From 5593918a46516ca14fcb956ebd6fc2b322ef8d8d Mon Sep 17 00:00:00 2001 From: Frank Jogeleit Date: Fri, 7 May 2021 19:48:57 +0200 Subject: [PATCH] Add Kyverno Plugin to Helm Chart (#34) --- CHANGELOG.md | 3 + charts/policy-reporter/Chart.lock | 9 ++- charts/policy-reporter/Chart.yaml | 8 +- .../charts/kyvernoPlugin/Chart.yaml | 7 ++ .../kyvernoPlugin/templates/_helpers.tpl | 55 +++++++++++++ .../kyvernoPlugin/templates/clusterrole.yaml | 20 +++++ .../templates/clusterrolebinding.yaml | 14 ++++ .../kyvernoPlugin/templates/deployment.yaml | 74 +++++++++++++++++ .../kyvernoPlugin/templates/service.yaml | 28 +++++++ .../templates/serviceaccount.yaml | 12 +++ .../charts/kyvernoPlugin/values.yaml | 81 +++++++++++++++++++ .../templates/kyverno-servicemonitor.yaml | 16 ++++ .../charts/monitoring/values.yaml | 3 + charts/policy-reporter/charts/ui/Chart.yaml | 4 +- .../charts/ui/templates/deployment.yaml | 3 + charts/policy-reporter/charts/ui/values.yaml | 5 +- charts/policy-reporter/values.yaml | 4 + 17 files changed, 338 insertions(+), 8 deletions(-) create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/Chart.yaml create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrole.yaml create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrolebinding.yaml create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/templates/service.yaml create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/templates/serviceaccount.yaml create mode 100644 charts/policy-reporter/charts/kyvernoPlugin/values.yaml create mode 100644 charts/policy-reporter/charts/monitoring/templates/kyverno-servicemonitor.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 723e975a..06d9f796 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,8 @@ # Changelog +# 1.4.0 +* Add Kyverno Plugins to the Helm Chart + ## 1.3.4 * Configure Debounce Time in seconds for Cleanup Events over Helm Chart diff --git a/charts/policy-reporter/Chart.lock b/charts/policy-reporter/Chart.lock index 0ff89a07..3018e8c3 100644 --- a/charts/policy-reporter/Chart.lock +++ b/charts/policy-reporter/Chart.lock @@ -4,6 +4,9 @@ dependencies: version: 1.1.0 - name: ui repository: "" - version: 1.3.1 -digest: sha256:9d4e26e7bdc5a7feaab8bbdf23568151506640645da104afece06a27d1608560 -generated: "2021-04-30T11:40:03.769829+02:00" + version: 1.4.0 +- name: kyvernoPlugin + repository: "" + version: 0.1.0 +digest: sha256:46c55d020bbcd87622d72e7eb01a9eabd9284be7c7762b5aedd3f927aa774b7d +generated: "2021-05-07T18:39:08.48668+02:00" diff --git a/charts/policy-reporter/Chart.yaml b/charts/policy-reporter/Chart.yaml index 8bb5235a..477ae805 100644 --- a/charts/policy-reporter/Chart.yaml +++ b/charts/policy-reporter/Chart.yaml @@ -5,7 +5,7 @@ description: | It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord type: application -version: 1.3.4 +version: 1.4.0 appVersion: 1.3.4 dependencies: @@ -16,4 +16,8 @@ dependencies: - name: ui condition: ui.enabled repository: "" - version: "1.3.1" + version: "1.4.0" + - name: kyvernoPlugin + condition: kyvernoPlugin.enabled + repository: "" + version: "0.1.0" diff --git a/charts/policy-reporter/charts/kyvernoPlugin/Chart.yaml b/charts/policy-reporter/charts/kyvernoPlugin/Chart.yaml new file mode 100644 index 00000000..1843ad11 --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: kyvernoPlugin +description: Policy Reporter Kyverno Plugin + +type: application +version: 0.1.0 +appVersion: 0.1.0 \ No newline at end of file 
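Review bot: The new dependency is gated on `condition: kyvernoPlugin.enabled`, but the parent values.yaml change in this patch (4 insertions, all under `global.plugins`) adds no `kyvernoPlugin.enabled` key. Helm ignores a condition whose path is absent from the parent values, so the plugin subchart with its ClusterRole, ServiceAccount and Deployment is installed by default, while the `ui` and `monitoring` toggles that consume it default to `false`. Adding `kyvernoPlugin:` / `  enabled: false` (or `true`, but documented) next to the `monitoring:` block visible in the values.yaml hunk would make the default explicit and give users a documented switch.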
diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl b/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl new file mode 100644 index 00000000..f267152d --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl @@ -0,0 +1,55 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kyvernoplugin.fullname" -}} +{{- $name := "kyverno-plugin" }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + +{{- define "kyvernoplugin.name" -}} +{{- "kyverno-plugin" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kyvernoplugin.chart" -}} +{{- printf "kyverno-plugin-%s" .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kyvernoplugin.labels" -}} +helm.sh/chart: {{ include "kyvernoplugin.chart" . }} +{{ include "kyvernoplugin.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kyvernoplugin.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kyvernoplugin.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kyvernoplugin.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "kyvernoplugin.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
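Review bot: `kyvernoplugin.name` and `kyvernoplugin.fullname` hard-code `kyverno-plugin` instead of using `.Chart.Name`, and nothing says why. Since Chart.yaml names the chart `kyvernoPlugin`, which is not a valid lowercase DNS-1123 label for Kubernetes object names, the hard-coding looks deliberate; a one-line comment above the define, e.g. `{{/* Chart name is kyvernoPlugin, not a valid resource name; a fixed lowercase name is used instead */}}`, would stop the next maintainer from "fixing" it back to `.Chart.Name`. Note also that the UI deployment in this patch hard-codes the resulting Service name `policy-reporter-kyverno-plugin`, which matches this helper only when the release is named `policy-reporter`.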
diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrole.yaml b/charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrole.yaml new file mode 100644 index 00000000..994b377b --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrole.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: {{ include "kyvernoplugin.fullname" . }} +rules: +- apiGroups: + - '*' + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + verbs: + - get + - list + - watch +{{- end -}} diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrolebinding.yaml b/charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..ac3ee30e --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.serviceAccount.create .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kyvernoplugin.fullname" . }} +roleRef: + kind: ClusterRole + name: {{ include "kyvernoplugin.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: "ServiceAccount" + name: {{ include "kyvernoplugin.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml b/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml new file mode 100644 index 00000000..b7c51aa9 --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/deployment.yaml 
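Review bot: The ClusterRole grants get/list/watch on `policies`, `clusterpolicies` and their status subresources across `apiGroups: ['*']`, although the plugin only needs the Kyverno resources, which live in the `kyverno.io` group; narrowing to `- kyverno.io` keeps the role from also matching same-named resources of any other API group installed later. The `rbac.authorization.k8s.io/aggregate-to-admin: "true"` label additionally folds these rules into the built-in `admin` ClusterRole on every cluster that installs the chart, a side effect unrelated to the plugin's own ServiceAccount binding that deserves a comment or a values toggle. In clusterrolebinding.yaml the binding is rendered only when `serviceAccount.create` is also true, so a user who points `serviceAccount.name` at an existing account with `create: false` and `rbac.enabled: true` gets a ClusterRole with no binding and a plugin that cannot read policies.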
@@ -0,0 +1,74 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kyvernoplugin.fullname" . }} + labels: + {{- include "kyvernoplugin.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + {{- if .Values.deploymentStrategy }} + strategy: + {{- toYaml .Values.deploymentStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyvernoplugin.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyvernoplugin.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.podAnnotations }} + annotations: + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "kyvernoplugin.serviceAccountName" . }} + automountServiceAccountToken: true + containers: + - name: "kyverno-plugin" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + args: + - --apiPort=8080 + ports: + - name: http + containerPort: 2113 + protocol: TCP + - name: rest + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: /policies + port: rest + readinessProbe: + httpGet: + path: /policies + port: rest + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
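Review bot: The `podAnnotations` block wraps `{{- if .Values.podAnnotations }}` around `{{- with .Values.podAnnotations }}`, which is redundant because `with` already skips an empty map; `{{- with .Values.podAnnotations }}` / `annotations:` / `{{- toYaml . | nindent 8 }}` / `{{- end }}` renders the same output with one guard. Both probes hit `/policies` on the `rest` port; if that endpoint depends on the API-server read access granted in clusterrole.yaml (inferred from the path, worth confirming), a deployment with `rbac.enabled: false` would be restarted by the liveness probe rather than reporting a clear error, so a short comment on the probes stating that dependency would help operators. The Deployment's own `metadata` renders only labels, so the `annotations: {}` value documented in values.yaml as attached to the Deployment is silently ignored here.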
diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/service.yaml b/charts/policy-reporter/charts/kyvernoPlugin/templates/service.yaml new file mode 100644 index 00000000..7d849bce --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/service.yaml @@ -0,0 +1,28 @@ +{{- if .Values.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kyvernoplugin.fullname" . }} + labels: + {{- include "kyvernoplugin.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: 2113 + targetPort: http + protocol: TCP + name: http + - port: 8080 + targetPort: rest + protocol: TCP + name: rest + selector: + {{- include "kyvernoplugin.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/policy-reporter/charts/kyvernoPlugin/templates/serviceaccount.yaml b/charts/policy-reporter/charts/kyvernoPlugin/templates/serviceaccount.yaml new file mode 100644 index 00000000..5ea56132 --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kyvernoplugin.serviceAccountName" . }} + labels: + {{- include "kyvernoplugin.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/policy-reporter/charts/kyvernoPlugin/values.yaml b/charts/policy-reporter/charts/kyvernoPlugin/values.yaml new file mode 100644 index 00000000..3058dbe8 --- /dev/null +++ b/charts/policy-reporter/charts/kyvernoPlugin/values.yaml 
@@ -0,0 +1,81 @@ +image: + repository: fjogeleit/policy-reporter-kyverno-plugin + pullPolicy: IfNotPresent + tag: 0.1.0 + +imagePullSecrets: [] + +# Deploy not more than one replica +# Policy Reporter doesn't scale yet. +# Each pod will report each change. +replicaCount: 1 + +deploymentStrategy: {} + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + +# Key/value pairs that are attached to Deployment. +annotations: {} + +# Create cluster role policies +rbac: + enabled: true + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +service: + enabled: true + ## configuration of service + # key/value + annotations: {} + # key/value + labels: {} + type: ClusterIP + +securityContext: + runAsUser: 1234 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all + +# Key/value pairs that are attached to pods. +podAnnotations: {} + +# Key/value pairs that are attached to pods. +podLabels: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ # limits: + # memory: 30Mi + # cpu: 10m + # requests: + # memory: 20Mi + # cpu: 5m + +# Node labels for pod assignment +# ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +# Tolerations for pod assignment +# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Anti-affinity to disallow deploying client and master nodes on the same worker node +affinity: {} diff --git a/charts/policy-reporter/charts/monitoring/templates/kyverno-servicemonitor.yaml b/charts/policy-reporter/charts/monitoring/templates/kyverno-servicemonitor.yaml new file mode 100644 index 00000000..f8cf0627 --- /dev/null +++ b/charts/policy-reporter/charts/monitoring/templates/kyverno-servicemonitor.yaml @@ -0,0 +1,16 @@ +{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "monitoring.fullname" . }}-kyverno-plugin + {{- if .Values.serviceMonitor.labels }} + labels: + {{- toYaml .Values.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyvernoplugin.selectorLabels" . | nindent 8 }} + endpoints: + - port: http +{{- end }} diff --git a/charts/policy-reporter/charts/monitoring/values.yaml b/charts/policy-reporter/charts/monitoring/values.yaml index e79a4671..874468a0 100644 --- a/charts/policy-reporter/charts/monitoring/values.yaml +++ b/charts/policy-reporter/charts/monitoring/values.yaml @@ -1,5 +1,8 @@ namespace: cattle-dashboards +plugins: + kyverno: false + serviceMonitor: # labels to match the serviceMonitorSelector of the Prometheus Resource labels: {} diff --git a/charts/policy-reporter/charts/ui/Chart.yaml b/charts/policy-reporter/charts/ui/Chart.yaml index b12175d8..21f59cab 100644 --- a/charts/policy-reporter/charts/ui/Chart.yaml +++ b/charts/policy-reporter/charts/ui/Chart.yaml 
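Review bot: `annotations: {}` is documented as "Key/value pairs that are attached to Deployment", but deployment.yaml in this patch renders only `labels` under the Deployment's metadata, so the value is accepted and silently ignored; either wire it in next to the labels, `{{- with .Values.annotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}`, or drop it from values.yaml. In `securityContext.capabilities.drop`, Kubernetes documents the wildcard as `ALL`; lowercase `all` is accepted by some runtimes, but the canonical spelling avoids depending on that. The comment on `affinity` ("client and master nodes on the same worker node") is copied from another chart and does not describe this single-replica deployment.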
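Review bot: The selector uses `include "kyvernoplugin.selectorLabels"`, a named template defined in the sibling `kyvernoPlugin` subchart's _helpers.tpl, not in this `monitoring` chart. Helm shares named templates across all loaded subcharts, so this renders when both are enabled, but if the `kyvernoPlugin` dependency is disabled through its `condition` while `plugins.kyverno` is set, the template is presumably not loaded and rendering fails with an undefined-template error (inferred from the condition in Chart.yaml; worth confirming). Spelling the two labels out here, `app.kubernetes.io/name: kyverno-plugin` and `app.kubernetes.io/instance: {{ .Release.Name }}`, removes the cross-chart dependency and keeps the ServiceMonitor self-contained. Assuming `matchLabels` sits at four spaces as in the plugin's deployment.yaml, `nindent 8` is also deeper than the `nindent 6` used there; it renders valid YAML but is inconsistent.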
@@ -3,5 +3,5 @@ name: ui description: Policy Reporter UI type: application -version: 1.3.1 -appVersion: 0.9.0 +version: 1.4.0 +appVersion: 0.10.0 diff --git a/charts/policy-reporter/charts/ui/templates/deployment.yaml b/charts/policy-reporter/charts/ui/templates/deployment.yaml index 030b0d26..d9262851 100644 --- a/charts/policy-reporter/charts/ui/templates/deployment.yaml +++ b/charts/policy-reporter/charts/ui/templates/deployment.yaml @@ -44,6 +44,9 @@ spec: args: - -backend=http://{{ .Values.global.backend }}:{{ .Values.global.port }} - -log-size={{ .Values.log.size }} + {{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno -}} + - -kyverno-plugin=http://policy-reporter-kyverno-plugin:8080 + {{- end }} ports: - name: http containerPort: 8080 diff --git a/charts/policy-reporter/charts/ui/values.yaml b/charts/policy-reporter/charts/ui/values.yaml index d8014ea2..96af8254 100644 --- a/charts/policy-reporter/charts/ui/values.yaml +++ b/charts/policy-reporter/charts/ui/values.yaml @@ -4,10 +4,13 @@ log: # holds the latest 200 validation results in the UI Log size: 200 +plugins: + kyverno: false + image: repository: fjogeleit/policy-reporter-ui pullPolicy: IfNotPresent - tag: 0.9.0 + tag: 0.10.0 imagePullSecrets: [] diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml index 9c61daad..07449ebf 100644 --- a/charts/policy-reporter/values.yaml +++ b/charts/policy-reporter/values.yaml @@ -84,6 +84,10 @@ monitoring: labels: {} global: + # availale plugins + plugins: + # enable kyverno for Policy Reporter UI and monitoring + keyverno: false # The name of service policy-report. If you changed ReleaseName you have to replace it backend: policy-reporter # Service Port number
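Review bot: The trailing dash in `{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno -}}` trims the newline and indentation before the next line, so when the plugin is enabled the `- -kyverno-plugin=...` item is glued onto the end of the preceding `-log-size=...` argument instead of becoming its own list entry; drop the trailing dash: `{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno }}`. The URL `http://policy-reporter-kyverno-plugin:8080` also hard-codes the Service name the kyvernoPlugin helper produces only for a release named `policy-reporter`, and unlike `global.backend` there is no value to override it; a value such as `global.plugins.kyvernoBackend` (name illustrative) or a name built from `.Release.Name` would avoid a UI that silently cannot reach the plugin under other release names. The enclosing container spec starts and ends outside the hunk.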
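Review bot: The new global key is spelled `keyverno: false`, while ui/templates/deployment.yaml and monitoring/templates/kyverno-servicemonitor.yaml in this patch read `.Values.global.plugins.kyverno`; a user setting `global.plugins.keyverno: true` therefore enables nothing, and `global.plugins.kyverno: true` works but is undocumented. Rename the key: `kyverno: false`. The comment above it also misspells "available" (`# availale plugins`).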