apiVersion: v1 kind: Namespace metadata: name: kyverno --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io names: kind: ClusterPolicy plural: clusterpolicies shortNames: - cpol singular: clusterpolicy scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: background: type: boolean rules: items: properties: exclude: properties: clusterRoles: items: type: string type: array resources: properties: kinds: items: type: string type: array name: type: string namespaces: items: type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string required: - namespace - name type: object data: AnyValue: {} kind: type: string name: type: string namespace: type: string synchronize: type: boolean required: - kind - name type: object match: properties: clusterRoles: items: type: string type: array resources: minProperties: 1 properties: kinds: items: type: string type: array name: type: string namespaces: items: type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array required: - resources type: object mutate: properties: overlay: AnyValue: {} patchStrategicMerge: AnyValue: {} patches: items: properties: op: enum: - add - replace - remove type: string path: type: string value: AnyValue: {} required: - path - op type: object type: array patchesJson6902: type: string type: object name: type: string preconditions: items: required: - key - operator - value type: object type: array validate: properties: anyPattern: AnyValue: {} deny: properties: conditions: items: properties: key: type: string operator: enum: - Equal - Equals - NotEqual - NotEquals - In - NotIn type: string value: anyOf: - type: string - items: {} type: array required: - key - operator - value type: object type: array message: type: string pattern: AnyValue: {} type: object required: - name - match type: object type: array validationFailureAction: enum: - enforce - audit type: string required: - rules status: {} versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: ClusterPolicyViolation plural: clusterpolicyviolations shortNames: - cpolv singular: clusterpolicyviolation scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string required: - kind - name type: object rules: items: properties: message: type: string name: type: string type: type: string required: - name - type - message type: object type: array required: - policy - resource - rules versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .spec.resource.namespace description: The resource namespace that caused the violation name: ResourceNamespace type: string - JSONPath: .status.state description: Current state of generate request name: status type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: GenerateRequest plural: generaterequests shortNames: - gr singular: generaterequest scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string namespace: type: string required: - kind - name type: object required: - policy - resource versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: policyviolations.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: PolicyViolation plural: policyviolations shortNames: - polv singular: policyviolation scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string required: - kind - name type: object rules: items: properties: message: type: string name: type: string type: type: string required: - name - type - message type: object type: array required: - policy - resource - rules versions: - name: v1 served: true storage: true --- apiVersion: v1 kind: ServiceAccount metadata: name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:customresources rules: - apiGroups: - '*' resources: - clusterpolicies - clusterpolicies/status - clusterpolicyviolations - clusterpolicyviolations/status - policyviolations - policyviolations/status - generaterequests - generaterequests/status verbs: - create - delete - get - list - patch - update - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:generatecontroller rules: - apiGroups: - '*' resources: - namespaces - networkpolicies - secrets - configmaps - resourcequotas - limitranges - clusterroles - rolebindings - clusterrolebindings verbs: - create - update - delete - get - apiGroups: - '*' resources: - namespaces verbs: - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:policycontroller rules: - apiGroups: - '*' resources: - '*' verbs: - get - list - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:userinfo rules: - apiGroups: - '*' resources: - roles - clusterroles - rolebindings - clusterrolebindings - configmaps verbs: - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:webhook rules: - apiGroups: - '*' resources: - events - mutatingwebhookconfigurations - validatingwebhookconfigurations - certificatesigningrequests - certificatesigningrequests/approval verbs: - create - delete - get - list - patch - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - certificatesigningrequests - certificatesigningrequests/approval - certificatesigningrequests/status verbs: - create - delete - get - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - signers verbs: - approve --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: kyverno:policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:view-clusterpolicyviolations rules: - apiGroups: - kyverno.io resources: - clusterpolicyviolations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" name: kyverno:view-policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:customresources subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:generatecontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:policycontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:userinfo subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:webhook subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno --- apiVersion: v1 kind: Service metadata: labels: app: kyverno name: kyverno-svc namespace: kyverno spec: ports: - port: 443 targetPort: 443 selector: app: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: kyverno name: kyverno namespace: kyverno spec: replicas: 1 selector: matchLabels: app: kyverno template: metadata: labels: app: kyverno spec: containers: - args: - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] - --excludeGroupRole="system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler" - -v=2 env: - name: INIT_CONFIG value: init-config - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc image: nirmata/kyverno:v1.1.9 imagePullPolicy: Always livenessProbe: failureThreshold: 4 httpGet: path: /health/liveness port: 443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: kyverno ports: - containerPort: 443 readinessProbe: failureThreshold: 4 httpGet: path: /health/readiness port: 443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 resources: limits: memory: 128Mi requests: cpu: 100m memory: 50Mi initContainers: - image: nirmata/kyvernopre:v1.1.9 imagePullPolicy: Always name: kyverno-pre serviceAccountName: kyverno-service-account