# Kyverno v1.1.10 install manifest: one multi-document Kubernetes YAML file
# (Namespace, seven CRDs, ServiceAccount, ClusterRoles + ClusterRoleBindings,
# ConfigMap, Service, Deployment). The capture below has lost its line
# structure: every `---` separator and every nested key sits on one of a few
# very long lines, so this text does not parse as YAML as-is and must be
# re-indented before it is applied.
#
# Review notes that span the whole file:
# - apiextensions.k8s.io/v1beta1 and rbac.authorization.k8s.io/v1beta1 are
#   deprecated API versions (both removed in Kubernetes 1.22). The CRD
#   validation blocks are v1beta1 non-structural schemas with untyped `{}`
#   members, so unknown fields inside policies are not rejected server-side.
# - kyverno-service-account is bound to ClusterRoles whose union (get/list/
#   update on */*, create/delete on secrets, clusterroles, clusterrolebindings,
#   admission webhook configurations, CSR approval) is cluster-admin
#   equivalent; the kyverno namespace and this SA's token are a tier-0 asset.
# - Kyverno excludes its own namespace and kube-system from evaluation
#   (resourceFilters / --filterK8Resources on the last line), so its own
#   workloads are never checked by the policies it enforces.
#
# Line 1: Namespace `kyverno`, then the ClusterPolicy CRD
# (clusterpolicies.kyverno.io, cluster-scoped, short name `cpol`):
# spec.background, spec.rules[] with exclude/generate/match blocks. The
# generate.clone and generate.data (`data: {}` = any JSON) members are here;
# match continues on the next line.
apiVersion: v1 kind: Namespace metadata: name: kyverno --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io names: kind: ClusterPolicy plural: clusterpolicies shortNames: - cpol singular: clusterpolicy scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: background: type: boolean rules: items: properties: exclude: properties: clusterRoles: items: type: string type: array resources: properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string namespaces: items: type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string required: - namespace - name type: object data: {} kind: type: string name: type: string namespace: type: string synchronize: type: boolean required: - kind - name type: object match: properties: clusterRoles: items: type: string type: array resources: minProperties: 1 properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string namespaces: items: type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object 
# Line 2: rest of the ClusterPolicy CRD (match.roles/subjects; mutate with
# overlay/patchStrategicMerge/patches[]{op enum add|replace|remove, path,
# value}/patchesJson6902 as a raw string; preconditions; validate with
# anyPattern/deny.conditions/message/pattern; validationFailureAction enum
# enforce|audit). `overlay: {}`, `patchStrategicMerge: {}`, `anyPattern: {}`
# and `pattern: {}` accept arbitrary JSON, so patch content written by policy
# authors is not shape-checked by the API server.
# Then the ClusterPolicyReport CRD (clusterpolicyreports.policy.kubernetes.io,
# generated by controller-gen v0.2.5) begins: printer columns Kind/Name/Pass/
# Fail/Warn/Error/Skip/Age. NOTE(review): it is declared `scope: Namespaced`,
# which looks inconsistent with a Cluster* kind whose scope column is the
# report subject — confirm against the policy-report API it implements.
roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array required: - resources type: object mutate: properties: overlay: {} patchStrategicMerge: {} patches: items: properties: op: enum: - add - replace - remove type: string path: type: string value: {} required: - path - op type: object type: array patchesJson6902: type: string type: object name: type: string preconditions: items: required: - key - operator - value type: object type: array validate: properties: anyPattern: {} deny: properties: conditions: items: properties: key: type: string operator: enum: - Equal - Equals - NotEqual - NotEquals - In - NotIn type: string value: anyOf: - type: string - items: {} type: array required: - key - operator - value type: object type: array message: type: string pattern: {} type: object required: - name - match type: object type: array validationFailureAction: enum: - enforce - audit type: string required: - rules status: {} versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.5 creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: - JSONPath: .scope.kind name: Kind priority: 1 type: string - JSONPath: .scope.name name: Name priority: 1 type: string - JSONPath: .summary.pass name: Pass type: integer - JSONPath: .summary.fail name: Fail type: integer - JSONPath: .summary.warn name: Warn type: integer - JSONPath: .summary.error name: Error type: integer - JSONPath: .summary.skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp name: Age type: date group: policy.kubernetes.io names: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports singular: clusterpolicyreport scope: Namespaced subresources: {} 
