1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
kyverno/definitions/install_debug.yaml
2020-06-26 12:48:45 +05:30

744 lines
19 KiB
YAML

apiVersion: v1
kind: Namespace
metadata:
name: kyverno
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
names:
kind: ClusterPolicy
plural: clusterpolicies
shortNames:
- cpol
singular: clusterpolicy
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
background:
type: boolean
rules:
items:
properties:
exclude:
properties:
clusterRoles:
items:
type: string
type: array
resources:
properties:
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
properties:
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data:
AnyValue: {}
kind:
type: string
name:
type: string
namespace:
type: string
synchronize:
type: boolean
required:
- kind
- name
type: object
match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties:
kinds:
items:
type: string
type: array
name:
type: string
namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay:
AnyValue: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value:
AnyValue: {}
required:
- path
- op
type: object
type: array
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern:
AnyValue: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type: string
value:
anyOf:
- type: string
- type: array
items: {}
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern:
AnyValue: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicyviolations.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: ClusterPolicyViolation
plural: clusterpolicyviolations
shortNames:
- cpolv
singular: clusterpolicyviolation
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
policy:
type: string
resource:
properties:
kind:
type: string
name:
type: string
required:
- kind
- name
type: object
rules:
items:
properties:
message:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- message
type: object
type: array
required:
- policy
- resource
- rules
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .spec.resource.namespace
description: The resource namespace that caused the violation
name: ResourceNamespace
type: string
- JSONPath: .status.state
description: Current state of generate request
name: status
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: GenerateRequest
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
policy:
type: string
resource:
properties:
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
required:
- policy
- resource
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policyviolations.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: PolicyViolation
plural: policyviolations
shortNames:
- polv
singular: policyviolation
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
policy:
type: string
resource:
properties:
kind:
type: string
name:
type: string
required:
- kind
- name
type: object
rules:
items:
properties:
message:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- message
type: object
type: array
required:
- policy
- resource
- rules
versions:
- name: v1
served: true
storage: true
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:customresources
rules:
- apiGroups:
- '*'
resources:
- clusterpolicies
- clusterpolicies/status
- clusterpolicyviolations
- clusterpolicyviolations/status
- policyviolations
- policyviolations/status
- generaterequests
- generaterequests/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:generatecontroller
rules:
- apiGroups:
- '*'
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- create
- update
- delete
- get
- apiGroups:
- '*'
resources:
- namespaces
verbs:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:policycontroller
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:userinfo
rules:
- apiGroups:
- '*'
resources:
- rolebindings
- clusterrolebindings
- configmaps
verbs:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:webhook
rules:
- apiGroups:
- '*'
resources:
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- signers
verbs:
- approve
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:view-clusterpolicyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- clusterpolicyviolations
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: kyverno:view-policyviolations
rules:
- apiGroups:
- kyverno.io
resources:
- policyviolations
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:userinfo
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:webhook
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: v1
data:
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]'
kind: ConfigMap
metadata:
name: init-config
namespace: kyverno
---
apiVersion: v1
kind: Service
metadata:
labels:
app: kyverno
name: kyverno-svc
namespace: kyverno
spec:
ports:
- port: 443
targetPort: 443
selector:
app: kyverno