apiVersion: v1 kind: Namespace metadata: name: kyverno --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io names: kind: ClusterPolicy plural: clusterpolicies shortNames: - cpol singular: clusterpolicy scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: background: type: boolean rules: items: properties: exclude: properties: clusterRoles: items: type: string type: array resources: properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string namespaces: items: type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string required: - namespace - name type: object data: {} kind: type: string name: type: string namespace: type: string synchronize: type: boolean required: - kind - name type: object match: properties: clusterRoles: items: type: string type: array resources: minProperties: 1 properties: annotations: additionalProperties: type: string type: object kinds: items: type: string type: array name: type: string namespaces: items: type: string type: array selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array required: - resources type: object mutate: properties: overlay: {} patchStrategicMerge: {} patches: items: properties: op: enum: - add - replace - remove type: string path: type: string value: {} required: - path - op type: object type: array patchesJson6902: type: string type: object name: type: string preconditions: items: required: - key - operator - value type: object type: array validate: properties: anyPattern: {} deny: properties: conditions: items: properties: key: type: string operator: enum: - Equal - Equals - NotEqual - NotEquals - In - NotIn type: string value: anyOf: - type: string - items: {} type: array required: - key - operator - value type: object type: array message: type: string pattern: {} type: object required: - name - match type: object type: array validationFailureAction: enum: - enforce - audit type: string required: - rules status: {} versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: - JSONPath: .scope.kind name: Kind priority: 1 type: string - JSONPath: .scope.name name: Name priority: 1 type: string - JSONPath: .summary.pass name: Pass type: integer - JSONPath: .summary.fail name: Fail type: integer - JSONPath: .summary.warn name: Warn type: integer - JSONPath: .summary.error name: Error type: integer - JSONPath: .summary.skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp name: Age type: date group: policy.kubernetes.io names: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports singular: clusterpolicyreport scope: Namespaced subresources: {} validation: openAPIV3Schema: description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean status: description: Status indicates the result of the policy rule check enum: - Pass - Fail - Warn - Error - Skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the policy report scope. For example. the report may be for all resources in a namespace, a for a node, or cluster-wide. properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - error - fail - pass - skip - warn type: object type: object version: v1alpha1 versions: - name: v1alpha1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: ClusterPolicyViolation plural: clusterpolicyviolations shortNames: - cpolv singular: clusterpolicyviolation scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string required: - kind - name type: object rules: items: properties: message: type: string name: type: string type: type: string required: - name - type - message type: object type: array required: - policy - resource - rules versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .spec.resource.namespace description: The resource namespace that caused the violation name: ResourceNamespace type: string - JSONPath: .status.state description: Current state of generate request name: status type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: GenerateRequest plural: generaterequests shortNames: - gr singular: generaterequest scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string namespace: type: string required: - kind - name type: object required: - policy - resource versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: policies.kyverno.io spec: group: kyverno.io names: kind: Policy plural: policies shortNames: - pol singular: policy scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: background: type: boolean rules: items: properties: exclude: properties: clusterRoles: items: type: string type: array resources: properties: kinds: items: type: string type: array name: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array type: object generate: properties: apiVersion: type: string clone: properties: name: type: string namespace: type: string required: - namespace - name type: object data: {} kind: type: string name: type: string namespace: type: string synchronize: type: boolean required: - kind - name type: object match: properties: clusterRoles: items: type: string type: array resources: minProperties: 1 properties: kinds: items: type: string type: array name: type: string selector: properties: matchExpressions: items: properties: key: type: string operator: type: string values: items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string type: object type: object roles: items: type: string type: array subjects: items: properties: apiGroup: type: string kind: type: string name: type: string namespace: type: string required: - kind - name type: object type: array required: - resources type: object mutate: properties: overlay: {} patchStrategicMerge: {} patches: items: properties: op: enum: - add - replace - remove type: string path: type: string value: {} required: - path - op type: object type: array patchesJson6902: type: string type: object name: type: string preconditions: items: required: - key - operator - value type: object type: array validate: properties: anyPattern: {} deny: properties: conditions: items: properties: key: type: string operator: enum: - Equal - Equals - NotEqual - NotEquals - In - NotIn type: string value: anyOf: - type: string - items: {} type: array required: - key - operator - value type: object type: array message: type: string pattern: {} type: object required: - name - match type: object type: array validationFailureAction: enum: - enforce - audit type: string required: - rules status: {} versions: - name: v1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 creationTimestamp: null name: policyreports.policy.kubernetes.io spec: additionalPrinterColumns: - JSONPath: .scope.kind name: Kind priority: 1 type: string - JSONPath: .scope.name name: Name priority: 1 type: string - JSONPath: .summary.pass name: Pass type: integer - JSONPath: .summary.fail name: Fail type: integer - JSONPath: .summary.warn name: Warn type: integer - JSONPath: .summary.error name: Error type: integer - JSONPath: .summary.skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp name: Age type: date group: policy.kubernetes.io names: kind: PolicyReport listKind: PolicyReportList plural: policyreports singular: policyreport scope: Namespaced subresources: {} validation: openAPIV3Schema: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: description: PolicyReportResult provides the result for an individual policy properties: data: additionalProperties: type: string description: Data provides additional information for the policy rule type: object message: description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: description: Resources is an optional reference to the resource checked by the policy and rule items: