apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io versions: - name: v1alpha1 served: true storage: true scope: Cluster names: kind: ClusterPolicy plural: clusterpolicies singular: clusterpolicy subresources: status: {} validation: openAPIV3Schema: properties: spec: required: - rules properties: # default values to be handled by user validationFailureAction: type: string enum: - enforce # blocks the resorce api-reques if a rule fails. - audit # allows resource creation and reports the failed validation rules as violations. Default rules: type: array items: type: object required: - name - match properties: name: type: string match: type: object required: - resources properties: resources: type: object required: - kinds properties: kinds: type: array items: type: string name: type: string namespaces: type: array items: type: string selector: properties: matchLabels: type: object additionalProperties: type: string matchExpressions: type: array items: type: object required: - key - operator properties: key: type: string operator: type: string values: type: array items: type: string exclude: type: object required: - resources properties: resources: type: object properties: kinds: type: array items: type: string name: type: string namespaces: type: array items: type: string selector: properties: matchLabels: type: object additionalProperties: type: string matchExpressions: type: array items: type: object required: - key - operator properties: key: type: string operator: type: string values: type: array items: type: string mutate: type: object properties: overlay: AnyValue: {} patches: type: array items: type: object required: - path - op properties: path: type: string op: type: string enum: - add - replace - remove value: AnyValue: {} validate: type: object properties: message: type: string pattern: AnyValue: {} anyPattern: AnyValue: {} generate: type: object required: - kind - name properties: kind: type: string name: type: string clone: type: object required: - namespace - name properties: namespace: type: string name: type: string data: AnyValue: {} --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: group: kyverno.io versions: - name: v1alpha1 served: true storage: true scope: Cluster names: kind: ClusterPolicyViolation plural: clusterpolicyviolations singular: clusterpolicyviolation subresources: status: {} validation: openAPIV3Schema: properties: spec: required: - policy - resource - rules properties: policy: type: string resource: type: object required: - kind - name properties: kind: type: string name: type: string namespace: type: string rules: type: array items: type: object required: - name - type - message properties: name: type: string type: type: string message: type: string managedResource: type: object properties: kind: type: string namespace: type: string creationBlocked: type: boolean --- kind: Namespace apiVersion: v1 metadata: name: "kyverno" --- apiVersion: v1 kind: Service metadata: namespace: kyverno name: kyverno-svc labels: app: kyverno spec: ports: - port: 443 targetPort: 443 selector: app: kyverno --- apiVersion: v1 kind: ServiceAccount metadata: name: kyverno-service-account namespace: kyverno --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: kyverno-admin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: v1 kind: ConfigMap metadata: name: init-config namespace: kyverno data: # resource types to be skipped by kyverno policy engine resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" --- apiVersion: apps/v1 kind: Deployment metadata: namespace: kyverno name: kyverno labels: app: kyverno spec: selector: matchLabels: app: kyverno replicas: 1 template: metadata: labels: app: kyverno spec: serviceAccountName: kyverno-service-account containers: - name: kyverno image: nirmata/kyverno:v0.11.0 args: - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" # customize webhook timout # - "--webhooktimeout=4" # open one of the profiling flag here # - "--cpu=true" ports: - containerPort: 443 env: - name: INIT_CONFIG value: init-config