# Line 3: ClusterPolicyReport openAPIV3Schema: apiVersion, kind, metadata,
# results[] (PolicyReportResult: data map, message, policy, resource as an
# ObjectReference, rule, scored, status enum Pass|Fail|Warn|Error|Skip;
# only `policy` is required). The description "resource check bu the policy
# rule" carries a typo (sic) — the string is data emitted by the generator,
# so fix it in the Go type comment, not here. The resource.fieldPath
# description continues on the next line.
validation: openAPIV3Schema: description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy or rule properties: data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resource: description: Resource is an optional reference to the resource check bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). 
# Line 4: remainder of results[].resource (kind, name, namespace,
# resourceVersion, uid), then rule/scored/status, then `scope` (another
# ObjectReference naming the report subject) begins.
This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean status: description: Status indicates the result of the policy rule check enum: - Pass - Fail - Warn - Error - Skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
# Line 5: continuation of scope (fieldPath, kind, name, namespace,
# resourceVersion, uid).
For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. 
# Line 6: end of ClusterPolicyReport (summary with error/fail/pass/skip/warn,
# all required; version v1alpha1; empty status block). Then the
# ClusterPolicyViolation CRD (clusterpolicyviolations.kyverno.io, cluster-
# scoped, short name `cpolv`): printer columns Policy/ResourceKind/
# ResourceName/Age; spec.policy, spec.resource{kind,name}, spec.rules[]
# {message,name,type}, all required. Then the GenerateRequest CRD
# (generaterequests.kyverno.io) begins; its printer-column descriptions
# reuse the "violation" wording ("that cause the violation", sic) although
# a GenerateRequest is not a violation — cosmetic, but misleading in
# `kubectl get gr`.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object summary: description: PolicyReportSummary provides a summary of results properties: error: type: integer fail: type: integer pass: type: integer skip: type: integer warn: type: integer required: - error - fail - pass - skip - warn type: object type: object version: v1alpha1 versions: - name: v1alpha1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: ClusterPolicyViolation plural: clusterpolicyviolations shortNames: - cpolv singular: clusterpolicyviolation scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string required: - kind - name type: object rules: items: properties: message: type: string name: type: string type: type: string required: - name - type - message type: object type: array required: - policy - resource - rules versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind 
# Line 7: rest of GenerateRequest (ResourceNamespace column; a `.status.state`
# column named `status` in lowercase, unlike the other CapitalCase column
# names; group kyverno.io, namespaced, short name `gr`; spec.policy and
# spec.resource{kind,name,namespace} required). Then the namespaced Policy
# CRD (policies.kyverno.io, short name `pol`) begins with the same rule
# schema as ClusterPolicy, except that match/exclude.resources here lack the
# `annotations` and `namespaces` selectors — `namespaces` is expected to be
# absent for a namespaced policy; the missing `annotations` looks like drift
# between the two CRDs rather than intent — confirm.
that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .spec.resource.namespace description: The resource namespace that caused the violation name: ResourceNamespace type: string - JSONPath: .status.state description: Current state of generate request name: status type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: GenerateRequest plural: generaterequests shortNames: - gr singular: generaterequest scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string namespace: type: string required: - kind - name type: object required: - policy - resource versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: policies.kyverno.io spec: group: kyverno.io names: kind: Policy plural: policies shortNames: - pol singular: policy scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: background: type: boolean rules: items: properties: exclude: properties: clusterRoles: items: type: string type: array resources: properties: kinds: items: type: string type: array name: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: 
# Line 8: rest of the Policy CRD. Where ClusterPolicy uses a bare `{}`, this
# CRD writes `data: AnyValue: {}`, `overlay: AnyValue: {}`,
# `patchStrategicMerge: AnyValue: {}`, `value: AnyValue: {}`,
# `anyPattern: AnyValue: {}`, `pattern: AnyValue: {}`. `AnyValue` is not an
# OpenAPI v3 schema keyword; presumably the API server drops it and the
# effective schema is the same "any value" as in ClusterPolicy — confirm,
# and align the two CRDs so they are generated from one source.
# `preconditions` items list required keys but declare no `properties`.
# Then the PolicyReport CRD begins (its name is on the next line).
type: string required: - namespace - name type: object data: AnyValue: {} kind: type: string name: type: string namespace: type: string synchronize: type: boolean required: - kind - name type: object match: properties: clusterRoles: items: type: string type: array resources: minProperties: 1 properties: kinds: items: type: string type: array name: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array required: - resources type: object mutate: properties: overlay: AnyValue: {} patchStrategicMerge: AnyValue: {} patches: items: properties: op: enum: - add - replace - remove type: string path: type: string value: AnyValue: {} required: - path - op type: object type: array patchesJson6902: type: string type: object name: type: string preconditions: items: required: - key - operator - value type: object type: array validate: properties: anyPattern: AnyValue: {} deny: properties: conditions: items: properties: key: type: string operator: enum: - Equal - Equals - NotEqual - NotEquals - In - NotIn type: string value: anyOf: - type: string - items: {} type: array required: - key - operator - value type: object type: array message: type: string pattern: AnyValue: {} type: object required: - name - match type: object type: array validationFailureAction: enum: - enforce - audit type: string required: - rules status: {} versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.5 creationTimestamp: null name: 
# Line 9: PolicyReport CRD (policyreports.policy.kubernetes.io, namespaced).
# Same printer columns and the same schema as ClusterPolicyReport above
# (lines 9–12 mirror lines 2–6).
policyreports.policy.kubernetes.io spec: additionalPrinterColumns: - JSONPath: .scope.kind name: Kind priority: 1 type: string - JSONPath: .scope.name name: Name priority: 1 type: string - JSONPath: .summary.pass name: Pass type: integer - JSONPath: .summary.fail name: Fail type: integer - JSONPath: .summary.warn name: Warn type: integer - JSONPath: .summary.error name: Error type: integer - JSONPath: .summary.skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp name: Age type: date group: policy.kubernetes.io names: kind: PolicyReport listKind: PolicyReportList plural: policyreports singular: policyreport scope: Namespaced subresources: {} validation: openAPIV3Schema: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
# Line 10: PolicyReport results[] (same PolicyReportResult shape, same
# "check bu" typo in the resource description).
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy or rule properties: data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resource: description: Resource is an optional reference to the resource check bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. 
# Line 11: rest of results[].resource, rule/scored/status, and the `scope`
# ObjectReference of PolicyReport.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean status: description: Status indicates the result of the policy rule check enum: - Pass - Fail - Warn - Error - Skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. 
# Line 12: end of PolicyReport (scope tail, summary, version v1alpha1). Then
# the PolicyViolation CRD (policyviolations.kyverno.io, namespaced, short
# name `polv`) — the namespaced twin of ClusterPolicyViolation, same columns
# and spec; its rules[] schema continues on the next line.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object summary: description: PolicyReportSummary provides a summary of results properties: error: type: integer fail: type: integer pass: type: integer skip: type: integer warn: type: integer required: - error - fail - pass - skip - warn type: object type: object version: v1alpha1 versions: - name: v1alpha1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: policyviolations.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: PolicyViolation plural: policyviolations shortNames: - polv singular: policyviolation scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string required: - kind - name type: object rules: items: properties: message: 
# Line 13: end of PolicyViolation; ServiceAccount kyverno-service-account in
# namespace kyverno; then the controller's ClusterRoles:
# - kyverno:customresources — full CRUD on the Kyverno CRDs, but with
#   `apiGroups: ['*']` although every listed resource lives in kyverno.io or
#   policy.kubernetes.io; narrow to those two groups. NOTE(review): the
#   entries `policyreport`, `policyreport/status`, `clusterpolicyreport`,
#   `clusterpolicyreport/status` use the singular form, while RBAC matches
#   the plural resource name declared by the CRD (`policyreports`,
#   `clusterpolicyreports`), so those four entries appear to grant nothing.
# - kyverno:generatecontroller — create/update/delete/get on namespaces,
#   networkpolicies, secrets, configmaps, resourcequotas, limitranges,
#   clusterroles, rolebindings, clusterrolebindings in every API group, plus
#   watch on namespaces. These are the kinds a `generate` rule may create, so
#   whoever can author a policy with a generate rule can have the controller
#   create Secrets and RBAC bindings on their behalf; whether namespaced
#   Policy objects are restricted to namespaced targets is not visible in
#   this file — confirm in the controller.
# - kyverno:policycontroller — get/list/update on `*` resources in `*`
#   groups cluster-wide (needed for background scans and mutation of
#   existing objects, but cluster-wide update is near cluster-admin).
# - kyverno:userinfo — watch-only on roles, clusterroles, (cluster)role
#   bindings and configmaps.
# - kyverno:webhook — create/delete/update on mutating and validating webhook
#   configurations (i.e. the ability to (re)register admission webhooks for
#   any resource), events, and CSRs; the `certificates.k8s.io` rules for the
#   `kubernetes.io/legacy-unknown` signer continue on the next line.
type: string name: type: string type: type: string required: - name - type - message type: object type: array required: - policy - resource - rules versions: - name: v1 served: true storage: true --- apiVersion: v1 kind: ServiceAccount metadata: name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:customresources rules: - apiGroups: - '*' resources: - policies - policies/status - clusterpolicies - clusterpolicies/status - policyreport - policyreport/status - clusterpolicyreport - clusterpolicyreport/status - clusterpolicyviolations - clusterpolicyviolations/status - policyviolations - policyviolations/status - generaterequests - generaterequests/status verbs: - create - delete - get - list - patch - update - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:generatecontroller rules: - apiGroups: - '*' resources: - namespaces - networkpolicies - secrets - configmaps - resourcequotas - limitranges - clusterroles - rolebindings - clusterrolebindings verbs: - create - update - delete - get - apiGroups: - '*' resources: - namespaces verbs: - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:policycontroller rules: - apiGroups: - '*' resources: - '*' verbs: - get - list - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:userinfo rules: - apiGroups: - '*' resources: - roles - clusterroles - rolebindings - clusterrolebindings - configmaps verbs: - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:webhook rules: - apiGroups: - '*' resources: - events - mutatingwebhookconfigurations - validatingwebhookconfigurations - certificatesigningrequests - certificatesigningrequests/approval verbs: - create - delete - get - list - patch - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown 