description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object type: array rule: description: Rule is the name of the policy rule type: string scored: description: Scored indicates if this policy rule is scored type: boolean status: description: Status indicates the result of the policy rule check enum: - Pass - Fail - Warn - Error - Skip type: string required: - policy type: object type: array scope: description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array required: - key - operator type: object type: array matchLabels: additionalProperties: type: string description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: description: Error provides the count of policies that could not be evaluated type: integer fail: description: Fail provides the count of policies whose requirements were not met type: integer pass: description: Pass provides the count of policies whose requirements were met type: integer skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - error - fail - pass - skip - warn type: object type: object version: v1alpha1 versions: - name: v1alpha1 served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: policyviolations.kyverno.io spec: additionalPrinterColumns: - JSONPath: .spec.policy description: The policy that resulted in the violation name: Policy type: string - JSONPath: .spec.resource.kind description: The resource kind that cause the violation name: ResourceKind type: string - JSONPath: .spec.resource.name description: The resource name that caused the violation name: ResourceName type: string - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: kind: PolicyViolation plural: policyviolations shortNames: - polv singular: policyviolation scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: policy: type: string resource: properties: kind: type: string name: type: string required: - kind - name type: object rules: items: properties: message: type: string name: type: string type: type: string required: - name - type - message type: object type: array required: - policy - resource - rules versions: - name: v1 served: true storage: true --- apiVersion: v1 kind: ServiceAccount metadata: name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:customresources rules: - apiGroups: - '*' resources: - policies - policies/status - clusterpolicies - clusterpolicies/status - policyreports - policyreports/status - clusterpolicyreports - clusterpolicyreports/status - clusterpolicyviolations - clusterpolicyviolations/status - policyviolations - policyviolations/status - generaterequests - generaterequests/status verbs: - create - delete - get - list - patch - update - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:generatecontroller rules: - apiGroups: - '*' resources: - namespaces - networkpolicies - secrets - configmaps - jobs - resourcequotas - limitranges - clusterroles - rolebindings - clusterrolebindings verbs: - create - update - delete - get - apiGroups: - '*' resources: - namespaces verbs: - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:policycontroller rules: - apiGroups: - '*' resources: - '*' verbs: - get - list - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:userinfo rules: - apiGroups: - '*' resources: - roles - clusterroles - rolebindings - clusterrolebindings - configmaps - namespaces verbs: - watch - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:webhook rules: - apiGroups: - '*' resources: - events - mutatingwebhookconfigurations - validatingwebhookconfigurations - certificatesigningrequests - certificatesigningrequests/approval verbs: - create - delete - get - list - patch - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - certificatesigningrequests - certificatesigningrequests/approval - certificatesigningrequests/status verbs: - create - delete - get - update - watch - apiGroups: - certificates.k8s.io resourceNames: - kubernetes.io/legacy-unknown resources: - signers verbs: - approve --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: - apiGroups: - kyverno.io resources: - policies verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: - apiGroups: - policy.kubernetes.io resources: - policyreport - clusterpolicyreport verbs: - '*' --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" name: kyverno:edit-policies-policyreport rules: - apiGroups: - policy.kubernetes.io resources: - policyreport - clusterpolicyreport - policies verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" name: kyverno:edit-policies-policyviolations rules: - apiGroups: - policy.kubernetes.io resources: - policyreport - clusterpolicyreport verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: kyverno:policyreport rules: - apiGroups: - policy.kubernetes.io resources: - policyreport - clusterpolicyreport verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: kyverno:policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:view-clusterpolicyreport rules: - apiGroups: - policy.kubernetes.io resources: - clusterpolicyreport verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:view-clusterpolicyviolations rules: - apiGroups: - kyverno.io resources: - clusterpolicyviolations verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" name: kyverno:view-policies-policyviolations rules: - apiGroups: - kyverno.io resources: - policyviolations - policies verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-view: "true" name: kyverno:view-policyreport rules: - apiGroups: - policy.kubernetes.io resources: - policyreport verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:customresources subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:generatecontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:policycontroller subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:userinfo subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kyverno:webhook subjects: - kind: ServiceAccount name: kyverno-service-account namespace: kyverno --- apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno --- apiVersion: v1 data: App: "" kind: ConfigMap metadata: name: kyverno-event namespace: kyverno --- apiVersion: v1 kind: Service metadata: labels: app: kyverno name: kyverno-svc namespace: kyverno spec: ports: - port: 443 targetPort: 443 selector: app: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: kyverno name: kyverno namespace: kyverno spec: replicas: 1 selector: matchLabels: app: kyverno template: metadata: labels: app: kyverno spec: containers: - args: - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] - -v=2 env: - name: INIT_CONFIG value: init-config - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc image: nirmata/kyverno:v1.1.11 imagePullPolicy: Always livenessProbe: failureThreshold: 4 httpGet: path: /health/liveness port: 443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: kyverno ports: - containerPort: 443 readinessProbe: failureThreshold: 4 httpGet: path: /health/readiness port: 443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 resources: limits: memory: 128Mi requests: cpu: 100m memory: 50Mi initContainers: - image: nirmata/kyvernopre:v1.1.11 imagePullPolicy: Always name: kyverno-pre serviceAccountName: kyverno-service-account --- apiVersion: batch/v1beta1 kind: CronJob metadata: name: policyreport-background-scan namespace: kyverno spec: concurrencyPolicy: Forbid failedJobsHistoryLimit: 4 jobTemplate: spec: template: spec: containers: - args: - report - all image: evalsocket/kyverno-cli:latest name: policyreport-background-scan restartPolicy: OnFailure schedule: '*/6 * * * *' successfulJobsHistoryLimit: 4 suspend: true