mirror of
https://github.com/kyverno/policy-reporter.git
synced 2024-12-14 11:57:32 +00:00
Policy Reporter v3 (#482)
Policy Reporter v3 Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
This commit is contained in:
parent
b8a658463a
commit
78f24497fa
277 changed files with 15718 additions and 11040 deletions
10
.github/dependabot.yaml
vendored
Normal file
10
.github/dependabot.yaml
vendored
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
version: 2
|
||||||
|
updates:
|
||||||
|
- package-ecosystem: gomod
|
||||||
|
directory: /
|
||||||
|
schedule:
|
||||||
|
interval: daily
|
||||||
|
- package-ecosystem: github-actions
|
||||||
|
directory: /
|
||||||
|
schedule:
|
||||||
|
interval: daily
|
59
.github/workflows/ci.yaml
vendored
59
.github/workflows/ci.yaml
vendored
|
@ -4,7 +4,7 @@ on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
- development
|
- 3.x
|
||||||
|
|
||||||
paths-ignore:
|
paths-ignore:
|
||||||
- README.md
|
- README.md
|
||||||
|
@ -14,25 +14,62 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
- 3.x
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
coverage:
|
coverage:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Set up Go 1.22
|
- name: Checkout
|
||||||
uses: actions/setup-go@v2
|
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||||
|
|
||||||
|
- name: Set up Go
|
||||||
|
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
|
||||||
with:
|
with:
|
||||||
go-version: 1.22
|
go-version-file: go.mod
|
||||||
- name: Checkout code
|
cache-dependency-path: go.sum
|
||||||
uses: actions/checkout@v2
|
|
||||||
- name: Get dependencies
|
- name: Check go.mod
|
||||||
run: go get -v -t -d ./...
|
run: |
|
||||||
|
set -e
|
||||||
|
go mod tidy && git diff --exit-code
|
||||||
|
|
||||||
|
- name: Check code format
|
||||||
|
run: |
|
||||||
|
set -e
|
||||||
|
make fmt
|
||||||
|
git diff --exit-code
|
||||||
|
|
||||||
|
- name: Run Trivy vulnerability scanner in repo mode
|
||||||
|
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||||
|
with:
|
||||||
|
scan-type: 'fs'
|
||||||
|
ignore-unfixed: true
|
||||||
|
format: 'sarif'
|
||||||
|
output: 'trivy-results.sarif'
|
||||||
|
severity: 'CRITICAL,HIGH'
|
||||||
|
|
||||||
- name: Calc coverage
|
- name: Calc coverage
|
||||||
run: make coverage
|
run: make coverage
|
||||||
|
|
||||||
- name: Convert coverage to lcov
|
- name: Convert coverage to lcov
|
||||||
uses: jandelgado/gcov2lcov-action@v1.0.9
|
uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 #v1.0.9
|
||||||
|
|
||||||
- name: Coveralls
|
- name: Coveralls
|
||||||
uses: coverallsapp/github-action@v2.0.0
|
uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
|
||||||
with:
|
with:
|
||||||
github-token: ${{ secrets.github_token }}
|
github-token: ${{ secrets.github_token }}
|
||||||
file: coverage.lcov
|
file: coverage.lcov
|
||||||
|
|
||||||
|
check-actions:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||||
|
- name: Ensure SHA pinned actions
|
||||||
|
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b8f9a25a51fe633d9215ac7734854dc11cd299cb # v3.0.13
|
||||||
|
with:
|
||||||
|
# slsa-github-generator requires using a semver tag for reusable workflows.
|
||||||
|
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
|
||||||
|
allowlist: |
|
||||||
|
slsa-framework/slsa-github-generator
|
29
.github/workflows/cr.yaml
vendored
29
.github/workflows/cr.yaml
vendored
|
@ -1,29 +0,0 @@
|
||||||
name: Release Charts
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
paths:
|
|
||||||
- 'charts/**'
|
|
||||||
- 'manifests/**'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
release:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
|
|
||||||
- name: Configure Git
|
|
||||||
run: |
|
|
||||||
git config user.name "$GITHUB_ACTOR"
|
|
||||||
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
|
|
||||||
|
|
||||||
- name: Install Helm
|
|
||||||
uses: azure/setup-helm@v1
|
|
||||||
|
|
||||||
- name: Run chart-releaser
|
|
||||||
uses: helm/chart-releaser-action@v1.2.1
|
|
||||||
env:
|
|
||||||
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
|
7
.github/workflows/docs.yaml
vendored
7
.github/workflows/docs.yaml
vendored
|
@ -10,10 +10,10 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@master
|
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||||
|
|
||||||
- name: Setup node env
|
- name: Setup node env
|
||||||
uses: actions/setup-node@v2.1.2
|
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
|
||||||
with:
|
with:
|
||||||
node-version: 16
|
node-version: 16
|
||||||
|
|
||||||
|
@ -32,9 +32,8 @@ jobs:
|
||||||
cp index.yaml ./dist/index.yaml
|
cp index.yaml ./dist/index.yaml
|
||||||
cp artifacthub-repo.yml ./dist/artifacthub-repo.yml
|
cp artifacthub-repo.yml ./dist/artifacthub-repo.yml
|
||||||
|
|
||||||
|
|
||||||
- name: Deploy
|
- name: Deploy
|
||||||
uses: peaceiris/actions-gh-pages@v3
|
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e #v4.0.0
|
||||||
with:
|
with:
|
||||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
publish_dir: ./dist
|
publish_dir: ./dist
|
||||||
|
|
16
.github/workflows/helm-chart.yaml
vendored
16
.github/workflows/helm-chart.yaml
vendored
|
@ -5,7 +5,6 @@ on:
|
||||||
# run pipeline on push on master
|
# run pipeline on push on master
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
- development
|
|
||||||
paths:
|
paths:
|
||||||
- "charts/**"
|
- "charts/**"
|
||||||
|
|
||||||
|
@ -18,16 +17,19 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||||
with:
|
with:
|
||||||
fetch-depth: "0"
|
fetch-depth: "0"
|
||||||
|
|
||||||
- name: chart-testing (ct lint)
|
- name: chart-testing (ct lint)
|
||||||
uses: helm/chart-testing-action@v2.0.1
|
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
|
||||||
|
|
||||||
- name: Run Helm Chart lint
|
- name: Run Helm Chart lint
|
||||||
run: |
|
run: |
|
||||||
ct lint --lint-conf=.github/ct_lintconf.yaml \
|
set -e
|
||||||
--chart-yaml-schema=.github/ct_chart_schema.yaml \
|
ct lint --lint-conf=.github/ct_lintconf.yaml \
|
||||||
--target-branch=main --validate-maintainers=false \
|
--chart-yaml-schema=.github/ct_chart_schema.yaml \
|
||||||
--chart-dirs charts
|
--target-branch=main \
|
||||||
|
--validate-maintainers=false \
|
||||||
|
--check-version-increment=false \
|
||||||
|
--chart-dirs charts
|
||||||
|
|
65
.github/workflows/release-chart.yaml
vendored
Normal file
65
.github/workflows/release-chart.yaml
vendored
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
name: release-chart
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
tags:
|
||||||
|
- 'policy-reporter-chart-v*'
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
helm-chart:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
pages: write
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
|
|
||||||
|
- name: Verify Helm Docs
|
||||||
|
run: |
|
||||||
|
set -e
|
||||||
|
make verify-helm-docs
|
||||||
|
|
||||||
|
- name: Configure Git
|
||||||
|
run: |
|
||||||
|
git config user.name "$GITHUB_ACTOR"
|
||||||
|
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
|
||||||
|
|
||||||
|
- name: Install Helm
|
||||||
|
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||||
|
with:
|
||||||
|
version: v3.16.1
|
||||||
|
|
||||||
|
- name: Prepare GPG key
|
||||||
|
run: |
|
||||||
|
gpg_dir=.cr-gpg
|
||||||
|
mkdir "$gpg_dir"
|
||||||
|
keyring="$gpg_dir/secring.gpg"
|
||||||
|
base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"
|
||||||
|
passphrase_file="$gpg_dir/passphrase"
|
||||||
|
echo "$GPG_PASSPHRASE" > "$passphrase_file"
|
||||||
|
echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
|
||||||
|
echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
|
||||||
|
env:
|
||||||
|
GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}" #Referring secrets of github above
|
||||||
|
GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"
|
||||||
|
|
||||||
|
- name: Run chart-releaser
|
||||||
|
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
|
||||||
|
id: cr
|
||||||
|
env:
|
||||||
|
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
||||||
|
CR_KEY: "${{ secrets.CR_KEY }}"
|
||||||
|
CR_SIGN: true
|
||||||
|
|
||||||
|
- name: Install Cosign
|
||||||
|
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
|
||||||
|
|
||||||
|
- name: Push to OCI
|
||||||
|
run: |
|
||||||
|
set -e
|
||||||
|
output=$(helm push .cr-release-packages/policy-reporter-{{ steps.cr.outputs.chart_version }}.tgz oci://ghcr.io/kyverno/charts 2>&1)
|
||||||
|
digest=$( echo "$output" | grep Digest | cut -c9-)
|
||||||
|
cosign sign --yes ghcr.io/kyverno/charts/policy-reporter@$digest
|
|
@ -1,9 +1,16 @@
|
||||||
name: image
|
name: release-image
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
|
||||||
tags:
|
tags:
|
||||||
- v*
|
- 'v*'
|
||||||
- dev
|
|
||||||
|
paths-ignore:
|
||||||
|
- README.md
|
||||||
|
- charts/**
|
||||||
|
- manifest/**
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
|
@ -15,58 +22,58 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v2
|
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||||
|
|
||||||
- name: Push image
|
- name: Push image
|
||||||
id: params
|
id: params
|
||||||
run: |
|
run: |
|
||||||
# Strip git ref prefix from version
|
# Strip git ref prefix from version
|
||||||
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
|
VERSION=$(git rev-parse --short "$GITHUB_SHA")
|
||||||
# Strip "v" prefix from tag name
|
# Strip "v" prefix from tag name
|
||||||
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
|
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
|
||||||
echo VERSION=$VERSION
|
echo VERSION=$VERSION
|
||||||
echo "::set-output name=version::$VERSION"
|
echo "VERSION=$VERSION" >> "$GITHUB_ENV"
|
||||||
|
|
||||||
- name: Login to Github Packages
|
- name: Login to Github Packages
|
||||||
uses: docker/login-action@v2
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
||||||
with:
|
with:
|
||||||
registry: ghcr.io
|
registry: ghcr.io
|
||||||
username: ${{ github.repository_owner }}
|
username: ${{ github.repository_owner }}
|
||||||
password: ${{ secrets.CR_PAT }}
|
password: ${{ secrets.CR_PAT }}
|
||||||
|
|
||||||
- name: Set up QEMU
|
- name: Set up QEMU
|
||||||
uses: docker/setup-qemu-action@v2
|
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Set up Docker Buildx
|
||||||
uses: docker/setup-buildx-action@v2
|
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
|
||||||
id: buildx
|
id: buildx
|
||||||
with:
|
with:
|
||||||
install: true
|
install: true
|
||||||
version: latest
|
version: latest
|
||||||
|
|
||||||
- name: Build image and push to GitHub Container Registry
|
- name: Build image and push to GitHub Container Registry
|
||||||
uses: docker/build-push-action@v3
|
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
|
||||||
id: push
|
id: push
|
||||||
with:
|
with:
|
||||||
push: true
|
push: true
|
||||||
platforms: linux/arm64,linux/amd64,linux/s390x
|
platforms: linux/arm64,linux/amd64
|
||||||
cache-from: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache
|
cache-from: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache
|
||||||
cache-to: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache,mode=max
|
cache-to: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache,mode=max
|
||||||
tags: |
|
tags: |
|
||||||
ghcr.io/kyverno/policy-reporter:latest
|
ghcr.io/kyverno/policy-reporter:${{ env.VERSION }}
|
||||||
ghcr.io/kyverno/policy-reporter:${{ steps.params.outputs.version }}
|
|
||||||
|
|
||||||
- name: Set up Go 1.22
|
- name: Set up Go
|
||||||
uses: actions/setup-go@v2
|
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
|
||||||
with:
|
with:
|
||||||
go-version: 1.22
|
go-version-file: go.mod
|
||||||
|
cache-dependency-path: go.sum
|
||||||
|
|
||||||
- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
|
- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
|
||||||
with:
|
with:
|
||||||
version: v1
|
version: v1
|
||||||
args: app -licenses -json -output policy-reporter-bom.cdx.json -main .
|
args: app -licenses -json -output policy-reporter-bom.cdx.json -main .
|
||||||
|
|
||||||
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||||
with:
|
with:
|
||||||
name: policy-reporter-bom-cdx
|
name: policy-reporter-bom-cdx
|
||||||
path: policy-reporter-bom.cdx.json
|
path: policy-reporter-bom.cdx.json
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -6,6 +6,7 @@ build
|
||||||
/test.yaml
|
/test.yaml
|
||||||
*.db
|
*.db
|
||||||
values*.yaml
|
values*.yaml
|
||||||
|
monitoring.yaml
|
||||||
coverage.out*
|
coverage.out*
|
||||||
heap*
|
heap*
|
||||||
/.env*
|
/.env*
|
||||||
|
|
|
@ -309,7 +309,7 @@
|
||||||
* Policy Reporter
|
* Policy Reporter
|
||||||
* New `certificate` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to set the path to your custom certificate for the related client.
|
* New `certificate` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to set the path to your custom certificate for the related client.
|
||||||
* New `skipTLS` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to skip tls if needed for the given target.
|
* New `skipTLS` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to skip tls if needed for the given target.
|
||||||
* New `secretRef` for targets to reference a secret with the related `username`, `password`, `webhook`, `host`, `accessKeyID`, `secretAccessKey` information of the given target, instead of configure your credentials directly.
|
* New `secretRef` for targets to reference a secret with the related `username`, `password`, `webhook`, `host`, `accessKeyId`, `secretAccessKey` information of the given target, instead of configure your credentials directly.
|
||||||
* Policy Reporter UI
|
* Policy Reporter UI
|
||||||
* New value `refreshInterval` to configure the default refresh interval for API polling. Set `0` to disable polling.
|
* New value `refreshInterval` to configure the default refresh interval for API polling. Set `0` to disable polling.
|
||||||
* Policy Reporter Kyverno Plugin
|
* Policy Reporter Kyverno Plugin
|
||||||
|
|
144
DEMO.md
Normal file
144
DEMO.md
Normal file
|
@ -0,0 +1,144 @@
|
||||||
|
# Demo Instructions
|
||||||
|
|
||||||
|
## Kind Cluster
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make kind-create-cluster
|
||||||
|
```
|
||||||
|
|
||||||
|
## Kyverno
|
||||||
|
|
||||||
|
### Add Repository
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm repo add kyverno https://kyverno.github.io/kyverno
|
||||||
|
```
|
||||||
|
|
||||||
|
### Install
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm upgrade --install kyverno kyverno/kyverno -n kyverno --create-namespace
|
||||||
|
helm upgrade --install kyverno-policies kyverno/kyverno-policies --set podSecurityStandard=restricted
|
||||||
|
```
|
||||||
|
|
||||||
|
## Falco
|
||||||
|
|
||||||
|
### Add Repository
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm repo add falcosecurity https://falcosecurity.github.io/charts
|
||||||
|
```
|
||||||
|
|
||||||
|
### Install
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm upgrade --install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.config.policyreport.enabled=true --set falcosidekick.image.tag=latest --namespace falco --create-namespace
|
||||||
|
```
|
||||||
|
|
||||||
|
## Trivy Operator
|
||||||
|
|
||||||
|
### Add Repository
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm repo add aqua https://aquasecurity.github.io/helm-charts/
|
||||||
|
helm repo add trivy-operator-polr-adapter https://fjogeleit.github.io/trivy-operator-polr-adapter
|
||||||
|
```
|
||||||
|
|
||||||
|
### Install
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system --create-namespace --set="trivy.ignoreUnfixed=true"
|
||||||
|
helm upgrade --install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-system
|
||||||
|
```
|
||||||
|
|
||||||
|
## Policy Reporter
|
||||||
|
|
||||||
|
### Add Repository
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
|
||||||
|
```
|
||||||
|
|
||||||
|
### Install
|
||||||
|
|
||||||
|
#### Slack Secret
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: webhook-secret
|
||||||
|
namespace: policy-reporter
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
webhook: aHR0cHM6Ly9ob29rcy5z...
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Values
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
plugin:
|
||||||
|
kyverno:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
trivy:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
ui:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
annotations:
|
||||||
|
nginx.ingress.kubernetes.io/rewrite-target: /$1
|
||||||
|
className: nginx
|
||||||
|
hosts:
|
||||||
|
- host: localhost
|
||||||
|
paths:
|
||||||
|
- path: "/ui/(.*)"
|
||||||
|
pathType: ImplementationSpecific
|
||||||
|
|
||||||
|
sources:
|
||||||
|
- name: Trivy ConfigAudit
|
||||||
|
type: severity
|
||||||
|
excludes:
|
||||||
|
results:
|
||||||
|
- pass
|
||||||
|
- error
|
||||||
|
|
||||||
|
- name: Trivy Vulnerability
|
||||||
|
type: severity
|
||||||
|
excludes:
|
||||||
|
results:
|
||||||
|
- pass
|
||||||
|
- error
|
||||||
|
|
||||||
|
- name: Falco
|
||||||
|
excludes:
|
||||||
|
results:
|
||||||
|
- pass
|
||||||
|
- skip
|
||||||
|
|
||||||
|
target:
|
||||||
|
slack:
|
||||||
|
name: Kyverno Channel
|
||||||
|
channel: kyverno
|
||||||
|
secretRef: webhook-secret
|
||||||
|
minimumSeverity: warning
|
||||||
|
skipExistingOnStartup: true
|
||||||
|
sources: [kyverno]
|
||||||
|
filter:
|
||||||
|
namespaces:
|
||||||
|
exclude: ['trivy-system']
|
||||||
|
channels:
|
||||||
|
- name: Trivy Operator
|
||||||
|
channel: trivy-operator
|
||||||
|
sources: [Trivy Vulnerability]
|
||||||
|
filter:
|
||||||
|
namespaces:
|
||||||
|
exclude: ['trivy-system']
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm upgrade --install policy-reporter policy-reporter/policy-reporter --create-namespace -n policy-reporter -f values.yaml --devel
|
||||||
|
```
|
|
@ -1,4 +1,4 @@
|
||||||
FROM golang:1.22 as builder
|
FROM golang:1.23 AS builder
|
||||||
|
|
||||||
ARG LD_FLAGS='-s -w -linkmode external -extldflags "-static"'
|
ARG LD_FLAGS='-s -w -linkmode external -extldflags "-static"'
|
||||||
ARG TARGETPLATFORM
|
ARG TARGETPLATFORM
|
||||||
|
|
153
Makefile
153
Makefile
|
@ -1,9 +1,142 @@
|
||||||
GO ?= go
|
############
|
||||||
BUILD ?= build
|
# DEFAULTS #
|
||||||
REPO ?= ghcr.io/kyverno/policy-reporter
|
############
|
||||||
IMAGE_TAG ?= 2.20.1
|
|
||||||
LD_FLAGS=-s -w -linkmode external -extldflags "-static"
|
KIND_IMAGE ?= kindest/node:v1.30.2
|
||||||
PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x
|
KIND_NAME ?= kyverno
|
||||||
|
USE_CONFIG ?= standard,no-ingress,in-cluster,all-read-rbac
|
||||||
|
KUBECONFIG ?= ""
|
||||||
|
PIP ?= "pip3"
|
||||||
|
GO ?= go
|
||||||
|
BUILD ?= build
|
||||||
|
IMAGE_TAG ?= 3.0.0
|
||||||
|
|
||||||
|
#############
|
||||||
|
# VARIABLES #
|
||||||
|
#############
|
||||||
|
|
||||||
|
GIT_SHA := $(shell git rev-parse HEAD)
|
||||||
|
TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
|
||||||
|
GOOS ?= $(shell go env GOOS)
|
||||||
|
GOARCH ?= $(shell go env GOARCH)
|
||||||
|
REGISTRY ?= ghcr.io
|
||||||
|
OWNER ?= kyverno
|
||||||
|
KO_REGISTRY := ko.local
|
||||||
|
IMAGE ?= policy-reporter
|
||||||
|
LD_FLAGS := -s -w -linkmode external -extldflags "-static"
|
||||||
|
LOCAL_PLATFORM := linux/$(GOARCH)
|
||||||
|
PLATFORMS := linux/arm64,linux/amd64,linux/s390x
|
||||||
|
REPO := $(REGISTRY)/$(OWNER)/$(IMAGE)
|
||||||
|
COMMA := ,
|
||||||
|
|
||||||
|
ifndef VERSION
|
||||||
|
APP_VERSION := $(GIT_SHA)
|
||||||
|
else
|
||||||
|
APP_VERSION := $(VERSION)
|
||||||
|
endif
|
||||||
|
|
||||||
|
#########
|
||||||
|
# TOOLS #
|
||||||
|
#########
|
||||||
|
|
||||||
|
TOOLS_DIR := $(PWD)/.tools
|
||||||
|
KIND := $(TOOLS_DIR)/kind
|
||||||
|
KIND_VERSION := v0.24.0
|
||||||
|
KO := $(TOOLS_DIR)/ko
|
||||||
|
KO_VERSION := v0.15.1
|
||||||
|
HELM := $(TOOLS_DIR)/helm
|
||||||
|
HELM_VERSION := v3.10.1
|
||||||
|
HELM_DOCS := $(TOOLS_DIR)/helm-docs
|
||||||
|
HELM_DOCS_VERSION := v1.11.0
|
||||||
|
GCI := $(TOOLS_DIR)/gci
|
||||||
|
GCI_VERSION := v0.9.1
|
||||||
|
GOFUMPT := $(TOOLS_DIR)/gofumpt
|
||||||
|
GOFUMPT_VERSION := v0.4.0
|
||||||
|
TOOLS := $(HELM) $(HELM_DOCS) $(GCI) $(GOFUMPT)
|
||||||
|
|
||||||
|
$(HELM):
|
||||||
|
@echo Install helm... >&2
|
||||||
|
@GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
|
||||||
|
|
||||||
|
$(HELM_DOCS):
|
||||||
|
@echo Install helm-docs... >&2
|
||||||
|
@GOBIN=$(TOOLS_DIR) go install github.com/norwoodj/helm-docs/cmd/helm-docs@$(HELM_DOCS_VERSION)
|
||||||
|
|
||||||
|
$(GCI):
|
||||||
|
@echo Install gci... >&2
|
||||||
|
@GOBIN=$(TOOLS_DIR) go install github.com/daixiang0/gci@$(GCI_VERSION)
|
||||||
|
|
||||||
|
$(GOFUMPT):
|
||||||
|
@echo Install gofumpt... >&2
|
||||||
|
@GOBIN=$(TOOLS_DIR) go install mvdan.cc/gofumpt@$(GOFUMPT_VERSION)
|
||||||
|
|
||||||
|
$(KIND):
|
||||||
|
@echo Install kind... >&2
|
||||||
|
@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
|
||||||
|
|
||||||
|
$(KO):
|
||||||
|
@echo Install ko... >&2
|
||||||
|
@GOBIN=$(TOOLS_DIR) go install github.com/google/ko@$(KO_VERSION)
|
||||||
|
|
||||||
|
.PHONY: gci
|
||||||
|
gci: $(GCI)
|
||||||
|
@echo "Running gci"
|
||||||
|
@$(GCI) write -s standard -s default -s "prefix(github.com/kyverno/policy-reporter)" .
|
||||||
|
|
||||||
|
.PHONY: gofumpt
|
||||||
|
gofumpt: $(GOFUMPT)
|
||||||
|
@echo "Running gofumpt"
|
||||||
|
@$(GOFUMPT) -w .
|
||||||
|
|
||||||
|
.PHONY: fmt
|
||||||
|
fmt: gci gofumpt
|
||||||
|
|
||||||
|
.PHONY: install-tools
|
||||||
|
install-tools: $(TOOLS) ## Install tools
|
||||||
|
|
||||||
|
.PHONY: clean-tools
|
||||||
|
clean-tools: ## Remove installed tools
|
||||||
|
@echo Clean tools... >&2
|
||||||
|
@rm -rf $(TOOLS_DIR)
|
||||||
|
|
||||||
|
########
|
||||||
|
# KIND #
|
||||||
|
########
|
||||||
|
|
||||||
|
.PHONY: kind-create-cluster
|
||||||
|
kind-create-cluster: $(KIND) ## Create kind cluster
|
||||||
|
@echo Create kind cluster... >&2
|
||||||
|
@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./scripts/kind.yaml
|
||||||
|
@kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
|
||||||
|
@sleep 15
|
||||||
|
@kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s
|
||||||
|
|
||||||
|
.PHONY: kind-delete-cluster
|
||||||
|
kind-delete-cluster: $(KIND) ## Delete kind cluster
|
||||||
|
@echo Delete kind cluster... >&2
|
||||||
|
@$(KIND) delete cluster --name $(KIND_NAME)
|
||||||
|
|
||||||
|
.PHONY: kind-load
|
||||||
|
kind-load: $(KIND) ko-build ## Build playground image and load it in kind cluster
|
||||||
|
@echo Load playground image... >&2
|
||||||
|
@$(KIND) load docker-image --name $(KIND_NAME) ko.local/github.com/kyverno/policy-reporter:$(GIT_SHA)
|
||||||
|
|
||||||
|
###########
|
||||||
|
# CODEGEN #
|
||||||
|
###########
|
||||||
|
|
||||||
|
.PHONY: codegen-helm-docs
|
||||||
|
codegen-helm-docs: ## Generate helm docs
|
||||||
|
@echo Generate helm docs... >&2
|
||||||
|
@docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
|
||||||
|
|
||||||
|
.PHONY: verify-helm-docs
|
||||||
|
verify-helm-docs: codegen-helm-docs ## Check Helm charts are up to date
|
||||||
|
@echo Checking helm charts are up to date... >&2
|
||||||
|
@git --no-pager diff -- charts
|
||||||
|
@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-helm-docs".' >&2
|
||||||
|
@echo 'To correct this, locally run "make codegen-helm-docs", commit the changes, and re-run tests.' >&2
|
||||||
|
@git diff --quiet --exit-code -- charts
|
||||||
|
|
||||||
all: build
|
all: build
|
||||||
|
|
||||||
|
@ -41,11 +174,3 @@ docker-push:
|
||||||
.PHONY: docker-push-dev
|
.PHONY: docker-push-dev
|
||||||
docker-push-dev:
|
docker-push-dev:
|
||||||
@docker buildx build --progress plane --platform $(PLATFORMS) --tag $(REPO):dev . --build-arg LD_FLAGS='$(LD_FLAGS) -X main.Version=$(IMAGE_TAG)-dev' --push
|
@docker buildx build --progress plane --platform $(PLATFORMS) --tag $(REPO):dev . --build-arg LD_FLAGS='$(LD_FLAGS) -X main.Version=$(IMAGE_TAG)-dev' --push
|
||||||
|
|
||||||
.PHONY: fmt
|
|
||||||
fmt:
|
|
||||||
$(call print-target)
|
|
||||||
@echo "Running gci"
|
|
||||||
@go run github.com/daixiang0/gci@v0.9.1 write -s standard -s default -s "prefix(github.com/kyverno/policy-reporter)" .
|
|
||||||
@echo "Running gofumpt"
|
|
||||||
@go run mvdan.cc/gofumpt@v0.4.0 -w .
|
|
||||||
|
|
71
README.md
71
README.md
|
@ -1,17 +1,20 @@
|
||||||
# Policy Reporter
|
# Policy Reporter 3.x Preview
|
||||||
[![CI](https://github.com/kyverno/policy-reporter/actions/workflows/ci.yaml/badge.svg)](https://github.com/kyverno/policy-reporter/actions/workflows/ci.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/kyverno/policy-reporter)](https://goreportcard.com/report/github.com/kyverno/policy-reporter) [![Coverage Status](https://coveralls.io/repos/github/kyverno/policy-reporter/badge.svg?branch=main)](https://coveralls.io/github/kyverno/policy-reporter?branch=main)
|
[![CI](https://github.com/kyverno/policy-reporter/actions/workflows/ci.yaml/badge.svg)](https://github.com/kyverno/policy-reporter/actions/workflows/ci.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/kyverno/policy-reporter)](https://goreportcard.com/report/github.com/kyverno/policy-reporter) [![Coverage Status](https://coveralls.io/repos/github/kyverno/policy-reporter/badge.svg?branch=main)](https://coveralls.io/github/kyverno/policy-reporter?branch=main)
|
||||||
|
|
||||||
## Motivation
|
|
||||||
|
|
||||||
Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates [PolicyReports](https://kyverno.io/docs/policy-reports/) which you can access with `kubectl`. Because I can't find a simple solution to get a general overview of this PolicyReports and PolicyReportResults, I created this tool to send information about PolicyReports to different targets like [Grafana Loki](https://grafana.com/oss/loki/), [Elasticsearch](https://www.elastic.co/de/elasticsearch/) or [Slack](https://slack.com/).
|
![Screenshot Policy Reporter UI v2](https://github.com/kyverno/policy-reporter/blob/3.x/docs/images/screen.png)
|
||||||
|
|
||||||
Policy Reporter provides also a Prometheus Metrics API as well as an standalone mode along with the [Policy Reporter UI](https://kyverno.github.io/policy-reporter/guide/getting-started#core--policy-reporter-ui).
|
|
||||||
|
|
||||||
This project is in an early stage. Please let me know if anything did not work as expected or if you want to send your audits to unsupported targets.
|
|
||||||
|
|
||||||
## Documentation
|
## Documentation
|
||||||
|
|
||||||
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter).
|
Documentation for upcoming features and changes for the new Policy Reporter UI v2 are located in [Docs](https://github.com/kyverno/policy-reporter/tree/3.x/docs)
|
||||||
|
|
||||||
|
* [Installation](https://github.com/kyverno/policy-reporter/blob/3.x/docs/SETUP.md)
|
||||||
|
* [OAUth2 / OpenIDConnect](https://github.com/kyverno/policy-reporter/blob/3.x/docs/UI_AUTH.md)
|
||||||
|
* [UI CustomBoards](https://github.com/kyverno/policy-reporter/blob/3.x/docs/CUSTOM_BOARDS.md)
|
||||||
|
* [Kyverno PolicyExceptions](https://github.com/kyverno/policy-reporter/blob/3.x/docs/EXCEPTIONS.md)
|
||||||
|
|
||||||
|
The new documentation page for Policy Reporter v3 can be found here: [https://kyverno.github.io/policy-reporter-docs/](https://kyverno.github.io/policy-reporter-docs/)
|
||||||
|
|
||||||
## Getting Started
|
## Getting Started
|
||||||
|
|
||||||
|
@ -25,60 +28,10 @@ helm repo add policy-reporter https://kyverno.github.io/policy-reporter
|
||||||
helm repo update
|
helm repo update
|
||||||
```
|
```
|
||||||
|
|
||||||
### Basic Installation
|
|
||||||
|
|
||||||
The basic installation provides optional Prometheus Metrics and/or optional REST APIs, for more details have a look at the [Documentation](https://kyverno.github.io/policy-reporter/guide/getting-started).
|
|
||||||
|
|
||||||
```bash
|
|
||||||
helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --set metrics.enabled=true --set rest.enabled=true --create-namespace
|
|
||||||
```
|
|
||||||
|
|
||||||
### Installation without Helm or Kustomize
|
|
||||||
|
|
||||||
To install Policy Reporter without Helm or Kustomize have a look at [manifests](https://github.com/kyverno/policy-reporter/tree/main/manifest).
|
|
||||||
|
|
||||||
## Policy Reporter UI
|
|
||||||
|
|
||||||
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
|
|
||||||
|
|
||||||
### Installation with Policy Reporter UI and Kyverno Plugin enabled
|
### Installation with Policy Reporter UI and Kyverno Plugin enabled
|
||||||
```bash
|
```bash
|
||||||
helm install policy-reporter policy-reporter/policy-reporter --set kyvernoPlugin.enabled=true --set ui.enabled=true --set ui.plugins.kyverno=true -n policy-reporter --create-namespace
|
helm install policy-reporter policy-reporter/policy-reporter --create-namespace -n policy-reporter --devel --set ui.enabled=true --set kyverno-plugin.enabled=true
|
||||||
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
|
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
|
||||||
```
|
```
|
||||||
Open `http://localhost:8082/` in your browser.
|
|
||||||
|
|
||||||
Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/getting-started#core--policy-reporter-ui) for Screens and additional Information
|
Open `http://localhost:8082/` in your browser.
|
||||||
|
|
||||||
## Targets
|
|
||||||
|
|
||||||
Policy Reporter supports the following [Targets](https://kyverno.github.io/policy-reporter/core/targets) to send new (Cluster)PolicyReport Results too:
|
|
||||||
* [Grafana Loki](https://kyverno.github.io/policy-reporter/core/targets#grafana-loki)
|
|
||||||
* [Elasticsearch](https://kyverno.github.io/policy-reporter/core/targets#elasticsearch)
|
|
||||||
* [Microsoft Teams](https://kyverno.github.io/policy-reporter/core/targets#microsoft-teams)
|
|
||||||
* [Slack](https://kyverno.github.io/policy-reporter/core/targets#slack)
|
|
||||||
* [Discord](https://kyverno.github.io/policy-reporter/core/targets#discord)
|
|
||||||
* [Policy Reporter UI](https://kyverno.github.io/policy-reporter/core/targets#policy-reporter-ui)
|
|
||||||
* [Webhook](https://kyverno.github.io/policy-reporter/core/targets#webhook)
|
|
||||||
* [S3](https://kyverno.github.io/policy-reporter/core/targets#s3-compatible-storage)
|
|
||||||
* [AWS Kinesis compatible Services](https://kyverno.github.io/policy-reporter/core/targets#kinesis-compatible-services)
|
|
||||||
* [AWS SecurityHub](https://kyverno.github.io/policy-reporter/core/targets#aws-securityhub)
|
|
||||||
* [Google Cloud Storage](https://kyverno.github.io/policy-reporter/core/targets/#google-cloud-storage)
|
|
||||||
* [Telegram](https://kyverno.github.io/policy-reporter/core/targets#telegram)
|
|
||||||
* [Google Chat](https://kyverno.github.io/policy-reporter/core/targets#google-chat)
|
|
||||||
|
|
||||||
## Monitoring
|
|
||||||
|
|
||||||
The Helm Chart includes optional SubChart for [Prometheus Operator](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) Integration. The provided Dashboards working without Loki and are only based on the Prometheus Metrics.
|
|
||||||
|
|
||||||
Have a look into the [Documentation](https://kyverno.github.io/policy-reporter/guide/helm-chart-core/#configure-the-servicemonitor) for details.
|
|
||||||
|
|
||||||
### Grafana Dashboard Import
|
|
||||||
|
|
||||||
If you are not using the MonitoringStack you can import the dashboards from [Grafana](https://grafana.com/orgs/policyreporter/dashboards)
|
|
||||||
|
|
||||||
## Resources
|
|
||||||
|
|
||||||
* [[Video] 37. #EveryoneCanContribute cafe: Policy reporter for Kyverno](https://youtu.be/1mKywg9f5Fw)
|
|
||||||
* [[Video] Rawkode Live: Hands on Policy Reporter](https://www.youtube.com/watch?v=ZrOtTELNLyg)
|
|
||||||
* [[Blog] Monitor Security and Best Practices with Kyverno and Policy Reporter](https://blog.webdev-jogeleit.de/blog/monitor-security-with-kyverno-and-policy-reporter/)
|
|
|
@ -1,12 +0,0 @@
|
||||||
dependencies:
|
|
||||||
- name: monitoring
|
|
||||||
repository: ""
|
|
||||||
version: 2.8.2
|
|
||||||
- name: ui
|
|
||||||
repository: ""
|
|
||||||
version: 2.10.5
|
|
||||||
- name: kyvernoPlugin
|
|
||||||
repository: ""
|
|
||||||
version: 1.6.5
|
|
||||||
digest: sha256:5ee2b291bc447466442a8ea81f94fc852352ac8ae15045525778fdea3769c7c2
|
|
||||||
generated: "2024-02-04T10:42:39.448841+01:00"
|
|
|
@ -5,8 +5,8 @@ description: |
|
||||||
It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
|
It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
|
||||||
|
|
||||||
type: application
|
type: application
|
||||||
version: 2.24.2
|
version: 3.0.0-rc.1
|
||||||
appVersion: 2.20.2
|
appVersion: 3.0.0-rc.1
|
||||||
|
|
||||||
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
||||||
home: https://kyverno.github.io/policy-reporter
|
home: https://kyverno.github.io/policy-reporter
|
||||||
|
@ -14,14 +14,3 @@ sources:
|
||||||
- https://github.com/kyverno/policy-reporter
|
- https://github.com/kyverno/policy-reporter
|
||||||
maintainers:
|
maintainers:
|
||||||
- name: Frank Jogeleit
|
- name: Frank Jogeleit
|
||||||
|
|
||||||
dependencies:
|
|
||||||
- name: monitoring
|
|
||||||
condition: monitoring.enabled
|
|
||||||
version: "2.8.2"
|
|
||||||
- name: ui
|
|
||||||
condition: ui.enabled
|
|
||||||
version: "2.10.5"
|
|
||||||
- name: kyvernoPlugin
|
|
||||||
condition: kyvernoPlugin.enabled
|
|
||||||
version: "1.6.5"
|
|
||||||
|
|
|
@ -1,16 +1,13 @@
|
||||||
# Policy Reporter
|
# policy-reporter
|
||||||
|
|
||||||
![Version: v2.24.1](https://img.shields.io/badge/Version-v2.24.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.20.1](https://img.shields.io/badge/AppVersion-v2.20.1-informational?style=flat-square)
|
Policy Reporter watches for PolicyReport Resources.
|
||||||
|
It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
|
||||||
|
|
||||||
## Motivation
|
![Version: 3.0.0-rc.1](https://img.shields.io/badge/Version-3.0.0--rc.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0-rc.1](https://img.shields.io/badge/AppVersion-3.0.0--rc.1-informational?style=flat-square)
|
||||||
|
|
||||||
Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates [PolicyReports](https://kyverno.io/docs/policy-reports/) which you can access with `kubectl`. Because I can't find a simple solution to get a general overview of this PolicyReports and PolicyReportResults, I created this tool to send information about PolicyReports to different targets like [Grafana Loki](https://grafana.com/oss/loki/), [Elasticsearch](https://www.elastic.co/de/elasticsearch/) or [Slack](https://slack.com/).
|
|
||||||
|
|
||||||
## Documentation
|
## Documentation
|
||||||
|
|
||||||
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-getting-started#core--policy-reporter-ui).
|
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter-docs).
|
||||||
|
|
||||||
## Getting Started
|
|
||||||
|
|
||||||
## Installation with Helm v3
|
## Installation with Helm v3
|
||||||
|
|
||||||
|
@ -35,16 +32,549 @@ helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter
|
||||||
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
|
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
|
||||||
|
|
||||||
### Installation with Policy Reporter UI and Kyverno Plugin enabled
|
### Installation with Policy Reporter UI and Kyverno Plugin enabled
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
helm install policy-reporter policy-reporter/policy-reporter --set kyvernoPlugin.enabled=true --set ui.enabled=true --set ui.plugins.kyverno=true -n policy-reporter --create-namespace
|
helm install policy-reporter policy-reporter/policy-reporter --set plugin.kyverno.enabled=true --set ui.enabled=true -n policy-reporter --create-namespace
|
||||||
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
|
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
|
||||||
```
|
```
|
||||||
Open `http://localhost:8082/` in your browser.
|
Open `http://localhost:8082/` in your browser.
|
||||||
|
|
||||||
Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-getting-started#core--policy-reporter-ui) for Screens and additional Information
|
## Values
|
||||||
|
|
||||||
## Resources
|
| Key | Type | Default | Description |
|
||||||
|
|-----|------|---------|-------------|
|
||||||
|
| nameOverride | string | `""` | Override the chart name used for all resources |
|
||||||
|
| fullnameOverride | string | `"policy-reporter"` | Overwrite the fullname of all resources |
|
||||||
|
| namespaceOverride | string | `""` | Overwrite the namespace of all resources |
|
||||||
|
| image.registry | string | `"ghcr.io"` | Image registry |
|
||||||
|
| image.repository | string | `"kyverno/policy-reporter"` | Image repository |
|
||||||
|
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy |
|
||||||
|
| image.tag | string | `"12da466"` | Image tag |
|
||||||
|
| imagePullSecrets | list | `[]` | Image pullSecrets |
|
||||||
|
| priorityClassName | string | `""` | Deployment priorityClassName |
|
||||||
|
| replicaCount | int | `1` | Deployment replica count |
|
||||||
|
| revisionHistoryLimit | int | `10` | The number of revisions to keep |
|
||||||
|
| updateStrategy | object | `{}` | Deployment strategy |
|
||||||
|
| port | object | `{"name":"http","number":8080}` | Container port |
|
||||||
|
| annotations | object | `{}` | Key/value pairs that are attached to all resources. |
|
||||||
|
| rbac.enabled | bool | `true` | Create RBAC resources |
|
||||||
|
| serviceAccount.create | bool | `true` | Create ServiceAccount |
|
||||||
|
| serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
|
||||||
|
| serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
|
||||||
|
| serviceAccount.name | string | `""` | The ServiceAccount name |
|
||||||
|
| service.enabled | bool | `true` | Create Service |
|
||||||
|
| service.type | string | `"ClusterIP"` | Service type |
|
||||||
|
| service.port | int | `8080` | Service port |
|
||||||
|
| service.annotations | object | `{}` | Service annotations |
|
||||||
|
| service.labels | object | `{}` | Service labels |
|
||||||
|
| podSecurityContext | object | `{"fsGroup":1234}` | Security context for the pod |
|
||||||
|
| securityContext.runAsUser | int | `1234` | |
|
||||||
|
| securityContext.runAsNonRoot | bool | `true` | |
|
||||||
|
| securityContext.privileged | bool | `false` | |
|
||||||
|
| securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||||
|
| securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||||
|
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||||
|
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||||
|
| securityContext.podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
||||||
|
| securityContext.podLabels | object | `{}` | Additional labels to add to each pod |
|
||||||
|
| resources | object | `{}` | Resource constraints |
|
||||||
|
| networkPolicy.enabled | bool | `false` | Create NetworkPolicy |
|
||||||
|
| networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}],"to":null}]` | Egress rule to allowe Kubernetes API Server access |
|
||||||
|
| networkPolicy.ingress | list | `[]` | |
|
||||||
|
| ingress.enabled | bool | `false` | Create Ingress This ingress exposes the policy-reporter core app. |
|
||||||
|
| ingress.className | string | `""` | Ingress className |
|
||||||
|
| ingress.labels | object | `{}` | Labels for the Ingress |
|
||||||
|
| ingress.annotations | object | `{}` | Annotations for the Ingress |
|
||||||
|
| ingress.hosts | string | `nil` | Ingress host list |
|
||||||
|
| ingress.tls | list | `[]` | Ingress tls list |
|
||||||
|
| logging.server | bool | `false` | Enables server access logging |
|
||||||
|
| logging.encoding | string | `"console"` | Log encoding possible encodings are console and json |
|
||||||
|
| logging.logLevel | int | `0` | Log level default info |
|
||||||
|
| rest.enabled | bool | `false` | Enables the REST API |
|
||||||
|
| metrics.enabled | bool | `false` | Enables Prometheus Metrics |
|
||||||
|
| metrics.mode | string | `"detailed"` | Metric Mode allowes to customize labels Allowed values: detailed, simple, custom |
|
||||||
|
| metrics.customLabels | list | `[]` | List of used labels in custom mode Supported fields are: ["namespace", "rule", "policy", "report" // PolicyReport name, "kind" // resource kind, "name" // resource name, "status", "severity", "category", "source"] |
|
||||||
|
| metrics.filter | object | `{}` | Filter results to reduce cardinality |
|
||||||
|
| profiling.enabled | bool | `false` | Enable profiling with pprof |
|
||||||
|
| worker | int | `5` | Amount of queue workers for PolicyReport resource processing |
|
||||||
|
| reportFilter | object | `{}` | Filter PolicyReport resources to process |
|
||||||
|
| sourceConfig | list | `[]` | Customize source specific logic like result ID generation |
|
||||||
|
| sourceFilters[0].selector.source | string | `"kyverno"` | select PolicyReport by source |
|
||||||
|
| sourceFilters[0].uncontrolledOnly | bool | `true` | Filter out PolicyReports of controlled Pods and Jobs, only works for PolicyReport with scope resource |
|
||||||
|
| sourceFilters[0].disableClusterReports | bool | `false` | Filter out ClusterPolicyReports |
|
||||||
|
| sourceFilters[0].kinds | object | `{"exclude":["ReplicaSet"]}` | Filter out PolicyReports based on the scope resource kind |
|
||||||
|
| global.labels | object | `{}` | additional labels added on each resource |
|
||||||
|
| basicAuth.username | string | `""` | HTTP BasicAuth username |
|
||||||
|
| basicAuth.password | string | `""` | HTTP BasicAuth password |
|
||||||
|
| basicAuth.secretRef | optional | `""` | Secret reference to get username and/or password from |
|
||||||
|
| emailReports.clusterName | optional | `""` | - Displayed in the email report if configured |
|
||||||
|
| emailReports.titlePrefix | string | `"Report"` | Title prefix in the email subject |
|
||||||
|
| emailReports.resources | object | `{}` | Resource constraints for the created CronJobs |
|
||||||
|
| emailReports.smtp.secret | optional | `""` | Secret reference to provide the complete or partial SMTP configuration |
|
||||||
|
| emailReports.smtp.host | string | `""` | SMTP Server Host |
|
||||||
|
| emailReports.smtp.port | int | `465` | SMTP Server Port |
|
||||||
|
| emailReports.smtp.username | string | `""` | SMTP Username |
|
||||||
|
| emailReports.smtp.password | string | `""` | SMTP Password |
|
||||||
|
| emailReports.smtp.from | string | `""` | Displayed from email address |
|
||||||
|
| emailReports.smtp.encryption | string | `""` | SMTP Encryption Default is none, supports ssl/tls and starttls |
|
||||||
|
| emailReports.smtp.skipTLS | bool | `false` | Skip SMTP TLS verification |
|
||||||
|
| emailReports.smtp.certificate | string | `""` | SMTP Server Certificate file path |
|
||||||
|
| emailReports.summary.enabled | bool | `false` | Enable Summary E-Mail reports |
|
||||||
|
| emailReports.summary.schedule | string | `"0 8 * * *"` | CronJob schedule |
|
||||||
|
| emailReports.summary.activeDeadlineSeconds | int | `300` | CronJob activeDeadlineSeconds |
|
||||||
|
| emailReports.summary.backoffLimit | int | `3` | CronJob backoffLimit |
|
||||||
|
| emailReports.summary.ttlSecondsAfterFinished | int | `0` | CronJob ttlSecondsAfterFinished |
|
||||||
|
| emailReports.summary.restartPolicy | string | `"Never"` | CronJob restartPolicy |
|
||||||
|
| emailReports.summary.to | list | `[]` | List of receiver email addresses |
|
||||||
|
| emailReports.summary.filter | optional | `{}` | Report filter |
|
||||||
|
| emailReports.summary.channels | optional | `[]` | Channels can be used to to send only a subset of namespaces / sources to dedicated email addresses |
|
||||||
|
| emailReports.violations.enabled | bool | `false` | Enable Violation Summary E-Mail reports |
|
||||||
|
| emailReports.violations.schedule | string | `"0 8 * * *"` | CronJob schedule |
|
||||||
|
| emailReports.violations.activeDeadlineSeconds | int | `300` | CronJob activeDeadlineSeconds |
|
||||||
|
| emailReports.violations.backoffLimit | int | `3` | CronJob backoffLimit |
|
||||||
|
| emailReports.violations.ttlSecondsAfterFinished | int | `0` | CronJob ttlSecondsAfterFinished |
|
||||||
|
| emailReports.violations.restartPolicy | string | `"Never"` | CronJob restartPolicy |
|
||||||
|
| emailReports.violations.to | list | `[]` | List of receiver email addresses |
|
||||||
|
| emailReports.violations.filter | optional | `{}` | Report filter |
|
||||||
|
| emailReports.violations.channels | optional | `[]` | Channels can be used to to send only a subset of namespaces / sources to dedicated email addresses |
|
||||||
|
| existingTargetConfig.enabled | bool | `false` | Use an already existing configuration |
|
||||||
|
| existingTargetConfig.name | string | `""` | Name of the secret with the config |
|
||||||
|
| existingTargetConfig.subPath | string | `""` | SubPath within the secret (defaults to config.yaml) |
|
||||||
|
| target.loki.host | string | `""` | Host Address |
|
||||||
|
| target.loki.path | string | `""` | Loki API, defaults to "/loki/api/v1/push" |
|
||||||
|
| target.loki.certificate | string | `""` | Server Certificate file path Can be added under extraVolumes |
|
||||||
|
| target.loki.skipTLS | bool | `false` | Skip TLS verification |
|
||||||
|
| target.loki.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.loki.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.loki.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.loki.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.loki.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.loki.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.loki.headers | object | `{}` | Additional HTTP Headers |
|
||||||
|
| target.loki.username | string | `""` | HTTP BasicAuth username |
|
||||||
|
| target.loki.password | string | `""` | HTTP BasicAuth password |
|
||||||
|
| target.loki.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.loki.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.elasticsearch.host | string | `""` | Host address |
|
||||||
|
| target.elasticsearch.certificate | string | `""` | Server Certificate file path Can be added under extraVolumes |
|
||||||
|
| target.elasticsearch.skipTLS | bool | `false` | Skip TLS verification |
|
||||||
|
| target.elasticsearch.index | string | `"policy-reporter"` | Elasticsearch index (default: policy-reporter) |
|
||||||
|
| target.elasticsearch.rotation | string | `"daily"` | Elasticsearch index rotation and index suffix Possible values: daily, monthly, annually, none (default: daily) |
|
||||||
|
| target.elasticsearch.typelessApi | bool | `false` | Enables Elasticsearch typless API https://www.elastic.co/blog/moving-from-types-to-typeless-apis-in-elasticsearch-7-0 keeping as false for retrocompatibility. |
|
||||||
|
| target.elasticsearch.username | string | `""` | HTTP BasicAuth username |
|
||||||
|
| target.elasticsearch.password | string | `""` | HTTP BasicAuth password |
|
||||||
|
| target.elasticsearch.apiKey | string | `""` | Elasticsearch API Key for api key authentication |
|
||||||
|
| target.elasticsearch.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.elasticsearch.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.elasticsearch.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.elasticsearch.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.elasticsearch.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.elasticsearch.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.elasticsearch.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.elasticsearch.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.slack.webhook | string | `""` | Webhook Address |
|
||||||
|
| target.slack.channel | string | `""` | Slack Channel |
|
||||||
|
| target.slack.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.slack.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.slack.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.slack.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.slack.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.slack.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.slack.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.slack.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.discord.webhook | string | `""` | Webhook Address |
|
||||||
|
| target.discord.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.discord.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.discord.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.discord.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.discord.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.discord.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.discord.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.discord.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.teams.webhook | string | `""` | Webhook Address |
|
||||||
|
| target.teams.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.teams.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.teams.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.teams.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.teams.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.teams.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.teams.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.teams.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.webhook.host | string | `""` | Webhook Address |
|
||||||
|
| target.webhook.headers | object | `{}` | Additional HTTP Headers |
|
||||||
|
| target.webhook.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.webhook.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.webhook.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.webhook.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.webhook.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.webhook.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.webhook.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.webhook.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.telegram.token | string | `""` | Telegram bot token |
|
||||||
|
| target.telegram.chatId | string | `""` | Telegram chat id |
|
||||||
|
| target.telegram.host | optional | `""` | Telegram proxy host |
|
||||||
|
| target.telegram.headers | object | `{}` | Additional HTTP Headers |
|
||||||
|
| target.telegram.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.telegram.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.telegram.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.telegram.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.telegram.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.telegram.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.telegram.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.telegram.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.googleChat.webhook | string | `""` | Webhook Address |
|
||||||
|
| target.googleChat.headers | object | `{}` | Additional HTTP Headers |
|
||||||
|
| target.googleChat.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.googleChat.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.googleChat.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.googleChat.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.googleChat.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.googleChat.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.googleChat.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.googleChat.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.s3.accessKeyId | optional | `""` | S3 Access key |
|
||||||
|
| target.s3.secretAccessKey | optional | `""` | S3 SecretAccess key |
|
||||||
|
| target.s3.region | optional | `""` | S3 Storage region |
|
||||||
|
| target.s3.endpoint | optional | `""` | S3 Storage endpoint |
|
||||||
|
| target.s3.bucket | required | `""` | S3 Storage bucket name |
|
||||||
|
| target.s3.bucketKeyEnabled | bool | `false` | S3 Storage to use an S3 Bucket Key for object encryption with SSE-KMS |
|
||||||
|
| target.s3.kmsKeyId | string | `""` | S3 Storage KMS Key ID for object encryption with SSE-KMS |
|
||||||
|
| target.s3.serverSideEncryption | string | `""` | S3 Storage server-side encryption algorithm used when storing this object in Amazon S3, AES256, aws:kms |
|
||||||
|
| target.s3.pathStyle | bool | `false` | S3 Storage, force path style configuration |
|
||||||
|
| target.s3.prefix | string | `""` | Used prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
|
||||||
|
| target.s3.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.s3.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.s3.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.s3.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.s3.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.s3.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.s3.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.s3.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.kinesis.accessKeyId | optional | `""` | Access key |
|
||||||
|
| target.kinesis.secretAccessKey | optional | `""` | SecretAccess key |
|
||||||
|
| target.kinesis.region | optional | `""` | Region |
|
||||||
|
| target.kinesis.endpoint | optional | `""` | Endpoint |
|
||||||
|
| target.kinesis.streamName | required | `""` | StreamName |
|
||||||
|
| target.kinesis.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.kinesis.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.kinesis.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.kinesis.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.kinesis.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.kinesis.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.kinesis.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.kinesis.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.securityHub.accessKeyId | optional | `""` | Access key |
|
||||||
|
| target.securityHub.secretAccessKey | optional | `""` | SecretAccess key |
|
||||||
|
| target.securityHub.region | optional | `""` | Region |
|
||||||
|
| target.securityHub.endpoint | optional | `""` | Endpoint |
|
||||||
|
| target.securityHub.accountId | required | `""` | AccountId |
|
||||||
|
| target.securityHub.productName | optional | `""` | Used product name, defaults to "Polilcy Reporter" |
|
||||||
|
| target.securityHub.companyName | optional | `""` | Used company name, defaults to "Kyverno" |
|
||||||
|
| target.securityHub.synchronize | bool | `true` | Enable cleanup listener for SecurityHub |
|
||||||
|
| target.securityHub.delayInSeconds | int | `2` | Delay between AWS GetFindings API calls, to avoid hitting the API RequestLimit |
|
||||||
|
| target.securityHub.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.securityHub.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.securityHub.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.securityHub.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.securityHub.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.securityHub.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.securityHub.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.securityHub.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| target.gcs.credentials | optional | `""` | GCS (Google Cloud Storage) Service Accout Credentials |
|
||||||
|
| target.gcs.bucket | required | `""` | GCS Bucket |
|
||||||
|
| target.gcs.secretRef | string | `""` | Read configuration from an already existing Secret |
|
||||||
|
| target.gcs.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
|
||||||
|
| target.gcs.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
|
||||||
|
| target.gcs.sources | list | `[]` | List of sources which should send |
|
||||||
|
| target.gcs.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
|
||||||
|
| target.gcs.customFields | object | `{}` | Added as additional labels |
|
||||||
|
| target.gcs.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
|
||||||
|
| target.gcs.channels | list | `[]` | List of channels to route results to different configurations |
|
||||||
|
| leaderElection.releaseOnCancel | bool | `true` | |
|
||||||
|
| leaderElection.leaseDuration | int | `15` | |
|
||||||
|
| leaderElection.renewDeadline | int | `10` | |
|
||||||
|
| leaderElection.retryPeriod | int | `2` | |
|
||||||
|
| redis.enabled | bool | `false` | Enables Redis as external result cache, uses in memory cache by default |
|
||||||
|
| redis.address | string | `""` | Redis host |
|
||||||
|
| redis.database | int | `0` | Redis database |
|
||||||
|
| redis.prefix | string | `"policy-reporter"` | Redis key prefix |
|
||||||
|
| redis.username | optional | `""` | Username |
|
||||||
|
| redis.password | optional | `""` | Password |
|
||||||
|
| database.type | string | `""` | Use an external Database, supported: mysql, postgres, mariadb |
|
||||||
|
| database.database | string | `""` | Database |
|
||||||
|
| database.username | string | `""` | Username |
|
||||||
|
| database.password | string | `""` | Password |
|
||||||
|
| database.host | string | `""` | Host Address |
|
||||||
|
| database.enableSSL | bool | `false` | Enables SSL |
|
||||||
|
| database.dsn | string | `""` | Instead of configure the individual values you can also provide an DSN string example postgres: postgres://postgres:password@localhost:5432/postgres?sslmode=disable example mysql: root:password@tcp(localhost:3306)/test?tls=false |
|
||||||
|
| database.secretRef | string | `""` | Read configuration from an existing Secret supported fields: username, password, host, dsn, database |
|
||||||
|
| database.mountedSecret | string | `""` | |
|
||||||
|
| podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for policy-reporter disruptions. Cannot be used if `maxUnavailable` is set. |
|
||||||
|
| podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for policy-reporter disruptions. Cannot be used if `minAvailable` is set. |
|
||||||
|
| nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
|
||||||
|
| tolerations | list | `[]` | Tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
|
||||||
|
| affinity | object | `{}` | Anti-affinity to disallow deploying client and master nodes on the same worker node |
|
||||||
|
| topologySpreadConstraints | list | `[]` | Topology Spread Constraints to better spread pods |
|
||||||
|
| livenessProbe | object | `{"httpGet":{"path":"/ready","port":"http"}}` | Deployment livenessProbe for policy-reporter |
|
||||||
|
| readinessProbe | object | `{"httpGet":{"path":"/healthz","port":"http"}}` | Deployment readinessProbe for policy-reporter |
|
||||||
|
| extraVolumes.volumeMounts | list | `[]` | Deployment volumeMounts |
|
||||||
|
| extraVolumes.volumes | list | `[]` | Deployment values |
|
||||||
|
| sqliteVolume | object | `{}` | If set the volume for sqlite is freely configurable below "- name: sqlite". If no value is set an emptyDir is used. |
|
||||||
|
| envVars | list | `[]` | Allow additional env variables to be added |
|
||||||
|
| tmpVolume | object | `{}` | Allow custom configuration of the /tmp volume |
|
||||||
|
| ui.enabled | bool | `false` | Enable Policy Reporter UI |
|
||||||
|
| ui.image.registry | string | `"ghcr.io"` | Image registry |
|
||||||
|
| ui.image.repository | string | `"kyverno/policy-reporter-ui"` | Image repository |
|
||||||
|
| ui.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
|
||||||
|
| ui.image.tag | string | `"2.0.0-rc.1"` | Image tag |
|
||||||
|
| ui.replicaCount | int | `1` | Deployment replica count |
|
||||||
|
| ui.tempDir | string | `"/tmp"` | Temporary Directory to persist session data for authentication |
|
||||||
|
| ui.logging.api | bool | `false` | Enables external api request logging |
|
||||||
|
| ui.logging.server | bool | `false` | Enables server access logging |
|
||||||
|
| ui.logging.encoding | string | `"console"` | Log encoding possible encodings are console and json |
|
||||||
|
| ui.logging.logLevel | int | `0` | Log level default info |
|
||||||
|
| ui.server.port | int | `8080` | Application port |
|
||||||
|
| ui.server.cors | bool | `true` | Enabled CORS header |
|
||||||
|
| ui.server.overwriteHost | bool | `true` | Overwrites Request Host with Proxy Host and adds `X-Forwarded-Host` and `X-Origin-Host` headers |
|
||||||
|
| ui.openIDConnect.enabled | bool | `false` | Enable openID Connect authentication |
|
||||||
|
| ui.openIDConnect.discoveryUrl | string | `""` | OpenID Connect Discovery URL |
|
||||||
|
| ui.openIDConnect.callbackUrl | string | `""` | OpenID Connect Callback URL |
|
||||||
|
| ui.openIDConnect.clientId | string | `""` | OpenID Connect ClientID |
|
||||||
|
| ui.openIDConnect.clientSecret | string | `""` | OpenID Connect ClientSecret |
|
||||||
|
| ui.openIDConnect.scopes | list | `[]` | OpenID Connect allowed Scopes |
|
||||||
|
| ui.openIDConnect.secretRef | string | `""` | Provide OpenID Connect configuration via Secret supported keys: `discoveryUrl`, `clientId`, `clientSecret` |
|
||||||
|
| ui.oauth.enabled | bool | `false` | Enable openID Connect authentication |
|
||||||
|
| ui.oauth.provider | string | `""` | OAuth2 Provider supported: amazon, gitlab, github, apple, google, yandex, azuread |
|
||||||
|
| ui.oauth.callbackUrl | string | `""` | OpenID Connect Callback URL |
|
||||||
|
| ui.oauth.clientId | string | `""` | OpenID Connect ClientID |
|
||||||
|
| ui.oauth.clientSecret | string | `""` | OpenID Connect ClientSecret |
|
||||||
|
| ui.oauth.scopes | list | `[]` | OpenID Connect allowed Scopes |
|
||||||
|
| ui.oauth.secretRef | string | `""` | Provide OpenID Connect configuration via Secret supported keys: `provider`, `clientId`, `clientSecret` |
|
||||||
|
| ui.banner | string | `""` | optional banner text |
|
||||||
|
| ui.displayMode | string | `""` | DisplayMode dark/light/colorblind/colorblinddark uses the OS configured prefered color scheme as default |
|
||||||
|
| ui.customBoards | list | `[]` | Additional customizable dashboards |
|
||||||
|
| ui.sources | list | `[]` | source specific configurations |
|
||||||
|
| ui.name | string | `"Default"` | |
|
||||||
|
| ui.clusters | list | `[]` | Connected Policy Reporter APIs |
|
||||||
|
| ui.imagePullSecrets | list | `[]` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
|
||||||
|
| ui.serviceAccount.create | bool | `true` | Create ServiceAccount |
|
||||||
|
| ui.serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
|
||||||
|
| ui.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
|
||||||
|
| ui.serviceAccount.name | string | `""` | The ServiceAccount name |
|
||||||
|
| ui.extraManifests | list | `[]` | list of extra manifests |
|
||||||
|
| ui.sidecarContainers | object | `{}` | Add sidecar containers to the UI deployment sidecarContainers: oauth-proxy: image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 args: - --upstream=http://127.0.0.1:8080 - --http-address=0.0.0.0:8081 - ... ports: - containerPort: 8081 name: oauth-proxy protocol: TCP resources: {} |
|
||||||
|
| ui.podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
||||||
|
| ui.podLabels | object | `{}` | Additional labels to add to each pod |
|
||||||
|
| ui.updateStrategy | object | `{}` | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
||||||
|
| ui.revisionHistoryLimit | int | `10` | The number of revisions to keep |
|
||||||
|
| ui.podSecurityContext | object | `{"runAsGroup":1234,"runAsUser":1234}` | Security context for the pod |
|
||||||
|
| ui.envVars | list | `[]` | Allow additional env variables to be added |
|
||||||
|
| ui.rbac.enabled | bool | `true` | Create RBAC resources |
|
||||||
|
| ui.securityContext.runAsUser | int | `1234` | |
|
||||||
|
| ui.securityContext.runAsNonRoot | bool | `true` | |
|
||||||
|
| ui.securityContext.privileged | bool | `false` | |
|
||||||
|
| ui.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||||
|
| ui.securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||||
|
| ui.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||||
|
| ui.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||||
|
| ui.service.type | string | `"ClusterIP"` | Service type. |
|
||||||
|
| ui.service.port | int | `8080` | Service port. |
|
||||||
|
| ui.service.annotations | object | `{}` | Service annotations. |
|
||||||
|
| ui.service.labels | object | `{}` | Service labels. |
|
||||||
|
| ui.service.additionalPorts | list | `[]` | Additional service ports for e.g. Sidecars # - name: authenticated additionalPorts: - name: authenticated port: 8081 targetPort: 8081 |
|
||||||
|
| ui.ingress.enabled | bool | `false` | Create ingress resource. |
|
||||||
|
| ui.ingress.port | string | `nil` | Redirect ingress to an additional defined port on the service |
|
||||||
|
| ui.ingress.className | string | `""` | Ingress class name. |
|
||||||
|
| ui.ingress.labels | object | `{}` | Ingress labels. |
|
||||||
|
| ui.ingress.annotations | object | `{}` | Ingress annotations. |
|
||||||
|
| ui.ingress.hosts | list | `[]` | List of ingress host configurations. |
|
||||||
|
| ui.ingress.tls | list | `[]` | List of ingress TLS configurations. |
|
||||||
|
| ui.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
|
||||||
|
| ui.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
|
||||||
|
| ui.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
|
||||||
|
| ui.resources | object | `{}` | Resource constraints |
|
||||||
|
| ui.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if `maxUnavailable` is set. |
|
||||||
|
| ui.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if `minAvailable` is set. |
|
||||||
|
| ui.nodeSelector | object | `{}` | Node labels for pod assignment |
|
||||||
|
| ui.tolerations | list | `[]` | List of node taints to tolerate |
|
||||||
|
| ui.affinity | object | `{}` | Affinity constraints. |
|
||||||
|
| plugin.kyverno.enabled | bool | `false` | Enable Kyverno Plugin |
|
||||||
|
| plugin.kyverno.image.registry | string | `"ghcr.io"` | Image registry |
|
||||||
|
| plugin.kyverno.image.repository | string | `"kyverno/policy-reporter/kyverno-plugin"` | Image repository |
|
||||||
|
| plugin.kyverno.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
|
||||||
|
| plugin.kyverno.image.tag | string | `"0.3.0"` | Image tag Defaults to `Chart.AppVersion` if omitted |
|
||||||
|
| plugin.kyverno.replicaCount | int | `1` | Deployment replica count |
|
||||||
|
| plugin.kyverno.logging.api | bool | `false` | Enables external API request logging |
|
||||||
|
| plugin.kyverno.logging.server | bool | `false` | Enables Server access logging |
|
||||||
|
| plugin.kyverno.logging.encoding | string | `"console"` | log encoding possible encodings are console and json |
|
||||||
|
| plugin.kyverno.logging.logLevel | int | `0` | log level default info |
|
||||||
|
| plugin.kyverno.server.port | int | `8080` | Application port |
|
||||||
|
| plugin.kyverno.blockReports.enabled | bool | `false` | Enables he BlockReport feature |
|
||||||
|
| plugin.kyverno.blockReports.eventNamespace | string | `"default"` | Watches for Kyverno Events in the configured namespace leave blank to watch in all namespaces |
|
||||||
|
| plugin.kyverno.blockReports.results.maxPerReport | int | `200` | Max items per PolicyReport resource |
|
||||||
|
| plugin.kyverno.blockReports.results.keepOnlyLatest | bool | `false` | Keep only the latest of duplicated events |
|
||||||
|
| plugin.kyverno.imagePullSecrets | list | `[]` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
|
||||||
|
| plugin.kyverno.serviceAccount.create | bool | `true` | Create ServiceAccount |
|
||||||
|
| plugin.kyverno.serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
|
||||||
|
| plugin.kyverno.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
|
||||||
|
| plugin.kyverno.serviceAccount.name | string | `""` | The ServiceAccount name |
|
||||||
|
| plugin.kyverno.podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
||||||
|
| plugin.kyverno.podLabels | object | `{}` | Additional labels to add to each pod |
|
||||||
|
| plugin.kyverno.updateStrategy | object | `{}` | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
||||||
|
| plugin.kyverno.revisionHistoryLimit | int | `10` | The number of revisions to keep |
|
||||||
|
| plugin.kyverno.podSecurityContext | object | `{"runAsGroup":1234,"runAsUser":1234}` | Security context for the pod |
|
||||||
|
| plugin.kyverno.envVars | list | `[]` | Allow additional env variables to be added |
|
||||||
|
| plugin.kyverno.rbac.enabled | bool | `true` | Create RBAC resources |
|
||||||
|
| plugin.kyverno.securityContext.runAsUser | int | `1234` | |
|
||||||
|
| plugin.kyverno.securityContext.runAsNonRoot | bool | `true` | |
|
||||||
|
| plugin.kyverno.securityContext.privileged | bool | `false` | |
|
||||||
|
| plugin.kyverno.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||||
|
| plugin.kyverno.securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||||
|
| plugin.kyverno.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||||
|
| plugin.kyverno.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||||
|
| plugin.kyverno.service.type | string | `"ClusterIP"` | Service type. |
|
||||||
|
| plugin.kyverno.service.port | int | `8080` | Service port. |
|
||||||
|
| plugin.kyverno.service.annotations | object | `{}` | Service annotations. |
|
||||||
|
| plugin.kyverno.service.labels | object | `{}` | Service labels. |
|
||||||
|
| plugin.kyverno.ingress.enabled | bool | `false` | Create ingress resource. |
|
||||||
|
| plugin.kyverno.ingress.className | string | `""` | Ingress class name. |
|
||||||
|
| plugin.kyverno.ingress.labels | object | `{}` | Ingress labels. |
|
||||||
|
| plugin.kyverno.ingress.annotations | object | `{}` | Ingress annotations. |
|
||||||
|
| plugin.kyverno.ingress.hosts | list | `[]` | List of ingress host configurations. |
|
||||||
|
| plugin.kyverno.ingress.tls | list | `[]` | List of ingress TLS configurations. |
|
||||||
|
| plugin.kyverno.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
|
||||||
|
| plugin.kyverno.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
|
||||||
|
| plugin.kyverno.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
|
||||||
|
| plugin.kyverno.resources | object | `{}` | Resource constraints |
|
||||||
|
| plugin.kyverno.leaderElection.lockName | string | `"kyverno-plugin"` | Lock Name |
|
||||||
|
| plugin.kyverno.leaderElection.releaseOnCancel | bool | `true` | Released lock when the run context is cancelled. |
|
||||||
|
| plugin.kyverno.leaderElection.leaseDuration | int | `15` | LeaseDuration is the duration that non-leader candidates will wait to force acquire leadership. |
|
||||||
|
| plugin.kyverno.leaderElection.renewDeadline | int | `10` | RenewDeadline is the duration that the acting master will retry refreshing leadership before giving up. |
|
||||||
|
| plugin.kyverno.leaderElection.retryPeriod | int | `2` | RetryPeriod is the duration the LeaderElector clients should wait between tries of actions. |
|
||||||
|
| plugin.kyverno.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if `maxUnavailable` is set. |
|
||||||
|
| plugin.kyverno.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if `minAvailable` is set. |
|
||||||
|
| plugin.kyverno.nodeSelector | object | `{}` | Node labels for pod assignment |
|
||||||
|
| plugin.kyverno.tolerations | list | `[]` | List of node taints to tolerate |
|
||||||
|
| plugin.kyverno.affinity | object | `{}` | Affinity constraints. |
|
||||||
|
| plugin.trivy.enabled | bool | `false` | Enable Trivy Operator Plugin |
|
||||||
|
| plugin.trivy.image.registry | string | `"ghcr.io"` | Image registry |
|
||||||
|
| plugin.trivy.image.repository | string | `"kyverno/policy-reporter/trivy-plugin"` | Image repository |
|
||||||
|
| plugin.trivy.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
|
||||||
|
| plugin.trivy.image.tag | string | `"0.2.0"` | Image tag Defaults to `Chart.AppVersion` if omitted |
|
||||||
|
| plugin.trivy.replicaCount | int | `1` | Deployment replica count |
|
||||||
|
| plugin.trivy.logging.api | bool | `false` | Enables external API request logging |
|
||||||
|
| plugin.trivy.logging.server | bool | `false` | Enables Server access logging |
|
||||||
|
| plugin.trivy.logging.encoding | string | `"console"` | log encoding possible encodings are console and json |
|
||||||
|
| plugin.trivy.logging.logLevel | int | `0` | log level default info |
|
||||||
|
| plugin.trivy.server.port | int | `8080` | Application port |
|
||||||
|
| plugin.trivy.policyReporter.skipTLS | bool | `false` | Skip TLS Verification |
|
||||||
|
| plugin.trivy.policyReporter.certificate | string | `""` | TLS Certificate |
|
||||||
|
| plugin.trivy.policyReporter.secretRef | string | `""` | Secret to read the API configuration from supports `host`, `certificate`, `skipTLS`, `username`, `password` key |
|
||||||
|
| plugin.trivy.imagePullSecrets | list | `[]` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
|
||||||
|
| plugin.trivy.serviceAccount.create | bool | `true` | Create ServiceAccount |
|
||||||
|
| plugin.trivy.serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
|
||||||
|
| plugin.trivy.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
|
||||||
|
| plugin.trivy.serviceAccount.name | string | `""` | The ServiceAccount name |
|
||||||
|
| plugin.trivy.podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
||||||
|
| plugin.trivy.podLabels | object | `{}` | Additional labels to add to each pod |
|
||||||
|
| plugin.trivy.updateStrategy | object | `{}` | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
||||||
|
| plugin.trivy.revisionHistoryLimit | int | `10` | The number of revisions to keep |
|
||||||
|
| plugin.trivy.podSecurityContext | object | `{"runAsGroup":1234,"runAsUser":1234}` | Security context for the pod |
|
||||||
|
| plugin.trivy.envVars | list | `[]` | Allow additional env variables to be added |
|
||||||
|
| plugin.trivy.rbac.enabled | bool | `true` | Create RBAC resources |
|
||||||
|
| plugin.trivy.securityContext.runAsUser | int | `1234` | |
|
||||||
|
| plugin.trivy.securityContext.runAsNonRoot | bool | `true` | |
|
||||||
|
| plugin.trivy.securityContext.privileged | bool | `false` | |
|
||||||
|
| plugin.trivy.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||||
|
| plugin.trivy.securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||||
|
| plugin.trivy.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||||
|
| plugin.trivy.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||||
|
| plugin.trivy.service.type | string | `"ClusterIP"` | Service type. |
|
||||||
|
| plugin.trivy.service.port | int | `8080` | Service port. |
|
||||||
|
| plugin.trivy.service.annotations | object | `{}` | Service annotations. |
|
||||||
|
| plugin.trivy.service.labels | object | `{}` | Service labels. |
|
||||||
|
| plugin.trivy.ingress.enabled | bool | `false` | Create ingress resource. |
|
||||||
|
| plugin.trivy.ingress.className | string | `""` | Ingress class name. |
|
||||||
|
| plugin.trivy.ingress.labels | object | `{}` | Ingress labels. |
|
||||||
|
| plugin.trivy.ingress.annotations | object | `{}` | Ingress annotations. |
|
||||||
|
| plugin.trivy.ingress.hosts | list | `[]` | List of ingress host configurations. |
|
||||||
|
| plugin.trivy.ingress.tls | list | `[]` | List of ingress TLS configurations. |
|
||||||
|
| plugin.trivy.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
|
||||||
|
| plugin.trivy.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
|
||||||
|
| plugin.trivy.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
|
||||||
|
| plugin.trivy.resources | object | `{}` | Resource constraints |
|
||||||
|
| plugin.trivy.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if `maxUnavailable` is set. |
|
||||||
|
| plugin.trivy.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if `minAvailable` is set. |
|
||||||
|
| plugin.trivy.nodeSelector | object | `{}` | Node labels for pod assignment |
|
||||||
|
| plugin.trivy.tolerations | list | `[]` | List of node taints to tolerate |
|
||||||
|
| plugin.trivy.affinity | object | `{}` | Affinity constraints. |
|
||||||
|
| monitoring.enabled | bool | `false` | Enables the Prometheus Operator integration |
|
||||||
|
| monitoring.annotations | object | `{}` | Key/value pairs that are attached to all resources. |
|
||||||
|
| monitoring.serviceMonitor.honorLabels | bool | `false` | HonorLabels chooses the metrics labels on collisions with target labels |
|
||||||
|
| monitoring.serviceMonitor.namespace | string | `nil` | Allow to override the namespace for serviceMonitor |
|
||||||
|
| monitoring.serviceMonitor.labels | object | `{}` | Labels to match the serviceMonitorSelector of the Prometheus Resource |
|
||||||
|
| monitoring.serviceMonitor.relabelings | list | `[]` | ServiceMonitor Relabelings https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig |
|
||||||
|
| monitoring.serviceMonitor.metricRelabelings | list | `[]` | See serviceMonitor.relabelings |
|
||||||
|
| monitoring.serviceMonitor.namespaceSelector | optional | `{}` | NamespaceSelector |
|
||||||
|
| monitoring.serviceMonitor.scrapeTimeout | optional | `nil` | ScrapeTimeout |
|
||||||
|
| monitoring.serviceMonitor.interval | optional | `nil` | Scrape interval |
|
||||||
|
| monitoring.grafana.namespace | string | `nil` | Naamespace for configMap of grafana dashboards |
|
||||||
|
| monitoring.grafana.dashboards.enabled | bool | `true` | Enable the deployment of grafana dashboards |
|
||||||
|
| monitoring.grafana.dashboards.label | string | `"grafana_dashboard"` | Label to find dashboards using the k8s sidecar |
|
||||||
|
| monitoring.grafana.dashboards.value | string | `"1"` | Label value to find dashboards using the k8s sidecar |
|
||||||
|
| monitoring.grafana.dashboards.labelFilter | list | `[]` | List of custom label filter Used to add filter for report label based metric labels defined in custom mode |
|
||||||
|
| monitoring.grafana.dashboards.multicluster.enabled | bool | `false` | Enable cluster filter in all dashboards |
|
||||||
|
| monitoring.grafana.dashboards.multicluster.label | string | `"cluster"` | Metric Label which is used to filter clusters |
|
||||||
|
| monitoring.grafana.dashboards.enable.overview | bool | `true` | Enable the Overview Dashboard |
|
||||||
|
| monitoring.grafana.dashboards.enable.policyReportDetails | bool | `true` | Enable the PolicyReport Dashboard |
|
||||||
|
| monitoring.grafana.dashboards.enable.clusterPolicyReportDetails | bool | `true` | Enable the ClusterPolicyReport Dashboard |
|
||||||
|
| monitoring.grafana.folder.annotation | string | `"grafana_folder"` | Annotation to enable folder storage using the k8s sidecar |
|
||||||
|
| monitoring.grafana.folder.name | string | `"Policy Reporter"` | Grafana folder in which to store the dashboards |
|
||||||
|
| monitoring.grafana.datasource.label | string | `"Prometheus"` | Grafana Datasource Label |
|
||||||
|
| monitoring.grafana.datasource.pluginId | string | `"prometheus"` | Grafana Datasource PluginId |
|
||||||
|
| monitoring.grafana.datasource.pluginName | string | `"Prometheus"` | Grafana Datasource PluginName |
|
||||||
|
| monitoring.grafana.grafanaDashboard.enabled | bool | `false` | Create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ |
|
||||||
|
| monitoring.grafana.grafanaDashboard.folder | string | `"kyverno"` | Dashboard folder |
|
||||||
|
| monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport | bool | `true` | Allow cross Namespace import |
|
||||||
|
| monitoring.grafana.grafanaDashboard.matchLabels | object | `{"dashboards":"grafana"}` | Label match selector |
|
||||||
|
| monitoring.policyReportDetails.firstStatusRow.height | int | `8` | |
|
||||||
|
| monitoring.policyReportDetails.secondStatusRow.enabled | bool | `true` | |
|
||||||
|
| monitoring.policyReportDetails.secondStatusRow.height | int | `2` | |
|
||||||
|
| monitoring.policyReportDetails.statusTimeline.enabled | bool | `true` | |
|
||||||
|
| monitoring.policyReportDetails.statusTimeline.height | int | `8` | |
|
||||||
|
| monitoring.policyReportDetails.passTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.policyReportDetails.passTable.height | int | `8` | |
|
||||||
|
| monitoring.policyReportDetails.failTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.policyReportDetails.failTable.height | int | `8` | |
|
||||||
|
| monitoring.policyReportDetails.warningTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.policyReportDetails.warningTable.height | int | `4` | |
|
||||||
|
| monitoring.policyReportDetails.errorTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.policyReportDetails.errorTable.height | int | `4` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.statusRow.height | int | `6` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.statusTimeline.enabled | bool | `true` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.statusTimeline.height | int | `8` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.passTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.passTable.height | int | `8` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.failTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.failTable.height | int | `8` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.warningTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.warningTable.height | int | `4` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.errorTable.enabled | bool | `true` | |
|
||||||
|
| monitoring.clusterPolicyReportDetails.errorTable.height | int | `4` | |
|
||||||
|
| monitoring.policyReportOverview.failingSummaryRow.height | int | `8` | |
|
||||||
|
| monitoring.policyReportOverview.failingTimeline.height | int | `10` | |
|
||||||
|
| monitoring.policyReportOverview.failingPolicyRuleTable.height | int | `10` | |
|
||||||
|
| monitoring.policyReportOverview.failingClusterPolicyRuleTable.height | int | `10` | |
|
||||||
|
|
||||||
* [[Video] 37. #EveryoneCanContribute cafe: Policy reporter for Kyverno](https://youtu.be/1mKywg9f5Fw)
|
## Source Code
|
||||||
* [[Video] Rawkode Live: Hands on Policy Reporter](https://www.youtube.com/watch?v=ZrOtTELNLyg)
|
|
||||||
* [[Blog] Monitor Security and Best Practices with Kyverno and Policy Reporter](https://blog.webdev-jogeleit.de/blog/monitor-security-with-kyverno-and-policy-reporter/)
|
* <https://github.com/kyverno/policy-reporter>
|
||||||
|
|
||||||
|
## Maintainers
|
||||||
|
|
||||||
|
| Name | Email | Url |
|
||||||
|
| ---- | ------ | --- |
|
||||||
|
| Frank Jogeleit | | |
|
||||||
|
|
||||||
|
----------------------------------------------
|
||||||
|
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
|
||||||
|
|
50
charts/policy-reporter/README.md.gotmpl
Normal file
50
charts/policy-reporter/README.md.gotmpl
Normal file
|
@ -0,0 +1,50 @@
|
||||||
|
{{ template "chart.header" . }}
|
||||||
|
{{ template "chart.deprecationWarning" . }}
|
||||||
|
{{ template "chart.description" . }}
|
||||||
|
|
||||||
|
{{ template "chart.badgesSection" . }}
|
||||||
|
|
||||||
|
## Documentation
|
||||||
|
|
||||||
|
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter-docs).
|
||||||
|
|
||||||
|
## Installation with Helm v3
|
||||||
|
|
||||||
|
Installation via Helm Repository
|
||||||
|
|
||||||
|
### Add the Helm repository
|
||||||
|
```bash
|
||||||
|
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
|
||||||
|
helm repo update
|
||||||
|
```
|
||||||
|
|
||||||
|
### Basic Installation
|
||||||
|
|
||||||
|
The basic installation provides an Prometheus Metrics Endpoint and different REST APIs, for more details have a look at the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-getting-started).
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace
|
||||||
|
```
|
||||||
|
|
||||||
|
## Policy Reporter UI
|
||||||
|
|
||||||
|
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
|
||||||
|
|
||||||
|
### Installation with Policy Reporter UI and Kyverno Plugin enabled
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm install policy-reporter policy-reporter/policy-reporter --set plugin.kyverno.enabled=true --set ui.enabled=true -n policy-reporter --create-namespace
|
||||||
|
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
|
||||||
|
```
|
||||||
|
Open `http://localhost:8082/` in your browser.
|
||||||
|
|
||||||
|
|
||||||
|
{{ template "chart.valuesSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.sourcesSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.requirementsSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.maintainersSection" . }}
|
||||||
|
|
||||||
|
{{ template "helm-docs.versionFooter" . }}
|
|
@ -1,7 +0,0 @@
|
||||||
apiVersion: v2
|
|
||||||
name: kyvernoPlugin
|
|
||||||
description: Policy Reporter Kyverno Plugin
|
|
||||||
|
|
||||||
type: application
|
|
||||||
version: 1.6.5
|
|
||||||
appVersion: 1.6.3
|
|
|
@ -1,21 +0,0 @@
|
||||||
blockReports:
|
|
||||||
{{- toYaml .Values.blockReports | nindent 2 }}
|
|
||||||
|
|
||||||
leaderElection:
|
|
||||||
enabled: {{ or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
|
|
||||||
releaseOnCancel: {{ .Values.leaderElection.releaseOnCancel }}
|
|
||||||
leaseDuration: {{ .Values.leaderElection.leaseDuration }}
|
|
||||||
renewDeadline: {{ .Values.leaderElection.renewDeadline }}
|
|
||||||
retryPeriod: {{ .Values.leaderElection.retryPeriod }}
|
|
||||||
|
|
||||||
logging:
|
|
||||||
encoding: {{ .Values.logging.encoding }}
|
|
||||||
logLevel: {{ include "kyvernoplugin.logLevel" . }}
|
|
||||||
development: {{ .Values.logging.development }}
|
|
||||||
|
|
||||||
api:
|
|
||||||
logging: {{ .Values.api.logging }}
|
|
||||||
basicAuth:
|
|
||||||
username: {{ .Values.global.basicAuth.username }}
|
|
||||||
password: {{ .Values.global.basicAuth.password }}
|
|
||||||
secretRef: {{ .Values.global.basicAuth.secretRef }}
|
|
|
@ -1,105 +0,0 @@
|
||||||
{{/*
|
|
||||||
Create a default fully qualified app name.
|
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
|
||||||
If release name contains chart name it will be used as a full name.
|
|
||||||
*/}}
|
|
||||||
{{- define "kyvernoplugin.fullname" -}}
|
|
||||||
{{- $name := "kyverno-plugin" }}
|
|
||||||
{{- if .Values.global.fullnameOverride }}
|
|
||||||
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else if contains $name .Release.Name }}
|
|
||||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else }}
|
|
||||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "kyvernoplugin.name" -}}
|
|
||||||
{{- "kyverno-plugin" }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create chart name and version as used by the chart label.
|
|
||||||
*/}}
|
|
||||||
{{- define "kyvernoplugin.chart" -}}
|
|
||||||
{{- printf "kyverno-plugin-%s" .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Common labels
|
|
||||||
*/}}
|
|
||||||
{{- define "kyvernoplugin.labels" -}}
|
|
||||||
helm.sh/chart: {{ include "kyvernoplugin.chart" . }}
|
|
||||||
{{ include "kyvernoplugin.selectorLabels" . }}
|
|
||||||
{{- if .Chart.AppVersion }}
|
|
||||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|
||||||
{{- end }}
|
|
||||||
app.kubernetes.io/component: plugin
|
|
||||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
||||||
app.kubernetes.io/part-of: policy-reporter
|
|
||||||
{{- with .Values.global.labels }}
|
|
||||||
{{ toYaml . }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Selector labels
|
|
||||||
*/}}
|
|
||||||
{{- define "kyvernoplugin.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: {{ include "kyvernoplugin.name" . }}
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Pod labels
|
|
||||||
*/}}
|
|
||||||
{{- define "kyvernoplugin.podLabels" -}}
|
|
||||||
helm.sh/chart: {{ include "kyvernoplugin.chart" . }}
|
|
||||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|
||||||
app.kubernetes.io/part-of: policy-reporter
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create the name of the service account to use
|
|
||||||
*/}}
|
|
||||||
{{- define "kyvernoplugin.serviceAccountName" -}}
|
|
||||||
{{- if .Values.serviceAccount.create }}
|
|
||||||
{{- default (include "kyvernoplugin.fullname" .) .Values.serviceAccount.name }}
|
|
||||||
{{- else }}
|
|
||||||
{{- default "default" .Values.serviceAccount.name }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Selector labels
|
|
||||||
*/}}
|
|
||||||
{{- define "ui.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: ui
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "kyvernoplugin.securityContext" -}}
|
|
||||||
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
|
|
||||||
{{ toYaml (omit .Values.securityContext "seccompProfile") }}
|
|
||||||
{{- else }}
|
|
||||||
{{ toYaml .Values.securityContext }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/* Get the namespace name. */}}
|
|
||||||
{{- define "kyvernoplugin.namespace" -}}
|
|
||||||
{{- if .Values.global.namespace -}}
|
|
||||||
{{- .Values.global.namespace -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Release.Namespace -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* Get the namespace name. */}}
|
|
||||||
{{- define "kyvernoplugin.logLevel" -}}
|
|
||||||
{{- if .Values.api.logging -}}
|
|
||||||
-1
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.logging.logLevel -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
|
@ -1,20 +0,0 @@
|
||||||
{{- if and .Values.serviceAccount.create .Values.rbac.enabled -}}
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
subjects:
|
|
||||||
- kind: "ServiceAccount"
|
|
||||||
name: {{ include "kyvernoplugin.serviceAccountName" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
{{- end -}}
|
|
|
@ -1,14 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}-config
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
config.yaml: {{ tpl (.Files.Get "config.yaml") . | b64enc }}
|
|
|
@ -1,129 +0,0 @@
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.replicaCount }}
|
|
||||||
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
|
|
||||||
{{- if .Values.deploymentStrategy }}
|
|
||||||
strategy:
|
|
||||||
{{- toYaml .Values.deploymentStrategy | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "kyvernoplugin.selectorLabels" . | nindent 6 }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.selectorLabels" . | nindent 8 }}
|
|
||||||
{{- include "kyvernoplugin.podLabels" . | nindent 8 }}
|
|
||||||
{{- with .Values.podLabels }}
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.global.labels }}
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
annotations:
|
|
||||||
checksum/secret: {{ include (print .Template.BasePath "/config-secret.yaml") . | sha256sum | quote }}
|
|
||||||
{{- with .Values.annotations }}
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.podAnnotations }}
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- with .Values.priorityClassName }}
|
|
||||||
priorityClassName: {{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.podSecurityContext }}
|
|
||||||
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
serviceAccountName: {{ include "kyvernoplugin.serviceAccountName" . }}
|
|
||||||
automountServiceAccountToken: true
|
|
||||||
containers:
|
|
||||||
- name: "kyverno-plugin"
|
|
||||||
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
||||||
{{- if .Values.securityContext }}
|
|
||||||
securityContext: {{ include "kyvernoplugin.securityContext" . | nindent 12 }}
|
|
||||||
{{- end }}
|
|
||||||
args:
|
|
||||||
- --port={{ .Values.port.number }}
|
|
||||||
- --metrics-enabled={{ .Values.metrics.enabled }}
|
|
||||||
- --rest-enabled={{ .Values.rest.enabled }}
|
|
||||||
- --lease-name={{ include "kyvernoplugin.fullname" . }}
|
|
||||||
ports:
|
|
||||||
- name: {{ .Values.port.name }}
|
|
||||||
containerPort: {{ .Values.port.number }}
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
{{- toYaml .Values.livenessProbe | nindent 12 }}
|
|
||||||
readinessProbe:
|
|
||||||
{{- toYaml .Values.readinessProbe | nindent 12 }}
|
|
||||||
resources:
|
|
||||||
{{- toYaml .Values.resources | nindent 12 }}
|
|
||||||
volumeMounts:
|
|
||||||
- name: config-file
|
|
||||||
mountPath: /app/config.yaml
|
|
||||||
subPath: config.yaml
|
|
||||||
readOnly: true
|
|
||||||
env:
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
{{- if or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.global.basicAuth.secretRef }}
|
|
||||||
- name: API_AUTH_USERNAME
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ .Values.global.basicAuth.secretRef }}
|
|
||||||
key: username
|
|
||||||
optional: false
|
|
||||||
- name: API_AUTH_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: {{ .Values.global.basicAuth.secretRef }}
|
|
||||||
key: password
|
|
||||||
optional: false
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.envVars }}
|
|
||||||
{{- . | toYaml | trim | nindent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: config-file
|
|
||||||
secret:
|
|
||||||
secretName: {{ include "kyvernoplugin.fullname" . }}-config
|
|
||||||
optional: true
|
|
||||||
{{- with .Values.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.topologySpreadConstraints }}
|
|
||||||
topologySpreadConstraints:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
|
@ -1,61 +0,0 @@
|
||||||
{{- if .Values.ingress.enabled -}}
|
|
||||||
{{- $fullName := include "kyvernoplugin.fullname" . -}}
|
|
||||||
{{- $svcPort := .Values.service.port -}}
|
|
||||||
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
|
|
||||||
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
|
|
||||||
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
|
||||||
apiVersion: networking.k8s.io/v1beta1
|
|
||||||
{{- else -}}
|
|
||||||
apiVersion: extensions/v1beta1
|
|
||||||
{{- end }}
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: {{ $fullName }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
{{- if or .Values.annotations .Values.ingress.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- with .Values.ingress.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.annotations }}
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
|
|
||||||
ingressClassName: {{ .Values.ingress.className }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.ingress.tls }}
|
|
||||||
tls:
|
|
||||||
{{- toYaml .Values.ingress.tls | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
rules:
|
|
||||||
{{- range .Values.ingress.hosts }}
|
|
||||||
- host: {{ .host | quote }}
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
{{- range .paths }}
|
|
||||||
- path: {{ .path }}
|
|
||||||
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
|
|
||||||
pathType: {{ .pathType }}
|
|
||||||
{{- end }}
|
|
||||||
backend:
|
|
||||||
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
|
|
||||||
service:
|
|
||||||
name: {{ $fullName }}
|
|
||||||
port:
|
|
||||||
number: {{ $svcPort }}
|
|
||||||
{{- else }}
|
|
||||||
serviceName: {{ $fullName }}
|
|
||||||
servicePort: {{ $svcPort }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -1,33 +0,0 @@
|
||||||
{{- if .Values.networkPolicy.enabled }}
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
labels: {{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
spec:
|
|
||||||
podSelector:
|
|
||||||
matchLabels: {{- include "kyvernoplugin.selectorLabels" . | nindent 6 }}
|
|
||||||
policyTypes:
|
|
||||||
- Ingress
|
|
||||||
- Egress
|
|
||||||
ingress:
|
|
||||||
- from:
|
|
||||||
- podSelector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "ui.selectorLabels" . | nindent 10 }}
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 8080
|
|
||||||
{{- with .Values.networkPolicy.ingress }}
|
|
||||||
{{- toYaml . | nindent 2 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.networkPolicy.egress }}
|
|
||||||
egress:
|
|
||||||
{{- toYaml . | nindent 2 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -1,22 +0,0 @@
|
||||||
{{- if (gt (int .Values.replicaCount) 1) }}
|
|
||||||
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
|
|
||||||
apiVersion: policy/v1
|
|
||||||
{{- else }}
|
|
||||||
apiVersion: policy/v1beta1
|
|
||||||
{{- end }}
|
|
||||||
kind: PodDisruptionBudget
|
|
||||||
metadata:
|
|
||||||
name: {{ template "kyvernoplugin.fullname" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- include "policyreporter.podDisruptionBudget" . | indent 2 }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "kyvernoplugin.selectorLabels" . | nindent 6 }}
|
|
||||||
{{- end }}
|
|
|
@ -1,24 +0,0 @@
|
||||||
{{- if and (and .Values.serviceAccount.create .Values.rbac.enabled) (and .Values.blockReports.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1))) -}}
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}-leaderelection
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- coordination.k8s.io
|
|
||||||
resources:
|
|
||||||
- leases
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- get
|
|
||||||
- patch
|
|
||||||
- update
|
|
||||||
{{- end -}}
|
|
|
@ -1,21 +0,0 @@
|
||||||
{{- if and (and .Values.serviceAccount.create .Values.rbac.enabled) (and .Values.blockReports.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1))) -}}
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}-leaderelection
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}-leaderelection
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
subjects:
|
|
||||||
- kind: "ServiceAccount"
|
|
||||||
name: {{ include "kyvernoplugin.serviceAccountName" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
{{- end -}}
|
|
|
@ -1,19 +0,0 @@
|
||||||
{{- if and .Values.serviceAccount.create .Values.rbac.enabled -}}
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}-secret-reader
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
rules:
|
|
||||||
- apiGroups: ['']
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
{{- end -}}
|
|
|
@ -1,21 +0,0 @@
|
||||||
{{- if and .Values.serviceAccount.create .Values.rbac.enabled -}}
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}-secret-reader
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}-secret-reader
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
subjects:
|
|
||||||
- kind: "ServiceAccount"
|
|
||||||
name: {{ include "kyvernoplugin.serviceAccountName" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
{{- end -}}
|
|
|
@ -1,30 +0,0 @@
|
||||||
{{- if .Values.service.enabled -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
{{- with .Values.service.labels }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if or .Values.annotations .Values.service.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- with .Values.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.service.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
type: {{ .Values.service.type }}
|
|
||||||
ports:
|
|
||||||
- port: {{ .Values.service.port }}
|
|
||||||
targetPort: {{ .Values.port.name }}
|
|
||||||
protocol: TCP
|
|
||||||
name: rest
|
|
||||||
selector:
|
|
||||||
{{- include "kyvernoplugin.selectorLabels" . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
|
@ -1,18 +0,0 @@
|
||||||
{{- if .Values.serviceAccount.create -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kyvernoplugin.serviceAccountName" . }}
|
|
||||||
namespace: {{ include "kyvernoplugin.namespace" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
|
||||||
{{- if or .Values.annotations .Values.serviceAccount.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- with .Values.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.serviceAccount.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -1,211 +0,0 @@
|
||||||
image:
|
|
||||||
registry: ghcr.io
|
|
||||||
repository: kyverno/policy-reporter-kyverno-plugin
|
|
||||||
pullPolicy: IfNotPresent
|
|
||||||
tag: 1.6.3
|
|
||||||
|
|
||||||
imagePullSecrets: []
|
|
||||||
|
|
||||||
priorityClassName: ""
|
|
||||||
|
|
||||||
replicaCount: 1
|
|
||||||
|
|
||||||
revisionHistoryLimit: 10
|
|
||||||
|
|
||||||
deploymentStrategy: {}
|
|
||||||
# rollingUpdate:
|
|
||||||
# maxSurge: 25%
|
|
||||||
# maxUnavailable: 25%
|
|
||||||
# type: RollingUpdate
|
|
||||||
|
|
||||||
# When using a custom port together with the PolicyReporter UI
|
|
||||||
# the port has also to be changed in the UI subchart as well because it can't access values of other subcharts.
|
|
||||||
# You can change the port under `ui.kyvernoPlugin.port`
|
|
||||||
port:
|
|
||||||
name: rest
|
|
||||||
number: 8080
|
|
||||||
|
|
||||||
# Key/value pairs that are attached to all resources.
|
|
||||||
annotations: {}
|
|
||||||
|
|
||||||
# Create cluster role policies
|
|
||||||
rbac:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
serviceAccount:
|
|
||||||
# Specifies whether a service account should be created
|
|
||||||
create: true
|
|
||||||
# Annotations to add to the service account
|
|
||||||
annotations: {}
|
|
||||||
# The name of the service account to use.
|
|
||||||
# If not set and create is true, a name is generated using the fullname template
|
|
||||||
name: ""
|
|
||||||
|
|
||||||
service:
|
|
||||||
enabled: true
|
|
||||||
## configuration of service
|
|
||||||
# key/value
|
|
||||||
annotations: {}
|
|
||||||
# key/value
|
|
||||||
labels: {}
|
|
||||||
port: 8080
|
|
||||||
type: ClusterIP
|
|
||||||
|
|
||||||
## Set to true to enable ingress record generation
|
|
||||||
# ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/
|
|
||||||
ingress:
|
|
||||||
enabled: false
|
|
||||||
className: ""
|
|
||||||
# key/value
|
|
||||||
labels: {}
|
|
||||||
# key/value
|
|
||||||
annotations: {}
|
|
||||||
# kubernetes.io/ingress.class: nginx
|
|
||||||
# kubernetes.io/tls-acme: "true"
|
|
||||||
hosts:
|
|
||||||
- host: chart-example.local
|
|
||||||
paths: []
|
|
||||||
tls: []
|
|
||||||
# - secretName: chart-example-tls
|
|
||||||
# hosts:
|
|
||||||
# - chart-example.local
|
|
||||||
podSecurityContext:
|
|
||||||
runAsUser: 1234
|
|
||||||
runAsGroup: 1234
|
|
||||||
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 1234
|
|
||||||
runAsNonRoot: true
|
|
||||||
privileged: false
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
capabilities:
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
|
|
||||||
# Key/value pairs that are attached to pods.
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
# Key/value pairs that are attached to pods.
|
|
||||||
podLabels: {}
|
|
||||||
|
|
||||||
# Allow additional env variables to be added
|
|
||||||
envVars: []
|
|
||||||
|
|
||||||
resources: {}
|
|
||||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
||||||
# choice for the user. This also increases chances charts run on environments with little
|
|
||||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
||||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
||||||
# limits:
|
|
||||||
# memory: 30Mi
|
|
||||||
# cpu: 10m
|
|
||||||
# requests:
|
|
||||||
# memory: 20Mi
|
|
||||||
# cpu: 5m
|
|
||||||
|
|
||||||
# Node labels for pod assignment
|
|
||||||
# ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
||||||
nodeSelector: {}
|
|
||||||
|
|
||||||
# Tolerations for pod assignment
|
|
||||||
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
# Anti-affinity to disallow deploying client and master nodes on the same worker node
|
|
||||||
affinity: {}
|
|
||||||
|
|
||||||
# Topology Spread Constraints to better spread pods
|
|
||||||
topologySpreadConstraints: []
|
|
||||||
|
|
||||||
# livenessProbe for policy-reporter-kyverno-plugin
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /healthz
|
|
||||||
port: rest
|
|
||||||
|
|
||||||
# readinessProbe for policy-reporter-kyverno-plugin
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /ready
|
|
||||||
port: rest
|
|
||||||
|
|
||||||
# REST API
|
|
||||||
rest:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
# Prometheus Metrics API
|
|
||||||
metrics:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
logging:
|
|
||||||
encoding: console # possible encodings are console and json
|
|
||||||
logLevel: 0 # default info
|
|
||||||
development: false # more human readable structure, enables stacktraces and removes log sampling
|
|
||||||
|
|
||||||
api:
|
|
||||||
logging: false # enable debug API access logging, sets logLevel to debug
|
|
||||||
|
|
||||||
# create PolicyReports for enforce policies,
|
|
||||||
# based on Events created by Kyverno (>= v1.7.0)
|
|
||||||
blockReports:
|
|
||||||
enabled: false
|
|
||||||
eventNamespace: default
|
|
||||||
results:
|
|
||||||
maxPerReport: 200
|
|
||||||
keepOnlyLatest: false
|
|
||||||
|
|
||||||
# required if policy-reporter-kyverno-plugin should run in HA mode and the "blockReports" feature is enabled
|
|
||||||
# if "blockReports" is disabled, leaderElection is also disabled automatically
|
|
||||||
# will be enabled when replicaCount > 1
|
|
||||||
leaderElection:
|
|
||||||
enabled: false
|
|
||||||
releaseOnCancel: true
|
|
||||||
leaseDuration: 15
|
|
||||||
renewDeadline: 10
|
|
||||||
retryPeriod: 2
|
|
||||||
|
|
||||||
# enabled if replicaCount > 1
|
|
||||||
podDisruptionBudget:
|
|
||||||
# -- Configures the minimum available pods for kyvernoPlugin disruptions.
|
|
||||||
# Cannot be used if `maxUnavailable` is set.
|
|
||||||
minAvailable: 1
|
|
||||||
# -- Configures the maximum unavailable pods for kyvernoPlugin disruptions.
|
|
||||||
# Cannot be used if `minAvailable` is set.
|
|
||||||
maxUnavailable:
|
|
||||||
|
|
||||||
# Enable a NetworkPolicy for this chart. Useful on clusters where Network Policies are
|
|
||||||
# used and configured in a default-deny fashion.
|
|
||||||
networkPolicy:
|
|
||||||
enabled: false
|
|
||||||
# Kubernetes API Server
|
|
||||||
egress:
|
|
||||||
- to:
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 6443
|
|
||||||
ingress: []
|
|
||||||
|
|
||||||
# Should be set in the parent chart only
|
|
||||||
global:
|
|
||||||
# available plugins
|
|
||||||
plugins:
|
|
||||||
# enable kyverno for Policy Reporter UI and monitoring
|
|
||||||
kyverno: false
|
|
||||||
# overwrite the fullname of all resources including subcharts
|
|
||||||
fullnameOverride: ""
|
|
||||||
# configure the namespace of all resources including subcharts
|
|
||||||
namespace: ""
|
|
||||||
# additional labels added on each resource
|
|
||||||
labels: {}
|
|
||||||
# basicAuth for APIs and metrics
|
|
||||||
basicAuth:
|
|
||||||
# HTTP BasicAuth username
|
|
||||||
username: ""
|
|
||||||
# HTTP BasicAuth password
|
|
||||||
password: ""
|
|
||||||
# read credentials from secret
|
|
||||||
secretRef: ""
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
apiVersion: v2
|
|
||||||
name: monitoring
|
|
||||||
description: Policy Reporter Monitoring with predefined ServiceMonitor and Grafana Dashboards
|
|
||||||
|
|
||||||
type: application
|
|
||||||
version: 2.8.2
|
|
||||||
appVersion: 0.0.0
|
|
|
@ -1,85 +0,0 @@
|
||||||
{{/*
|
|
||||||
Create a default fully qualified app name.
|
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
|
||||||
If release name contains chart name it will be used as a full name.
|
|
||||||
*/}}
|
|
||||||
{{- define "monitoring.fullname" -}}
|
|
||||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
|
||||||
{{- if .Values.global.fullnameOverride }}
|
|
||||||
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else if contains $name .Release.Name }}
|
|
||||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else }}
|
|
||||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create chart name and version as used by the chart label.
