-18 17:10:15 -08:00 · c402b5602c
commit c402b5602c
parent 70ac8b1d20
2 changed files with 97 additions and 11 deletions
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -470,22 +470,74 @@ metadata:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
-  name: kyverno-admin
+  name: kyverno:webhook
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: kyvernoRole
+  name: kyverno:webhook
 subjects:
 - kind: ServiceAccount
  name: kyverno-service-account
  namespace: kyverno
 ---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:userinfo
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:userinfo
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:customresources
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:customresources
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:policycontroller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:policycontroller
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---  
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno:generatecontroller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:generatecontroller
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account
+  namespace: kyverno 
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: kyvernoRole
+  name: kyverno:webhook
 rules:
-# Dynamic creation of webhooks and events 
+# Dynamic creation of webhooks, events & certs
 - apiGroups:
  - '*'
  resources:
@ -502,15 +554,27 @@ rules:
  - patch
  - update
  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:userinfo
+rules:
 # get the roleRef for incoming api-request user
 - apiGroups:
-  - '*'
+  - "*"
  resources:
  - rolebindings
  - clusterrolebindings
  - configmaps
  verbs:
  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:customresources
+rules:
 # Kyverno CRs
 - apiGroups:
  - '*'
@ -531,8 +595,12 @@ rules:
  - patch
  - update
  - watch
-# auto rule gen for pod-controllers using annotations will be under same user
-
+---  
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:policycontroller
+rules:
 # background processing, identify all existing resources
 - apiGroups:
  - '*'
@ -541,9 +609,15 @@ rules:
  verbs:
  - get
  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyverno:generatecontroller
+rules:
 # process generate rules to generate resources
 - apiGroups:
-  - '*'
+  - "*"
  resources:
  - namespaces
  - networkpolicies
--- a/documentation/installation.md
+++ b/documentation/installation.md
@ -82,20 +82,32 @@ Secret | Data | Content
 Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations.

 ### 3. Configure Kyverno Role
-Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to ClusterRole `kyvernoRole`, which defines the default resources and operations that are permitted.
+Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to multiple ClusterRole, which defines the default resources and operations that are permitted.

-The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs access to them. This can be done by adding the resource to default ClusterRole used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount.
+ClusterRoles used by kyverno:
+- kyverno:webhook
+- kyverno:userinfo
+- kyverno:customresources
+- kyverno:policycontroller
+- kyverno:generatecontroller

+The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs permissions to create/update/delete. This can be done by adding the resource to the ClusterRole `kyverno:generatecontroller` used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount.

 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
-  name: kyvernoRoleGenerate
+  name: kyverno:generatecontroller
 rules:
 - apiGroups:
  - "*"
  resources:
+  - namespaces
+  - networkpolicies
+  - secrets
+  - configmaps
+  - resourcequotas
+  - limitranges
  - ResourceA # new Resource to be generated
  - ResourceB
  verbs: