mirror of
https://github.com/kyverno/policy-reporter.git
synced 2024-12-15 17:50:58 +00:00
Add static manifest setup for E-Mail Summary Reports
Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
parent
3e443f126a
commit
03bbebed79
7 changed files with 162 additions and 9 deletions
|
@ -63,8 +63,6 @@ spec:
|
|||
- --config=/app/config.yaml
|
||||
- --template-dir=/app/templates
|
||||
volumeMounts:
|
||||
- name: sqlite
|
||||
mountPath: /sqlite
|
||||
- name: config-file
|
||||
mountPath: /app/config.yaml
|
||||
subPath: config.yaml
|
||||
|
@ -73,8 +71,6 @@ spec:
|
|||
- name: NAMESPACE
|
||||
value: {{ .Release.Namespace }}
|
||||
volumes:
|
||||
- name: sqlite
|
||||
emptyDir: {}
|
||||
- name: config-file
|
||||
secret:
|
||||
secretName: {{ include "policyreporter.fullname" . }}-config-email-reports
|
||||
|
|
|
@ -63,8 +63,6 @@ spec:
|
|||
- --config=/app/config.yaml
|
||||
- --template-dir=/app/templates
|
||||
volumeMounts:
|
||||
- name: sqlite
|
||||
mountPath: /sqlite
|
||||
- name: config-file
|
||||
mountPath: /app/config.yaml
|
||||
subPath: config.yaml
|
||||
|
@ -73,8 +71,6 @@ spec:
|
|||
- name: NAMESPACE
|
||||
value: {{ .Release.Namespace }}
|
||||
volumes:
|
||||
- name: sqlite
|
||||
emptyDir: {}
|
||||
- name: config-file
|
||||
secret:
|
||||
secretName: {{ include "policyreporter.fullname" . }}-config-email-reports
|
||||
|
|
|
@ -55,7 +55,7 @@ kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/
|
|||
|
||||
## Policy Reporter Configuration
|
||||
|
||||
To configure policy-reporter, for exomaple your notification targets for Policy Reporter create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and the following structure as value:
|
||||
To configure policy-reporter, for example your notification targets for Policy Reporter create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and the following structure as value:
|
||||
|
||||
```yaml
|
||||
priorityMap: {}
|
||||
|
@ -134,3 +134,29 @@ reportFilter:
|
|||
The `kyverno-policy-reporter-ui` and `default-policy-reporter-ui` installation has an optional preconfigured `target-security.yaml` to apply. This secret configures the Policy Reporter UI as target for Policy Reporter.
|
||||
|
||||
When you change the secret while Policy Reporter is already running, you have to delete the current `policy-reporter` Pod.
|
||||
|
||||
## Policy Reporter Summary Email Report
|
||||
|
||||
The `violations-email-report` folder can be used to install Policy Reporter only for the matter of sending E-Mail Summary Reports. You can install the Email Summary Report without the requirement of the Policy Reporter core application. If you already have Policy Reporter installed, you can just apply `config-secret.yaml` and `cronjob.yaml` to add the email report feature. It will reuse the existing `ServiceAccount` and `Namespace`.
|
||||
|
||||
To configure your SMTP server and receiver emails use the following configuration template and replace the `config.yaml` value of `config-secret.yaml` with your base64 encoded configuration.
|
||||
|
||||
```yaml
|
||||
emailReports:
|
||||
clusterName: '' # optional clustername shown in the Report
|
||||
smtp:
|
||||
host: ''
|
||||
port: 465
|
||||
username: ''
|
||||
password: ''
|
||||
from: '' # from E-Mail address
|
||||
encryption: '' # default is none, supports ssl/tls and starttls
|
||||
violations:
|
||||
to: []
|
||||
filter:
|
||||
namespaces:
|
||||
include: []
|
||||
exclude: []
|
||||
sources: []
|
||||
channels: []
|
||||
```
|
||||
|
|
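--- a/manifest/violations-email-report/config-secret.yaml
+++ b/manifest/violations-email-report/config-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: policy-reporter-config-email-reports
+namespace: policy-reporter
+labels:
+app.kubernetes.io/name: policy-reporter
+type: Opaque
+data:
+config.yaml: ZW1haWxSZXBvcnRzOgogIGNsdXN0ZXJOYW1lOgogIHNtdHA6CiAgICBob3N0OgogICAgcG9ydDoKICAgIHVzZXJuYW1lOgogICAgcGFzc3dvcmQ6CiAgICBmcm9tOgogICAgZW5jcnlwdGlvbjoKICBzdW1tYXJ5OgogICAgdG86IFtdCiAgICBmaWx0ZXI6CiAgICAgIG5hbWVzcGFjZXM6CiAgICAgICAgaW5jbHVkZTogW10KICAgICAgICBleGNsdWRlOiBbXQogICAgICBzb3VyY2VzOiBbXQogIHZpb2xhdGlvbnM6CiAgICB0bzogW10KICAgIGZpbHRlcjoKICAgICAgbmFtZXNwYWNlczoKICAgICAgICBpbmNsdWRlOiBbXQogICAgICAgIGV4Y2x1ZGU6IFtdCiAgICAgIHNvdXJjZXM6IFtd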
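Review bot: The placeholder under `data` / `config.yaml` decodes to a template whose `smtp.encryption` is left empty, and the README text in this commit states that the default is none, so a user who fills in only host, username and password would presumably authenticate to the SMTP server without transport encryption. Shipping the template under `stringData:` instead of base64 `data:` would make that field visible and editable in place, with a comment such as `# set encryption to ssl/tls or starttls before adding credentials`. Base64 is an encoding, not protection, so a header comment like `# do not commit this file once it holds real SMTP credentials` would also help. The decoded template additionally contains a `summary` section that the README example does not show, so the two should be brought in line.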
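--- a/manifest/violations-email-report/cronjob.yaml
+++ b/manifest/violations-email-report/cronjob.yaml
@@ -0,0 +1,61 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: policy-reporter-summary-report
+namespace: policy-reporter
+labels:
+app.kubernetes.io/name: policy-reporter
+app.kubernetes.io/part-of: policy-reporter
+spec:
+schedule: "* * * * *"
+jobTemplate:
+spec:
+activeDeadlineSeconds: 300
+backoffLimit: 1
+ttlSecondsAfterFinished: 60
+template:
+metadata:
+labels:
+app.kubernetes.io/name: policy-reporter
+app.kubernetes.io/part-of: policy-reporter
+spec:
+serviceAccountName: policy-reporter
+automountServiceAccountToken: true
+securityContext:
+fsGroup: 1234
+restartPolicy: Never
+containers:
+- name: policy-reporter
+image: "ghcr.io/kyverno/policy-reporter:2.7.0"
+imagePullPolicy: IfNotPresent
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
+runAsNonRoot: true
+runAsUser: 1234
+seccompProfile:
+type: RuntimeDefault
+command:
+- /app/policyreporter
+- send
+- violations
+args:
+- --config=/app/config.yaml
+- --template-dir=/app/templates
+volumeMounts:
+- name: config-file
+mountPath: /app/config.yaml
+subPath: config.yaml
+readOnly: true
+env:
+- name: NAMESPACE
+value: kyverno
+volumes:
+- name: config-file
+secret:
+secretName: policy-reporter-config-email-reports
+optional: true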
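Review bot: `schedule: "* * * * *"` starts the violations mail job every minute, which looks like a leftover test value; a static manifest that users apply as-is should ship a conservative default, for example `schedule: "0 8 * * *"`, with a comment telling them to adjust it. The `NAMESPACE` variable is hard-coded to `kyverno` while every object in this folder lives in `policy-reporter` (the Helm template earlier on this page passes the release namespace), so `value: policy-reporter` is probably what was meant; how the binary uses the variable is not visible here. `optional: true` on the config Secret volume lets the pod start even when the Secret is absent, so removing it would make a missing SMTP configuration fail at pod creation rather than inside the job. The container is named `policy-reporter` and the CronJob `policy-reporter-summary-report` although the command is `send violations`, so the name should say violations to avoid confusion with the summary job.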
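--- a/manifest/violations-email-report/namespace.yaml
+++ b/manifest/violations-email-report/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: policy-reporter
+spec: {}
+status: {}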
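Review bot: `status: {}` is populated by the API server and `spec: {}` is empty, so both lines can be dropped from the manifest. Because the CronJob in this folder already sets `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, dropped capabilities and a `RuntimeDefault` seccomp profile, the namespace could also carry a Pod Security Admission label such as `pod-security.kubernetes.io/enforce: restricted` under `metadata.labels`. Whether other workloads deployed into `policy-reporter` meet that level is not visible here, so starting with the `warn` or `audit` mode may be the safer first step.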
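--- a/manifest/violations-email-report/serviceaccount.yaml
+++ b/manifest/violations-email-report/serviceaccount.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: policy-reporter
+namespace: policy-reporter
+labels:
+app.kubernetes.io/name: policy-reporter
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+labels:
+rbac.authorization.k8s.io/aggregate-to-admin: "true"
+name: policy-reporter
+rules:
+- apiGroups:
+- '*'
+resources:
+- policyreports
+- policyreports/status
+- clusterpolicyreports
+- clusterpolicyreports/status
+verbs:
+- get
+- list
+- watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: policy-reporter
+roleRef:
+kind: ClusterRole
+name: policy-reporter
+apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: "ServiceAccount"
+name: policy-reporter
+namespace: policy-reporter
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: policy-reporter
+namespace: policy-reporter
+labels:
+app.kubernetes.io/name: policy-reporter
+spec:
+type: ClusterIP
+ports:
+- port: 8080
+targetPort: http
+protocol: TCP
+name: http
+selector:
+app.kubernetes.io/name: policy-reporter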
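Review bot: The ClusterRole grants its verbs with `apiGroups: ['*']`, which matches any API group that serves a resource named `policyreports` or `clusterpolicyreports`; naming the group explicitly, `- wgpolicyk8s.io`, keeps the grant to the PolicyReport CRDs. The label `rbac.authorization.k8s.io/aggregate-to-admin: "true"` additionally merges these rules into the built-in `admin` role, a cluster-wide side effect that the e-mail job itself does not need, so for this minimal setup I would drop the label or move it to a separate role with a comment explaining why it is there. The `Service` selects `app.kubernetes.io/name: policy-reporter`, a label the CronJob pods also carry although their container declares no `http` port, so in an e-mail-only install it appears unused and could be left out of this folder.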