|
|
||||||
*/}}
|
|
||||||
{{- define "monitoring.chart" -}}
|
|
||||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Common labels
|
|
||||||
*/}}
|
|
||||||
{{- define "monitoring.labels" -}}
|
|
||||||
helm.sh/chart: {{ include "monitoring.chart" . }}
|
|
||||||
{{ include "monitoring.selectorLabels" . }}
|
|
||||||
{{- if .Chart.AppVersion }}
|
|
||||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|
||||||
{{- end }}
|
|
||||||
app.kubernetes.io/component: monitoring
|
|
||||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
||||||
app.kubernetes.io/part-of: kyverno
|
|
||||||
{{- with .Values.global.labels }}
|
|
||||||
{{ toYaml . }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Selector labels
|
|
||||||
*/}}
|
|
||||||
{{- define "monitoring.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: {{ include "monitoring.name" . }}
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "monitoring.name" -}}
|
|
||||||
{{- "monitoring" }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "monitoring.namespace" -}}
|
|
||||||
{{- if .Values.grafana.namespace -}}
|
|
||||||
{{- .Values.grafana.namespace -}}
|
|
||||||
{{- else if .Values.global.namespace -}}
|
|
||||||
{{- .Values.global.namespace -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Release.Namespace -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "kyvernoplugin.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: kyverno-plugin
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/* Get the namespace name. */}}
|
|
||||||
{{- define "monitoring.smNamespace" -}}
|
|
||||||
{{- if .Values.serviceMonitor.namespace -}}
|
|
||||||
{{- .Values.serviceMonitor.namespace -}}
|
|
||||||
{{- else if .Values.global.namespace -}}
|
|
||||||
{{- .Values.global.namespace -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Release.Namespace -}}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Policy Reporter Selector labels
|
|
||||||
*/}}
|
|
||||||
{{- define "policyreporter.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: policy-reporter
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
|
@ -1,17 +0,0 @@
|
||||||
{{- if and .Values.global.basicAuth.username .Values.global.basicAuth.password }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ include "monitoring.fullname" . }}-auth
|
|
||||||
namespace: {{ include "monitoring.smNamespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
username: {{ .Values.global.basicAuth.username | b64enc }}
|
|
||||||
password: {{ .Values.global.basicAuth.password | b64enc }}
|
|
||||||
{{- end }}
|
|
|
@ -1,20 +0,0 @@
|
||||||
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.clusterPolicyReportDetails $.Values.grafana.grafanaDashboard.enabled }}
|
|
||||||
---
|
|
||||||
apiVersion: grafana.integreatly.org/v1beta1
|
|
||||||
kind: GrafanaDashboard
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
|
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
|
||||||
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
|
|
||||||
namespace: {{ include "monitoring.namespace" . }}
|
|
||||||
spec:
|
|
||||||
allowCrossNamespaceImport: {{ $.Values.grafana.grafanaDashboard.allowCrossNamespaceImport }}
|
|
||||||
folder: {{ $.Values.grafana.grafanaDashboard.folder }}
|
|
||||||
instanceSelector:
|
|
||||||
matchLabels:
|
|
||||||
{{- toYaml $.Values.grafana.grafanaDashboard.matchLabels | nindent 6 }}
|
|
||||||
configMapRef:
|
|
||||||
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
|
|
||||||
key: cluster-policy-reporter-details-dashboard.json
|
|
||||||
{{- end }}
|
|
|
@ -1,63 +0,0 @@
|
||||||
{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno -}}
|
|
||||||
apiVersion: monitoring.coreos.com/v1
|
|
||||||
kind: ServiceMonitor
|
|
||||||
metadata:
|
|
||||||
name: {{ include "monitoring.fullname" . }}-kyverno-plugin
|
|
||||||
namespace: {{ include "monitoring.smNamespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- with .Values.serviceMonitor.labels }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "kyvernoplugin.selectorLabels" . | nindent 8 }}
|
|
||||||
{{- with .Values.kyverno.serviceMonitor.namespaceSelector }}
|
|
||||||
namespaceSelector:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
endpoints:
|
|
||||||
- port: rest
|
|
||||||
{{- if and .Values.global.basicAuth.username .Values.global.basicAuth.password }}
|
|
||||||
basicAuth:
|
|
||||||
password:
|
|
||||||
name: {{ include "monitoring.fullname" . }}-auth
|
|
||||||
key: password
|
|
||||||
username:
|
|
||||||
name: {{ include "monitoring.fullname" . }}-auth
|
|
||||||
key: username
|
|
||||||
{{- else if .Values.global.basicAuth.secretRef }}
|
|
||||||
basicAuth:
|
|
||||||
password:
|
|
||||||
name: {{ .Values.global.basicAuth.secretRef }}
|
|
||||||
key: password
|
|
||||||
username:
|
|
||||||
name: {{ .Values.global.basicAuth.secretRef }}
|
|
||||||
key: username
|
|
||||||
{{- end }}
|
|
||||||
honorLabels: {{ .Values.kyverno.serviceMonitor.honorLabels }}
|
|
||||||
{{- if .Values.kyverno.serviceMonitor.scrapeTimeout }}
|
|
||||||
scrapeTimeout: {{ .Values.kyverno.serviceMonitor.scrapeTimeout }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.kyverno.serviceMonitor.interval }}
|
|
||||||
interval: {{ .Values.kyverno.serviceMonitor.interval }}
|
|
||||||
{{- end }}
|
|
||||||
relabelings:
|
|
||||||
- action: labeldrop
|
|
||||||
regex: pod|service|container
|
|
||||||
- targetLabel: instance
|
|
||||||
replacement: policy-reporter
|
|
||||||
action: replace
|
|
||||||
{{- with .Values.kyverno.serviceMonitor.relabelings }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.kyverno.serviceMonitor.metricRelabelings }}
|
|
||||||
metricRelabelings:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -1,20 +0,0 @@
|
||||||
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.overview $.Values.grafana.grafanaDashboard.enabled }}
|
|
||||||
---
|
|
||||||
apiVersion: grafana.integreatly.org/v1beta1
|
|
||||||
kind: GrafanaDashboard
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
|
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
|
||||||
name: {{ include "monitoring.fullname" . }}-overview-dashboard
|
|
||||||
namespace: {{ include "monitoring.namespace" . }}
|
|
||||||
spec:
|
|
||||||
allowCrossNamespaceImport: {{ $.Values.grafana.grafanaDashboard.allowCrossNamespaceImport }}
|
|
||||||
folder: {{ $.Values.grafana.grafanaDashboard.folder }}
|
|
||||||
instanceSelector:
|
|
||||||
matchLabels:
|
|
||||||
{{- toYaml $.Values.grafana.grafanaDashboard.matchLabels | nindent 6 }}
|
|
||||||
configMapRef:
|
|
||||||
name: {{ include "monitoring.fullname" . }}-overview-dashboard
|
|
||||||
key: policy-reporter-dashboard.json
|
|
||||||
{{- end }}
|
|
|
@ -1,20 +0,0 @@
|
||||||
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.policyReportDetails $.Values.grafana.grafanaDashboard.enabled }}
|
|
||||||
---
|
|
||||||
apiVersion: grafana.integreatly.org/v1beta1
|
|
||||||
kind: GrafanaDashboard
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
|
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
|
||||||
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
|
|
||||||
namespace: {{ include "monitoring.namespace" . }}
|
|
||||||
spec:
|
|
||||||
allowCrossNamespaceImport: {{ $.Values.grafana.grafanaDashboard.allowCrossNamespaceImport }}
|
|
||||||
folder: {{ $.Values.grafana.grafanaDashboard.folder }}
|
|
||||||
instanceSelector:
|
|
||||||
matchLabels:
|
|
||||||
{{- toYaml $.Values.grafana.grafanaDashboard.matchLabels | nindent 6 }}
|
|
||||||
configMapRef:
|
|
||||||
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
|
|
||||||
key: policy-reporter-details-dashboard.json
|
|
||||||
{{- end }}
|
|
|
@ -1,150 +0,0 @@
|
||||||
# Override the chart name used for all resources
|
|
||||||
nameOverride: ""
|
|
||||||
|
|
||||||
plugins:
|
|
||||||
kyverno: false
|
|
||||||
|
|
||||||
# Key/value pairs that are attached to all resources.
|
|
||||||
annotations: {}
|
|
||||||
|
|
||||||
serviceMonitor:
|
|
||||||
# HonorLabels chooses the metrics labels on collisions with target labels
|
|
||||||
honorLabels: false
|
|
||||||
# allow to override the namespace for serviceMonitor
|
|
||||||
namespace:
|
|
||||||
# labels to match the serviceMonitorSelector of the Prometheus Resource
|
|
||||||
labels: {}
|
|
||||||
# https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
|
|
||||||
relabelings: []
|
|
||||||
# see serviceMonitor.relabelings
|
|
||||||
metricRelabelings: []
|
|
||||||
# optional namespaceSelector
|
|
||||||
namespaceSelector: {}
|
|
||||||
# optional scrapeTimeout
|
|
||||||
scrapeTimeout:
|
|
||||||
# optional scrape interval
|
|
||||||
interval:
|
|
||||||
|
|
||||||
kyverno:
|
|
||||||
serviceMonitor:
|
|
||||||
# HonorLabels chooses the metrics labels on collisions with target labels
|
|
||||||
honorLabels: false
|
|
||||||
# see serviceMonitor.relabelings
|
|
||||||
relabelings: []
|
|
||||||
# see serviceMonitor.relabelings
|
|
||||||
metricRelabelings: []
|
|
||||||
# optional namespaceSelector
|
|
||||||
namespaceSelector: {}
|
|
||||||
# optional scrapeTimeout
|
|
||||||
scrapeTimeout:
|
|
||||||
# optional scrape interval
|
|
||||||
interval:
|
|
||||||
|
|
||||||
grafana:
|
|
||||||
# namespace for configMap of grafana dashboards
|
|
||||||
namespace:
|
|
||||||
dashboards:
|
|
||||||
# Enable the deployment of grafana dashboards
|
|
||||||
enabled: true
|
|
||||||
# Label to find dashboards using the k8s sidecar
|
|
||||||
label: grafana_dashboard
|
|
||||||
value: "1"
|
|
||||||
labelFilter: []
|
|
||||||
multicluster:
|
|
||||||
enabled: false
|
|
||||||
label: cluster
|
|
||||||
enable:
|
|
||||||
overview: true
|
|
||||||
policyReportDetails: true
|
|
||||||
clusterPolicyReportDetails: true
|
|
||||||
folder:
|
|
||||||
# Annotation to enable folder storage using the k8s sidecar
|
|
||||||
annotation: grafana_folder
|
|
||||||
# Grafana folder in which to store the dashboards
|
|
||||||
name: Policy Reporter
|
|
||||||
datasource:
|
|
||||||
label: Prometheus
|
|
||||||
pluginId: prometheus
|
|
||||||
pluginName: Prometheus
|
|
||||||
|
|
||||||
# -- create GrafanaDashboard custom resource referencing to the configMap.
|
|
||||||
# according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
|
|
||||||
grafanaDashboard:
|
|
||||||
enabled: false
|
|
||||||
folder: kyverno
|
|
||||||
allowCrossNamespaceImport: true
|
|
||||||
matchLabels:
|
|
||||||
dashboards: "grafana"
|
|
||||||
|
|
||||||
|
|
||||||
policyReportDetails:
|
|
||||||
firstStatusRow:
|
|
||||||
height: 8
|
|
||||||
secondStatusRow:
|
|
||||||
enabled: true
|
|
||||||
height: 2
|
|
||||||
statusTimeline:
|
|
||||||
enabled: true
|
|
||||||
height: 8
|
|
||||||
passTable:
|
|
||||||
enabled: true
|
|
||||||
height: 8
|
|
||||||
failTable:
|
|
||||||
enabled: true
|
|
||||||
height: 8
|
|
||||||
warningTable:
|
|
||||||
enabled: true
|
|
||||||
height: 4
|
|
||||||
errorTable:
|
|
||||||
enabled: true
|
|
||||||
height: 4
|
|
||||||
|
|
||||||
clusterPolicyReportDetails:
|
|
||||||
statusRow:
|
|
||||||
height: 6
|
|
||||||
statusTimeline:
|
|
||||||
enabled: true
|
|
||||||
height: 8
|
|
||||||
passTable:
|
|
||||||
enabled: true
|
|
||||||
height: 8
|
|
||||||
failTable:
|
|
||||||
enabled: true
|
|
||||||
height: 8
|
|
||||||
warningTable:
|
|
||||||
enabled: true
|
|
||||||
height: 4
|
|
||||||
errorTable:
|
|
||||||
enabled: true
|
|
||||||
height: 4
|
|
||||||
|
|
||||||
policyReportOverview:
|
|
||||||
failingSummaryRow:
|
|
||||||
height: 8
|
|
||||||
failingTimeline:
|
|
||||||
height: 10
|
|
||||||
failingPolicyRuleTable:
|
|
||||||
height: 10
|
|
||||||
failingClusterPolicyRuleTable:
|
|
||||||
height: 10
|
|
||||||
|
|
||||||
# Should be set in the parent chart only
|
|
||||||
global:
|
|
||||||
# available plugins
|
|
||||||
plugins:
|
|
||||||
# enable kyverno for Policy Reporter UI and monitoring
|
|
||||||
kyverno: false
|
|
||||||
# overwrite the fullname of all resources including subcharts
|
|
||||||
fullnameOverride: ""
|
|
||||||
# configure the namespace of all resources including subcharts
|
|
||||||
namespace: ""
|
|
||||||
# additional labels added on each resource
|
|
||||||
labels: {}
|
|
||||||
# basicAuth for APIs and metrics
|
|
||||||
basicAuth:
|
|
||||||
# HTTP BasicAuth username
|
|
||||||
username: ""
|
|
||||||
# HTTP BasicAuth password
|
|
||||||
password: ""
|
|
||||||
# read credentials from secret
|
|
||||||
secretRef: ""
|
|
|
@ -1,7 +0,0 @@
|
||||||
apiVersion: v2
|
|
||||||
name: ui
|
|
||||||
description: Policy Reporter UI
|
|
||||||
|
|
||||||
type: application
|
|
||||||
version: 2.10.5
|
|
||||||
appVersion: 1.9.2
|
|
|
@ -1,140 +0,0 @@
|
||||||
{{/*
|
|
||||||
Create a default fully qualified app name.
|
|
||||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
|
||||||
If release name contains chart name it will be used as a full name.
|
|
||||||
*/}}
|
|
||||||
{{- define "ui.fullname" -}}
|
|
||||||
{{- $name := "ui" }}
|
|
||||||
{{- if .Values.global.fullnameOverride }}
|
|
||||||
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else if contains $name .Release.Name }}
|
|
||||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else }}
|
|
||||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "ui.name" -}}
|
|
||||||
{{- "ui" }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create chart name and version as used by the chart label.
|
|
||||||
*/}}
|
|
||||||
{{- define "ui.chart" -}}
|
|
||||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Common labels
|
|
||||||
*/}}
|
|
||||||
{{- define "ui.labels" -}}
|
|
||||||
helm.sh/chart: {{ include "ui.chart" . }}
|
|
||||||
{{ include "ui.selectorLabels" . }}
|
|
||||||
{{- if .Chart.AppVersion }}
|
|
||||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|
||||||
{{- end }}
|
|
||||||
app.kubernetes.io/component: ui
|
|
||||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
||||||
app.kubernetes.io/part-of: policy-reporter
|
|
||||||
{{- with .Values.global.labels }}
|
|
||||||
{{ toYaml . }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- with .Values.ingress.labels }}
|
|
||||||
{{ toYaml . }}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Selector labels
|
|
||||||
*/}}
|
|
||||||
{{- define "ui.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: {{ include "ui.name" . }}
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Pod labels
|
|
||||||
*/}}
|
|
||||||
{{- define "ui.podLabels" -}}
|
|
||||||
helm.sh/chart: {{ include "ui.chart" . }}
|
|
||||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
|
||||||
app.kubernetes.io/part-of: policy-reporter
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Policy Reporter Selector labels
|
|
||||||
*/}}
|
|
||||||
{{- define "policyreporter.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: policy-reporter
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Kyverno Plugin Selector labels
|
|
||||||
*/}}
|
|
||||||
{{- define "kyvernoplugin.selectorLabels" -}}
|
|
||||||
app.kubernetes.io/name: kyverno-plugin
|
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/*
|
|
||||||
Create the name of the service account to use
|
|
||||||
*/}}
|
|
||||||
{{- define "ui.serviceAccountName" -}}
|
|
||||||
{{- if .Values.serviceAccount.create }}
|
|
||||||
{{- default (include "ui.fullname" .) .Values.serviceAccount.name }}
|
|
||||||
{{- else }}
|
|
||||||
{{- default "default" .Values.serviceAccount.name }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "ui.kyvernoPluginServiceName" -}}
|
|
||||||
{{- $name := "kyverno-plugin" }}
|
|
||||||
{{- if .Values.global.fullnameOverride }}
|
|
||||||
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else if contains $name .Release.Name }}
|
|
||||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else }}
|
|
||||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "ui.policyReportServiceName" -}}
|
|
||||||
{{- $name := "policy-reporter" }}
|
|
||||||
{{- if .Values.global.backend }}
|
|
||||||
{{- .Values.global.backend }}
|
|
||||||
{{- else if .Values.global.fullnameOverride }}
|
|
||||||
{{- .Values.global.fullnameOverride }}
|
|
||||||
{{- else if contains $name .Release.Name }}
|
|
||||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- else }}
|
|
||||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- define "ui.securityContext" -}}
|
|
||||||
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
|
|
||||||
{{ toYaml (omit .Values.securityContext "seccompProfile") }}
|
|
||||||
{{- else }}
|
|
||||||
{{ toYaml .Values.securityContext }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{/* Get the namespace name. */}}
|
|
||||||
{{- define "ui.namespace" -}}
|
|
||||||
{{- if .Values.global.namespace -}}
|
|
||||||
{{- .Values.global.namespace -}}
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Release.Namespace -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
||||||
|
|
||||||
{{/* Get the namespace name. */}}
|
|
||||||
{{- define "ui.logLevel" -}}
|
|
||||||
{{- if .Values.api.logging -}}
|
|
||||||
-1
|
|
||||||
{{- else -}}
|
|
||||||
{{- .Values.logging.logLevel -}}
|
|
||||||
{{- end -}}
|
|
||||||
{{- end -}}
|
|
|
@ -1,52 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: {{ include "ui.fullname" . }}-config
|
|
||||||
namespace: {{ include "ui.namespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "ui.labels" . | nindent 4 }}
|
|
||||||
data:
|
|
||||||
config.yaml: |-
|
|
||||||
logSize: {{ .Values.log.size }}
|
|
||||||
displayMode: {{ .Values.displayMode | quote }}
|
|
||||||
refreshInterval: {{ .Values.refreshInterval }}
|
|
||||||
clusterName: {{ .Values.clusterName | quote }}
|
|
||||||
views:
|
|
||||||
dashboard:
|
|
||||||
policyReports: {{ .Values.views.dashboard.policyReports }}
|
|
||||||
clusterPolicyReports: {{ .Values.views.dashboard.clusterPolicyReports }}
|
|
||||||
logs: {{ .Values.views.logs }}
|
|
||||||
policyReports: {{ .Values.views.policyReports }}
|
|
||||||
clusterPolicyReports: {{ .Values.views.clusterPolicyReports }}
|
|
||||||
kyvernoPolicies: {{ .Values.views.kyvernoPolicies }}
|
|
||||||
kyvernoVerifyImages: {{ .Values.views.kyvernoVerifyImages }}
|
|
||||||
{{- with .Values.clusters }}
|
|
||||||
clusters:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.labelFilter }}
|
|
||||||
labelFilter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
