From 053202fc8467cf3569114235e891ee4046d63bb8 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 22 Aug 2019 12:48:27 -0700
Subject: [PATCH] update install.yaml
---
 definitions/install.yaml | 49 ++++++
 definitions/install_debug.yaml | 3 +-
 definitions/new_install.yaml | 285 ---------------------------------
 3 files changed, 50 insertions(+), 287 deletions(-)
 delete mode 100644 definitions/new_install.yaml
diff --git a/definitions/install.yaml b/definitions/install.yaml
index e06d4f49f9..8096b78a95 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -175,6 +175,55 @@ spec:
 data:
 AnyValue: {}
 ---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: policyviolations.kyverno.io
+spec:
+ group: kyverno.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ scope: Cluster
+ names:
+ kind: PolicyViolation
+ plural: policyviolations
+ singular: policyviolation
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ required:
+ - policy
+ - resource
+ - rules
+ properties:
+ policy:
+ type: string
+ resource:
+ type: object
+ required:
+ - kind
+ - name
+ properties:
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ rules:
+ type: array
+ items:
+ type: object
+ required:
+ - name
+ - type
+ - message
+---
 kind: Namespace
 apiVersion: v1
 metadata:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 918da0c354..f25c2d6bfa 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -222,5 +222,4 @@ spec:
 required:
 - name
 - type
- - message
----
\ No newline at end of file
+ - message
\ No newline at end of file
diff --git a/definitions/new_install.yaml b/definitions/new_install.yaml
deleted file mode 100644
index a2a8ab724c..0000000000
--- a/definitions/new_install.yaml
+++ /dev/null
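Review bot: In the definitions/install.yaml hunk, the `rules.items` schema of the new policyviolations.kyverno.io CRD marks `name`, `type` and `message` as required but declares no `properties` for them, so validation checks only that the keys are present and accepts a value of any type. These records are what an operator reads when auditing policy results, so each of the three fields should be pinned to `type: string`, the way `policy` and the `resource` fields already are. Separately, the CRD is `scope: Cluster` while `resource` carries a `namespace`; if that is intended, a comment should say so, because read access to violations then cannot be granted per namespace through RBAC.

```yaml
              items:
                type: object
                # … unchanged: required list (name, type, message) …
                properties:
                  name:
                    type: string
                  type:
                    type: string
                  message:
                    type: string
```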
@@ -1,285 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: policies.kyverno.io
-spec:
- group: kyverno.io
- versions:
- - name: v1alpha1
- served: true
- storage: true
- scope: Cluster
- names:
- kind: Policy
- plural: policies
- singular: policy
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- spec:
- required:
- - rules
- properties:
- # default values to be handled by user
- validationFailureAction:
- type: string
- enum:
- - enforce # blocks the resorce api-reques if a rule fails. Default behavior
- - audit # allows resource creationg and reports the failed validation rules as violations
- rules:
- type: array
- items:
- type: object
- required:
- - name
- - match
- properties:
- name:
- type: string
- match:
- type: object
- required:
- - resources
- properties:
- resources:
- type: object
- required:
- - kinds
- properties:
- kinds:
- type: array
- items:
- type: string
- name:
- type: string
- namespace:
- type: string
- selector:
- properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
- matchExpressions:
- type: array
- items:
- type: object
- required:
- - key
- - operator
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- type: array
- items:
- type: string
- exclude:
- type: object
- required:
- - resources
- properties:
- resources:
- type: object
- properties:
- kinds:
- type: array
- items:
- type: string
- name:
- type: string
- namespace:
- type: string
- selector:
- properties:
- matchLabels:
- type: object
- additionalProperties:
- type: string
- matchExpressions:
- type: array
- items:
- type: object
- required:
- - key
- - operator
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- type: array
- items:
- type: string
- mutate:
- type: object
- properties:
- overlay:
- AnyValue: {}
- patches:
- type: array
- items:
- type: object
- required:
- - path
- - op
- properties:
- path:
- type: string
- op:
- type: string
- enum:
- - add
- - replace
- - remove
- value:
- AnyValue: {}
- validate:
- type: object
- required:
- - pattern
- properties:
- message:
- type: string
- pattern:
- AnyValue: {}
- generate:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- name:
- type: string
- clone:
- type: object
- required:
- - namespace
- - name
- properties:
- namespace:
- type: string
- name:
- type: string
- data:
- AnyValue: {}
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: policyviolations.kyverno.io
-spec:
- group: kyverno.io
- versions:
- - name: v1aplha1
- served: true
- storage: true
- scope: Cluster
- names:
- kind: PolicyViolation
- plural: policyviolations
- singular: policyviolation
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- spec:
- required:
- - policyName
- - resource
- - rules
- properties:
- policyName:
- type: string
- resource:
- type: object
- required:
- - kind
- - name
- properties:
- kind:
- type: string
- name:
- type: string
- namespace:
- type: string
- rules:
- type: array
- items:
- type: object
- required:
- - name
- - type
- - status
- - message
----
-kind: Namespace
-apiVersion: v1
-metadata:
- name: "kyverno"
----
-apiVersion: v1
-kind: Service
-metadata:
- namespace: kyverno
- name: kyverno-svc
- labels:
- app: kyverno
-spec:
- ports:
- - port: 443
- targetPort: 443
- selector:
- app: kyverno
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-service-account
- namespace: kyverno
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: kyverno-admin
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- kind: ServiceAccount
- name: kyverno-service-account
- namespace: kyverno
----
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- namespace: kyverno
- name: kyverno
- labels:
- app: kyverno
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: kyverno
- spec:
- serviceAccountName: kyverno-service-account
- containers:
- - name: kyverno
- image: nirmata/kyverno:latest
- args: ["--filterK8Resources","[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*]Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"]
- ports:
- - containerPort: 443
- securityContext:
- privileged: true
-