# Line 14: end of kyverno:webhook — the SA may both create CSRs and
# `approve` the `kubernetes.io/legacy-unknown` signer, i.e. it can issue
# itself the webhook serving certificate; CSR approval is a sensitive
# capability, keep the resourceNames restriction. Then the user-facing,
# aggregated roles (all rbac/v1beta1):
# - kyverno:admin-policies — aggregate-to-admin, verbs `*` on kyverno.io
#   `policies`; combined with the generate permissions above this is the
#   privilege boundary to watch.
# - kyverno:edit-policies-policyreports — aggregate-to-edit, but only get/
#   list/watch (read-only despite the "edit" name). NOTE(review): it lists
#   `policies` under apiGroup `policy.kubernetes.io`, whereas the CRD puts
#   `policies` in `kyverno.io`, so that entry matches nothing.
# - kyverno:edit-policies-policyviolations — aggregate-to-edit, read-only
#   verbs only.
# - kyverno:policyreport — not aggregated; again the singular
#   `policyreport`/`clusterpolicyreport` names (see line 13).
# - kyverno:policyviolations — not aggregated, read-only.
# - kyverno:view-clusterpolicyreports and (next line)
#   kyverno:view-clusterpolicyviolations — named "view" but labelled
#   aggregate-to-admin rather than aggregate-to-view; presumably deliberate
#   for cluster-scoped objects — confirm.
resources: - certificatesigningrequests - certificatesigningrequests/approval - certificatesigningrequests/status verbs: - create - delete - get - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - signers verbs: - approve --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: - apiGroups: - kyverno.io resources: - policies verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" name: kyverno:edit-policies-policyreports rules: - apiGroups: - policy.kubernetes.io resources: - policyreports - clusterpolicyreports - policies verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" name: kyverno:edit-policies-policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations - policies verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: kyverno:policyreport rules: - apiGroups: - policy.kubernetes.io resources: - policyreport - clusterpolicyreport verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: kyverno:policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:view-clusterpolicyreports rules: - apiGroups: - policy.kubernetes.io resources: - clusterpolicyreports verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: 
# Line 15: kyverno:view-clusterpolicyviolations (aggregate-to-admin), then
# the two aggregate-to-view roles (kyverno:view-policies-policyviolations,
# kyverno:view-policyreports; read-only). Then the ClusterRoleBindings that
# attach kyverno:customresources, kyverno:generatecontroller,
# kyverno:policycontroller, kyverno:userinfo and kyverno:webhook to the
# single subject ServiceAccount kyverno-service-account/kyverno — this is
# where the cluster-admin-equivalent union described at the top is formed.
kyverno:view-clusterpolicyviolations rules: - apiGroups: - kyverno.io resources: - clusterpolicyviolations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" name: kyverno:view-policies-policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations - policies verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" name: kyverno:view-policyreports rules: - apiGroups: - policy.kubernetes.io resources: - policyreports verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:customresources subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:generatecontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:policycontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:userinfo subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: 
# Line 16: end of the kyverno:webhook binding, then runtime configuration:
# - ConfigMap init-config: `excludeGroupRole` names the subjects exempt from
#   policy enforcement (kube-system service accounts, nodes, kube-scheduler);
#   `resourceFilters` lists [kind,namespace,name] triples that are never
#   evaluated — Events, everything in kube-system, kube-public,
#   kube-node-lease and kyverno, Nodes, APIServices, TokenReviews,
#   SubjectAccessReviews, Bindings, ReplicaSets. Every exemption here is a
#   policy bypass; review the list when extending it.
# - The identical filter list is repeated in the container arg
#   `--filterK8Resources=…`; which of the two sources wins is not visible in
#   this file — keep them in sync or drop one (the ConfigMap is referenced
#   via env INIT_CONFIG=init-config).
# - Service kyverno-svc: 443 -> 443, selector app=kyverno; the webhook
#   configurations the controller registers point at it.
# - Deployment kyverno (replicas 1 — a single admission webhook instance;
#   fail-open/fail-closed behaviour is set by the webhook configuration the
#   controller creates, not here): image nirmata/kyverno:v1.1.10 and init
#   image nirmata/kyvernopre:v1.1.10 with `imagePullPolicy: Always` on a
#   mutable tag — pin by digest (`nirmata/kyverno@sha256:<DIGEST-PLACEHOLDER>`)
#   so a re-pull cannot swap the binary of a cluster-admin-equivalent pod.
#   No pod- or container-level securityContext is set (no runAsNonRoot,
#   readOnlyRootFilesystem, allowPrivilegeEscalation: false or dropped
#   capabilities); add them after confirming the image runs unprivileged.
#   Only a memory limit (128Mi) is declared, no CPU limit; 128Mi is a tight
#   ceiling for a controller that caches cluster objects. Liveness and
#   readiness probes hit /health/liveness and /health/readiness over HTTPS on
#   443. `-v=2` sets log verbosity. serviceAccountName attaches the roles
#   bound above.
kyverno:webhook subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno --- apiVersion: v1 kind: Service metadata: labels: app: kyverno name: kyverno-svc namespace: kyverno spec: ports: - port: 443 targetPort: 443 selector: app: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: kyverno name: kyverno namespace: kyverno spec: replicas: 1 selector: matchLabels: app: kyverno template: metadata: labels: app: kyverno spec: containers: - args: - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] - -v=2 env: - name: INIT_CONFIG value: init-config - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc image: nirmata/kyverno:v1.1.10 imagePullPolicy: Always livenessProbe: failureThreshold: 4 httpGet: path: /health/liveness port: 443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: kyverno ports: - containerPort: 443 readinessProbe: failureThreshold: 4 httpGet: path: /health/readiness port: 443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 resources: limits: memory: 128Mi requests: cpu: 100m memory: 50Mi initContainers: - image: nirmata/kyvernopre:v1.1.10 imagePullPolicy: Always name: kyverno-pre serviceAccountName: kyverno-service-account