apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: policies.kubepolicy.nirmata.io
spec:
  group: kubepolicy.nirmata.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
  scope: Cluster
  names:
    kind: Policy
    plural: policies
    singular: policy
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          required:
          - rules
          properties:
            rules:
              type: array
              items:
                type: object
                required:
                - name
                - resource
                properties:
                  name:
                    type: string
                  resource:
                    type: object
                    required:
                    - kind
                    properties:
                      kind:
                        type: string
                        enum:
                        - ConfigMap
                        - CronJob
                        - DaemonSet
                        - Deployment
                        - Endpoints
                        - HorizontalPodAutoscaler
                        - Ingress
                        - Job
                        - LimitRange
                        - Namespace
                        - NetworkPolicy
                        - PersistentVolumeClaim
                        - PodDisruptionBudget
                        - PodTemplate
                        - ResourceQuota
                        - Secret
                        - Service
                        - StatefulSet
                      name:
                        type: string
                      selector:
                        properties:
                          matchLabels:
                            type: object
                            additionalProperties:
                              type: string
                          matchExpressions:
                            type: array
                            items:
                              type: object
                              required:
                              - key
                              - operator
                              properties:
                                key:
                                  type: string
                                operator:
                                  type: string
                                values:
                                  type: array
                                  items:
                                    type: string
                  mutate:
                    type: object
                    properties:
                      overlay:
                        AnyValue: {}
                      patches:
                        type: array
                        items:
                          type: object
                          required:
                          - path
                          - op
                          properties:
                            path:
                              type: string
                            op:
                              type: string
                              enum:
                              - add
                              - replace
                              - remove
                            value:
                              AnyValue: {}
                  validate:
                    type: object
                    required:
                    - pattern
                    properties:
                      message:
                        type: string
                      pattern:
                        AnyValue: {}
                  generate:
                    type: object
                    required:
                    - kind
                    - name
                    properties:
                      kind:
                        type: string
                      name:
                        type: string
                      copyFrom:
                        type: object
                        required:
                        - namespace
                        - name
                        properties:
                          namespace:
                            type: string
                          name:
                            type: string
                      data:
                        type: object
                        additionalProperties:
                          type: string
                      labels:
                        type: object
                        additionalProperties:
                          type: string
---
apiVersion: v1
kind: Service
metadata:
  namespace: kube-system
  name: kube-policy-svc
  labels:
    app: kube-policy
spec:
  ports:
  - port: 443
    targetPort: 443
  selector:
    app: kube-policy
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-policy-service-account
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-policy-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kube-policy-service-account
  namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: kube-system
  name: kube-policy-deployment
  labels:
    app: kube-policy
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kube-policy
    spec:
      serviceAccountName: kube-policy-service-account
      containers:
        - name: kube-policy
          image: nirmata/kube-policy:latest
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 443
          securityContext:
            privileged: true
      imagePullSecrets:
      - name: docker-registry-key