mirror of https://github.com/kyverno/policy-reporter.git synced 2024-12-15 17:50:58 +00:00

Add static manifest setup for E-Mail Summary Reports

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
Frank Jogeleit 2022-07-04 12:20:05 +02:00
parent 3e443f126a
commit 03bbebed79
7 changed files with 162 additions and 9 deletions

@ -63,8 +63,6 @@ spec:
- --config=/app/config.yaml
- --template-dir=/app/templates
volumeMounts:
- name: sqlite
mountPath: /sqlite
- name: config-file
mountPath: /app/config.yaml
subPath: config.yaml
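Review bot: the `config-file` mount on the `+` side has no `readOnly: true`, while the equivalent mount in the new static `cronjob.yaml` added by this same commit sets it; add `readOnly: true` under `subPath: config.yaml` here (and in the identical hunk for the second chart template below) so the chart and the static manifest agree on a read-only config mount.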
@ -73,8 +71,6 @@ spec:
- name: NAMESPACE
value: {{ .Release.Namespace }}
volumes:
- name: sqlite
emptyDir: {}
- name: config-file
secret:
secretName: {{ include "policyreporter.fullname" . }}-config-email-reports
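Review bot: the 8-to-6 line counts on this and the previous hunk show that the `sqlite` `emptyDir` volume and its `/sqlite` mount are dropped from the chart CronJob; that is only safe if the `send` subcommand never opens the SQLite store, so please confirm it does not, because with `readOnlyRootFilesystem: true` (as the new static CronJob sets) a write to `/sqlite` would now fail at runtime rather than at review time.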

@ -63,8 +63,6 @@ spec:
- --config=/app/config.yaml
- --template-dir=/app/templates
volumeMounts:
- name: sqlite
mountPath: /sqlite
- name: config-file
mountPath: /app/config.yaml
subPath: config.yaml
@ -73,8 +71,6 @@ spec:
- name: NAMESPACE
value: {{ .Release.Namespace }}
volumes:
- name: sqlite
emptyDir: {}
- name: config-file
secret:
secretName: {{ include "policyreporter.fullname" . }}-config-email-reports

@ -55,7 +55,7 @@ kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/
## Policy Reporter Configuration
To configure policy-reporter, for exomaple your notification targets for Policy Reporter create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and the following structure as value:
To configure policy-reporter, for example your notification targets for Policy Reporter create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and the following structure as value:
```yaml
priorityMap: {}
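Review bot: the `+` line fixes "exomaple" but still reads "with an key `config.yaml` as key"; since the sentence is being touched anyway, also fix the article and the repeated "key", e.g. "with the key `config.yaml` and the following structure as value".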
@ -134,3 +134,29 @@ reportFilter:
The `kyverno-policy-reporter-ui` and `default-policy-reporter-ui` installation has an optional preconfigured `target-security.yaml` to apply. This secret configures the Policy Reporter UI as target for Policy Reporter.
When you change the secret while Policy Reporter is already running, you have to delete the current `policy-reporter` Pod.
## Policy Reporter Summary Email Report
The `violations-email-report` folder can be used to install Policy Reporter only for the matter of sending E-Mail Summary Reports. You can install the Email Summary Report without the requirement of the Policy Reporter core application. If you already have Policy Reporter installed, you can just apply `config-secret.yaml` and `cronjob.yaml` to add the email report feature. It will reuse the existing `ServiceAccount` and `Namespace`.
To configure your SMTP server and receiver emails use the following configuration template and replace the `config.yaml` value of `config-secret.yaml` with your base64 encoded configuration.
```yaml
emailReports:
clusterName: '' # optional clustername shown in the Report
smtp:
host: ''
port: 465
username: ''
password: ''
from: '' # from E-Mail address
encryption: '' # default is none, supports ssl/tls and starttls
violations:
to: []
filter:
namespaces:
include: []
exclude: []
sources: []
channels: []
```
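Review bot: the config template documented here does not match the default config shipped in `config-secret.yaml` in this same commit: decoding that secret's `config.yaml` value yields an `emailReports` block with both a `summary` and a `violations` section and no `channels` key, while this template shows only `violations` and adds `channels: []`. Align the two (document `summary` or drop it from the secret, and confirm `channels` is a key the binary reads), and note that the heading says "Summary Email Report" while the static CronJob runs `send violations`.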

@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: policy-reporter-config-email-reports
namespace: policy-reporter
labels:
app.kubernetes.io/name: policy-reporter
type: Opaque
data:
config.yaml: ZW1haWxSZXBvcnRzOgogIGNsdXN0ZXJOYW1lOgogIHNtdHA6CiAgICBob3N0OgogICAgcG9ydDoKICAgIHVzZXJuYW1lOgogICAgcGFzc3dvcmQ6CiAgICBmcm9tOgogICAgZW5jcnlwdGlvbjoKICBzdW1tYXJ5OgogICAgdG86IFtdCiAgICBmaWx0ZXI6CiAgICAgIG5hbWVzcGFjZXM6CiAgICAgICAgaW5jbHVkZTogW10KICAgICAgICBleGNsdWRlOiBbXQogICAgICBzb3VyY2VzOiBbXQogIHZpb2xhdGlvbnM6CiAgICB0bzogW10KICAgIGZpbHRlcjoKICAgICAgbmFtZXNwYWNlczoKICAgICAgICBpbmNsdWRlOiBbXQogICAgICAgIGV4Y2x1ZGU6IFtdCiAgICAgIHNvdXJjZXM6IFtd
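Review bot: a base64 `data` value cannot be read or diffed in review, and the README tells users to edit exactly this value; use `stringData` with the plain YAML instead so the placeholder config and later changes to SMTP settings stay readable in the manifest. This secret also carries the SMTP `password`, so once it holds real values it should be kept out of the committed static manifests (e.g. applied separately from a non-versioned file).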

@ -0,0 +1,61 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: policy-reporter-summary-report
namespace: policy-reporter
labels:
app.kubernetes.io/name: policy-reporter
app.kubernetes.io/part-of: policy-reporter
spec:
schedule: "* * * * *"
jobTemplate:
spec:
activeDeadlineSeconds: 300
backoffLimit: 1
ttlSecondsAfterFinished: 60
template:
metadata:
labels:
app.kubernetes.io/name: policy-reporter
app.kubernetes.io/part-of: policy-reporter
spec:
serviceAccountName: policy-reporter
automountServiceAccountToken: true
securityContext:
fsGroup: 1234
restartPolicy: Never
containers:
- name: policy-reporter
image: "ghcr.io/kyverno/policy-reporter:2.7.0"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1234
seccompProfile:
type: RuntimeDefault
command:
- /app/policyreporter
- send
- violations
args:
- --config=/app/config.yaml
- --template-dir=/app/templates
volumeMounts:
- name: config-file
mountPath: /app/config.yaml
subPath: config.yaml
readOnly: true
env:
- name: NAMESPACE
value: kyverno
volumes:
- name: config-file
secret:
secretName: policy-reporter-config-email-reports
optional: true
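Review bot: `schedule: "* * * * *"` fires every minute, so as committed this job would send the violations email every minute (bounded only by `activeDeadlineSeconds` and `backoffLimit`); ship a realistic default such as a daily schedule. Two smaller points in the same hunk: `NAMESPACE` is hard-coded to `kyverno` while every other resource in this setup lives in `policy-reporter` (the chart uses `{{ .Release.Namespace }}`), which looks like a copy-over; and `optional: true` on the secret volume lets the pod start without any config and fail inside the container instead of failing at pod creation, which hides a missing secret rather than surfacing it.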

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: policy-reporter
spec: {}
status: {}
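Review bot: `spec: {}` and `status: {}` are `kubectl create --dry-run` leftovers with no effect on a Namespace; drop them so this file matches the other hand-written manifests in the commit.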

@ -0,0 +1,57 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: policy-reporter
namespace: policy-reporter
labels:
app.kubernetes.io/name: policy-reporter
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: policy-reporter
rules:
- apiGroups:
- '*'
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: policy-reporter
roleRef:
kind: ClusterRole
name: policy-reporter
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: policy-reporter
namespace: policy-reporter
---
apiVersion: v1
kind: Service
metadata:
name: policy-reporter
namespace: policy-reporter
labels:
app.kubernetes.io/name: policy-reporter
spec:
type: ClusterIP
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: policy-reporter
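Review bot: the ClusterRole grants `get`/`list`/`watch` on `policyreports` and `clusterpolicyreports` across `apiGroups: ['*']`; these resources are served by the `wgpolicyk8s.io` group, so name that group instead of the wildcard to keep the role at least privilege. The `rbac.authorization.k8s.io/aggregate-to-admin` label additionally folds these rules into the built-in `admin` role for every namespace admin, a side effect unrelated to what the CronJob's ServiceAccount needs. Finally, the `Service` on port 8080 selects pods labelled `app.kubernetes.io/name: policy-reporter`, but in an email-report-only install the only such pods are the short-lived CronJob pods, whose container declares no `http` port, so the Service has no working endpoints and can be left out of this setup.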