---
# Lease access for controller leader election (coordination.k8s.io only).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:leaderelection
  labels:
    app: kyverno
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
      - delete
      - get
      - patch
      - update
---
# Webhook registration, event emission and certificate handling.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:webhook
  labels:
    app: kyverno
rules:
  # Dynamic creation of webhooks, events & certs.
  # NOTE(review): apiGroups '*' is wider than the groups these resources
  # live in (core for events, admissionregistration.k8s.io for the webhook
  # configurations, certificates.k8s.io for CSRs). Narrowing it would
  # tighten least privilege — verify against the controller's client calls
  # before changing.
  - apiGroups:
      - '*'
    resources:
      - events
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
      - certificatesigningrequests
      - certificatesigningrequests/approval
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # NOTE(review): resourceNames on certificatesigningrequests filters by CSR
  # object name, so this rule only matches a CSR literally named
  # kubernetes.io/legacy-unknown; the wildcard rule above already covers
  # CSRs without that restriction. Likely intended as a signer restriction.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
      - certificatesigningrequests/approval
      - certificatesigningrequests/status
    resourceNames:
      - kubernetes.io/legacy-unknown
    verbs:
      - create
      - delete
      - get
      - update
      - watch
  # Approving a CSR requires 'approve' on the signers resource, with the
  # signer name as resourceName; this is scoped to the legacy-unknown signer.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - kubernetes.io/legacy-unknown
    verbs:
      - approve
---
# Read-only (list/watch) view of RBAC objects, configmaps and namespaces,
# used to resolve the roles of the user behind an admission request.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:userinfo
  labels:
    app: kyverno
rules:
  # get the roleRef for incoming api-request user
  - apiGroups:
      - '*'
    resources:
      - roles
      - clusterroles
      - rolebindings
      - clusterrolebindings
      - configmaps
      - namespaces
    verbs:
      - watch
      - list
---
# Full control over Kyverno's own custom resources and their status
# subresources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:customresources
  labels:
    app: kyverno
rules:
  # Kyverno CRs
  - apiGroups:
      - '*'
    resources:
      - policies
      - policies/status
      - clusterpolicies
      - clusterpolicies/status
      - policyreports
      - policyreports/status
      - clusterpolicyreports
      - clusterpolicyreports/status
      - generaterequests
      - generaterequests/status
      - reportchangerequests
      - reportchangerequests/status
      - clusterreportchangerequests
      - clusterreportchangerequests/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # NOTE(review): no resourceNames, so this allows deleting any CRD in the
  # cluster, not only Kyverno's; consider scoping it to the CRDs this
  # component owns.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - delete
---
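# Broadest grant in this file: get/list/update/watch on every resource in
# every API group, cluster-wide. Because 'update' is included, the holder can
# modify any object it can read (secrets, RBAC bindings, workloads), so this
# service account should be audited as a highly privileged identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:policycontroller
  labels:
    app: kyverno
rules:
  # background processing, identify all existing resources
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - update
      - watch
---
# Write access needed to materialise 'generate' rules. Note this includes
# create/update/delete on secrets, configmaps and namespaces cluster-wide,
# with no namespace or name scoping.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:generatecontroller
  labels:
    app: kyverno
rules:
  # process generate rules to generate resources
  - apiGroups:
      - '*'
    resources:
      - namespaces
      - networkpolicies
      - secrets
      - configmaps
      - resourcequotas
      - limitranges
    verbs:
      - create
      - update
      - delete
      - list
      - get
  # dynamic watches on trigger resources for generate rules
  # re-evaluate the policy if the resource is updated
  - apiGroups:
      - '*'
    resources:
      - namespaces
    verbs:
      - watch
---
# The three roles below carry the aggregate-to-admin label, so their rules
# are folded into the built-in 'admin' ClusterRole: every admin-bound
# subject gains full control ('*') of these kinds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admin-policies
  labels:
    app: kyverno
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - clusterpolicies
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admin-policyreport
  labels:
    app: kyverno
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  # RBAC apiGroups entries are API group names, never group/version. The
  # previous value 'wgpolicyk8s.io/v1alpha2' could not match any request, so
  # this aggregated role granted nothing for policy reports.
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - clusterpolicyreports
    verbs:
      - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:admin-reportchangerequest
  labels:
    app: kyverno
    rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - reportchangerequests
      - clusterreportchangerequests
    verbs:
      - '*'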