redis:
|
|
||||||
{{- toYaml . | nindent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
logging:
|
|
||||||
encoding: {{ .Values.logging.encoding }}
|
|
||||||
logLevel: {{ include "ui.logLevel" . }}
|
|
||||||
development: {{ .Values.logging.development }}
|
|
||||||
|
|
||||||
apiConfig:
|
|
||||||
logging: {{ .Values.api.logging }}
|
|
||||||
overwriteHost: {{ .Values.api.overwriteHost }}
|
|
||||||
basicAuth:
|
|
||||||
username: {{ .Values.global.basicAuth.username }}
|
|
||||||
password: {{ .Values.global.basicAuth.password }}
|
|
||||||
secretRef: {{ .Values.global.basicAuth.secretRef }}
|
|
|
@ -1,123 +0,0 @@
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: {{ include "ui.fullname" . }}
|
|
||||||
namespace: {{ include "ui.namespace" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "ui.labels" . | nindent 4 }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
replicas: {{ .Values.replicaCount }}
|
|
||||||
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
|
|
||||||
{{- if .Values.deploymentStrategy }}
|
|
||||||
strategy:
|
|
||||||
{{- toYaml .Values.deploymentStrategy | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "ui.selectorLabels" . | nindent 6 }}
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
{{- include "ui.selectorLabels" . | nindent 8 }}
|
|
||||||
{{- include "ui.podLabels" . | nindent 8 }}
|
|
||||||
{{- with .Values.podLabels }}
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.global.labels }}
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
annotations:
|
|
||||||
checksum/config: {{ include (print .Template.BasePath "/config.yaml") . | sha256sum | quote }}
|
|
||||||
{{- with .Values.podAnnotations }}
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
{{- with .Values.priorityClassName }}
|
|
||||||
priorityClassName: {{ . }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.imagePullSecrets }}
|
|
||||||
imagePullSecrets:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
serviceAccountName: {{ include "ui.serviceAccountName" . }}
|
|
||||||
automountServiceAccountToken: true
|
|
||||||
containers:
|
|
||||||
- name: {{ default .Chart.Name .Values.nameOverride }}
|
|
||||||
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
||||||
{{- if .Values.securityContext }}
|
|
||||||
securityContext: {{ include "ui.securityContext" . | nindent 12 }}
|
|
||||||
{{- end }}
|
|
||||||
args:
|
|
||||||
- -config=/app/config.yaml
|
|
||||||
- -policy-reporter=http://{{ include "ui.policyReportServiceName" . }}:{{ .Values.policyReporter.port }}
|
|
||||||
{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno }}
|
|
||||||
- -kyverno-plugin=http://{{ include "ui.kyvernoPluginServiceName" . }}:{{ .Values.kyvernoPlugin.port }}
|
|
||||||
{{- end }}
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
containerPort: 8080
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
port: http
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /
|
|
||||||
port: http
|
|
||||||
volumeMounts:
|
|
||||||
- name: config-file
|
|
||||||
mountPath: /app/config.yaml
|
|
||||||
subPath: config.yaml
|
|
||||||
readOnly: true
|
|
||||||
{{- if .Values.volumes }}
|
|
||||||
{{- toYaml .Values.volumeMounts | nindent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
resources:
|
|
||||||
{{- toYaml .Values.resources | nindent 12 }}
|
|
||||||
env:
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
{{- with .Values.envVars }}
|
|
||||||
{{- . | toYaml | trim | nindent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if .Values.sidecarContainers }}
|
|
||||||
{{- range $name, $spec := .Values.sidecarContainers }}
|
|
||||||
- name: {{ $name }}
|
|
||||||
{{- if kindIs "string" $spec }}
|
|
||||||
{{- tpl $spec $ | nindent 10 }}
|
|
||||||
{{- else }}
|
|
||||||
{{- toYaml $spec | nindent 10 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
volumes:
|
|
||||||
- name: config-file
|
|
||||||
configMap:
|
|
||||||
name: {{ include "ui.fullname" . }}-config
|
|
||||||
{{- if .Values.volumes }}
|
|
||||||
{{- toYaml .Values.volumes | nindent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.nodeSelector }}
|
|
||||||
nodeSelector:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.affinity }}
|
|
||||||
affinity:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.topologySpreadConstraints }}
|
|
||||||
topologySpreadConstraints:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.tolerations }}
|
|
||||||
tolerations:
|
|
||||||
{{- toYaml . | nindent 8 }}
|
|
||||||
{{- end }}
|
|
|
@ -1,4 +0,0 @@
|
||||||
{{ range .Values.extraManifests }}
|
|
||||||
---
|
|
||||||
{{ tpl . $ }}
|
|
||||||
{{ end }}
|
|
|
@ -1,44 +0,0 @@
|
||||||
{{- if .Values.networkPolicy.enabled }}
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: {{ include "ui.fullname" . }}
|
|
||||||
namespace: {{ include "ui.namespace" . }}
|
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
|
||||||
{{- include "ui.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
podSelector:
|
|
||||||
matchLabels: {{- include "ui.selectorLabels" . | nindent 6 }}
|
|
||||||
policyTypes:
|
|
||||||
- Ingress
|
|
||||||
- Egress
|
|
||||||
ingress:
|
|
||||||
- from:
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: {{ .Values.service.port }}
|
|
||||||
egress:
|
|
||||||
- to:
|
|
||||||
- podSelector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "policyreporter.selectorLabels" . | nindent 10 }}
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 8080
|
|
||||||
{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno }}
|
|
||||||
- to:
|
|
||||||
- podSelector:
|
|
||||||
matchLabels:
|
|
||||||
{{- include "kyvernoplugin.selectorLabels" . | nindent 10 }}
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: 8080
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.networkPolicy.egress }}
|
|
||||||
{{- toYaml . | nindent 2 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -1,33 +0,0 @@
|
||||||
{{- if .Values.service.enabled -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: {{ include "ui.fullname" . }}
|
|
||||||
namespace: {{ include "ui.namespace" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "ui.labels" . | nindent 4 }}
|
|
||||||
{{- with .Values.service.labels }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- if or .Values.annotations .Values.service.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- with .Values.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.service.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
spec:
|
|
||||||
type: {{ .Values.service.type }}
|
|
||||||
ports:
|
|
||||||
- port: {{ .Values.service.port }}
|
|
||||||
targetPort: http
|
|
||||||
protocol: TCP
|
|
||||||
name: http
|
|
||||||
{{- if .Values.service.additionalPorts }}
|
|
||||||
{{ toYaml .Values.service.additionalPorts | indent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
selector:
|
|
||||||
{{- include "ui.selectorLabels" . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
|
@ -1,18 +0,0 @@
|
||||||
{{- if .Values.serviceAccount.create -}}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: {{ include "ui.serviceAccountName" . }}
|
|
||||||
namespace: {{ include "ui.namespace" . }}
|
|
||||||
labels:
|
|
||||||
{{- include "ui.labels" . | nindent 4 }}
|
|
||||||
{{- if or .Values.annotations .Values.serviceAccount.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- with .Values.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.serviceAccount.annotations }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
|
|
@ -1,279 +0,0 @@
|
||||||
enabled: false
|
|
||||||
|
|
||||||
# Override the chart name used for all resources
|
|
||||||
nameOverride: ""
|
|
||||||
|
|
||||||
priorityClassName: ""
|
|
||||||
|
|
||||||
image:
|
|
||||||
registry: ghcr.io
|
|
||||||
repository: kyverno/policy-reporter-ui
|
|
||||||
pullPolicy: IfNotPresent
|
|
||||||
tag: 1.9.2
|
|
||||||
|
|
||||||
# sidecarContainers - add more containers to Kyverno ui
|
|
||||||
# Key/Value where Key is the sidecar `- name: <Key>`
|
|
||||||
# Example:
|
|
||||||
# for adding OAuth authentication to Kyverno ui
|
|
||||||
# sidecarContainers:
|
|
||||||
# oauth-proxy:
|
|
||||||
# image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
|
|
||||||
# args:
|
|
||||||
# - --upstream=http://127.0.0.1:8080
|
|
||||||
# - --http-address=0.0.0.0:8081
|
|
||||||
# - ...
|
|
||||||
# ports:
|
|
||||||
# - containerPort: 8081
|
|
||||||
# name: oauth-proxy
|
|
||||||
# protocol: TCP
|
|
||||||
# resources: {}
|
|
||||||
sidecarContainers: {}
|
|
||||||
|
|
||||||
# possible default displayModes: light/dark
|
|
||||||
displayMode: ""
|
|
||||||
|
|
||||||
# default refreshInterval, set 0 to disable it
|
|
||||||
refreshInterval: 10000
|
|
||||||
|
|
||||||
# Key/value pairs that are attached to all resources.
|
|
||||||
annotations: {}
|
|
||||||
|
|
||||||
log:
|
|
||||||
# holds the latest 200 validation results in the UI Log
|
|
||||||
size: 200
|
|
||||||
|
|
||||||
# enable/disable views as needed in the Policy Reporter UI
|
|
||||||
# disabled log view will also disable the UI as push target
|
|
||||||
views:
|
|
||||||
dashboard:
|
|
||||||
policyReports: true
|
|
||||||
clusterPolicyReports: true
|
|
||||||
logs: true
|
|
||||||
policyReports: true
|
|
||||||
clusterPolicyReports: true
|
|
||||||
kyvernoPolicies: true
|
|
||||||
kyvernoVerifyImages: true
|
|
||||||
|
|
||||||
plugins:
|
|
||||||
kyverno: false
|
|
||||||
|
|
||||||
# Custom Cluster Name which is used in the ClusterSelect, if you configured additional clusters below.
|
|
||||||
clusterName: ""
|
|
||||||
|
|
||||||
# Attention: be sure that your APIs are not accessable for the outside world
|
|
||||||
# Use tools like VPN, private Networks or internal Network Load Balancer to expose your APIs in a secure way to the UI
|
|
||||||
clusters: []
|
|
||||||
# - name: External Cluster
|
|
||||||
# api: https://policy-reporter.external.cluster # reachable external Policy Reporter REST API
|
|
||||||
# kyvernoApi: https://policy-reporter-kyverno-plugin.external.cluster # (optional) reachable external Policy Reporter Kyverno Plugin REST API
|
|
||||||
# skipTLS: false
|
|
||||||
# certificate: "/app/certs/root.ca"
|
|
||||||
# secreRef: "" # name of an existing secret to read the clusterconfiguration from, supported keys: api, kyvernoApi, username, password, skipTLS, certificate
|
|
||||||
# basicAuth: # added as HTTP BasicAuthentication Header for all requests against api and kyvernoApi
|
|
||||||
# username: ""
|
|
||||||
# password: ""
|
|
||||||
|
|
||||||
# define custom filter for policy report results based on (Cluster)PolicyReport labels
|
|
||||||
# exmaple - use a owner label on all reports belonging to a dedicated team and add the label as additional custom filter
|
|
||||||
#
|
|
||||||
# apiVersion: wgpolicyk8s.io/v1alpha2
|
|
||||||
# kind: PolicyReport
|
|
||||||
# metadata:
|
|
||||||
# labels:
|
|
||||||
# app.kubernetes.io/managed-by: kyverno
|
|
||||||
# owner: team-a
|
|
||||||
# name: cpol-disallow-capabilities
|
|
||||||
# namespace: default
|
|
||||||
# results: [...]
|
|
||||||
#
|
|
||||||
# labelFilter: ["owner"]
|
|
||||||
labelFilter: []
|
|
||||||
|
|
||||||
# Proxy request logging
|
|
||||||
logging:
|
|
||||||
encoding: console # possible encodings are console and json
|
|
||||||
logLevel: 0 # default info
|
|
||||||
development: false # more human readable structure, removes log sampling
|
|
||||||
|
|
||||||
api:
|
|
||||||
logging: false # enables access logging for proxy requests, sets log level to debug
|
|
||||||
overwriteHost: true # overwrites request host and sets X-Forwarded--Host and X-Origin-Host headers
|
|
||||||
|
|
||||||
# use redis as external log storage instead of an in memory store
|
|
||||||
# recommended when using a HA setup with more then one replica
|
|
||||||
# to get all logs on each instance
|
|
||||||
redis:
|
|
||||||
enabled: false
|
|
||||||
address: ""
|
|
||||||
database: 0
|
|
||||||
prefix: "policy-reporter-ui"
|
|
||||||
username: ""
|
|
||||||
password: ""
|
|
||||||
|
|
||||||
# configurations related to the PolicyReporter API
|
|
||||||
policyReporter:
|
|
||||||
port: 8080
|
|
||||||
|
|
||||||
# configurations related to the RolicyReporter KyvernoPlugin API
|
|
||||||
kyvernoPlugin:
|
|
||||||
port: 8080
|
|
||||||
|
|
||||||
# configure additional volumes to e.g. mount custom certificate for proxy TLS
|
|
||||||
volumes: []
|
|
||||||
volumeMounts: []
|
|
||||||
|
|
||||||
imagePullSecrets: []
|
|
||||||
|
|
||||||
replicaCount: 1
|
|
||||||
|
|
||||||
revisionHistoryLimit: 10
|
|
||||||
|
|
||||||
deploymentStrategy: {}
|
|
||||||
# rollingUpdate:
|
|
||||||
# maxSurge: 25%
|
|
||||||
# maxUnavailable: 25%
|
|
||||||
# type: RollingUpdate
|
|
||||||
|
|
||||||
securityContext:
|
|
||||||
runAsUser: 1234
|
|
||||||
runAsNonRoot: true
|
|
||||||
privileged: false
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
readOnlyRootFilesystem: true
|
|
||||||
capabilities:
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
|
|
||||||
# Key/value pairs that are attached to pods.
|
|
||||||
podAnnotations: {}
|
|
||||||
|
|
||||||
# Key/value pairs that are attached to pods.
|
|
||||||
podLabels: {}
|
|
||||||
|
|
||||||
# Allow additional env variables to be added
|
|
||||||
envVars: []
|
|
||||||
|
|
||||||
resources: {}
|
|
||||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
||||||
# choice for the user. This also increases chances charts run on environments with little
|
|
||||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
||||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
||||||
# limits:
|
|
||||||
# memory: 100Mi
|
|
||||||
# cpu: 50m
|
|
||||||
# requests:
|
|
||||||
# memory: 50Mi
|
|
||||||
# cpu: 10m
|
|
||||||
|
|
||||||
serviceAccount:
|
|
||||||
# Specifies whether a service account should be created
|
|
||||||
create: true
|
|
||||||
# Annotations to add to the service account
|
|
||||||
annotations: {}
|
|
||||||
# The name of the service account to use.
|
|
||||||
# If not set and create is true, a name is generated using the fullname template
|
|
||||||
name: ""
|
|
||||||
|
|
||||||
# Create secret reader role and rolebinding
|
|
||||||
rbac:
|
|
||||||
enabled: true
|
|
||||||
|
|
||||||
service:
|
|
||||||
enabled: true
|
|
||||||
## configuration of service
|
|
||||||
# key/value
|
|
||||||
annotations: {}
|
|
||||||
# key/value
|
|
||||||
labels: {}
|
|
||||||
type: ClusterIP
|
|
||||||
# integer nubmer. This is port for service
|
|
||||||
port: 8080
|
|
||||||
# additionalPorts:
|
|
||||||
# - name: authenticated
|
|
||||||
# port: 8081
|
|
||||||
# targetPort: 8081
|
|
||||||
additionalPorts: []
|
|
||||||
|
|
||||||
# enabled if replicaCount > 1
|
|
||||||
podDisruptionBudget:
|
|
||||||
# -- Configures the minimum available pods for policy-reporter-ui disruptions.
|
|
||||||
# Cannot be used if `maxUnavailable` is set.
|
|
||||||
minAvailable: 1
|
|
||||||
# -- Configures the maximum unavailable pods for policy-reporter-ui disruptions.
|
|
||||||
# Cannot be used if `minAvailable` is set.
|
|
||||||
maxUnavailable:
|
|
||||||
|
|
||||||
## Set to true to enable ingress record generation
|
|
||||||
# ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/
|
|
||||||
ingress:
|
|
||||||
enabled: false
|
|
||||||
className: ""
|
|
||||||
# key/value
|
|
||||||
labels: {}
|
|
||||||
# key/value
|
|
||||||
annotations: {}
|
|
||||||
# kubernetes.io/ingress.class: nginx
|
|
||||||
# kubernetes.io/tls-acme: "true"
|
|
||||||
## Redirect ingress to an additional defined port on the service
|
|
||||||
# port: 8081
|
|
||||||
hosts:
|
|
||||||
- host: chart-example.local
|
|
||||||
paths: []
|
|
||||||
tls: []
|
|
||||||
# - secretName: chart-example-tls
|
|
||||||
# hosts:
|
|
||||||
# - chart-example.local
|
|
||||||
|
|
||||||
# Node labels for pod assignment
|
|
||||||
# ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
||||||
nodeSelector: {}
|
|
||||||
|
|
||||||
# Tolerations for pod assignment
|
|
||||||
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
||||||
tolerations: []
|
|
||||||
|
|
||||||
# Anti-affinity to disallow deploying client and master nodes on the same worker node
|
|
||||||
affinity: {}
|
|
||||||
|
|
||||||
# Topology Spread Constraints to better spread pods
|
|
||||||
topologySpreadConstraints: []
|
|
||||||
|
|
||||||
# enable a NetworkPolicy for this chart. Useful on clusters where Network Policies are
|
|
||||||
# used and configured in a default-deny fashion.
|
|
||||||
networkPolicy:
|
|
||||||
enabled: false
|
|
||||||
egress: []
|
|
||||||
|
|
||||||
# Should be set in the parent chart only
|
|
||||||
global:
|
|
||||||
# available plugins
|
|
||||||
plugins:
|
|
||||||
# enable kyverno for Policy Reporter UI and monitoring
|
|
||||||
kyverno: false
|
|
||||||
# overwrite the fullname of all resources including subcharts
|
|
||||||
fullnameOverride: ""
|
|
||||||
# configure the namespace of all resources including subcharts
|
|
||||||
namespace: ""
|
|
||||||
# additional labels added on each resource
|
|
||||||
labels: {}
|
|
||||||
# basicAuth for APIs and metrics
|
|
||||||
basicAuth:
|
|
||||||
# HTTP BasicAuth username
|
|
||||||
username: ""
|
|
||||||
# HTTP BasicAuth password
|
|
||||||
password: ""
|
|
||||||
# read credentials from secret
|
|
||||||
secretRef: ""
|
|
||||||
|
|
||||||
# Extra manifests to deploy as an array
|
|
||||||
extraManifests: []
|
|
||||||
# - |
|
|
||||||
# apiVersion: v1
|
|
||||||
# kind: ConfigMap
|
|
||||||
# metadata:
|
|
||||||
# labels:
|
|
||||||
# name: kyverno-extra
|
|
||||||
# data:
|
|
||||||
# extra-data: "value"
|
|
|
@ -1,416 +0,0 @@
|
||||||
loki:
|
|
||||||
host: {{ .Values.target.loki.host | quote }}
|
|
||||||
certificate: {{ .Values.target.loki.certificate | quote }}
|
|
||||||
skipTLS: {{ .Values.target.loki.skipTLS }}
|
|
||||||
path: {{ .Values.target.loki.path | quote }}
|
|
||||||
secretRef: {{ .Values.target.loki.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.loki.mountedSecret | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.loki.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.loki.skipExistingOnStartup }}
|
|
||||||
username: {{ .Values.target.loki.username | quote }}
|
|
||||||
password: {{ .Values.target.loki.password | quote }}
|
|
||||||
{{- with .Values.target.loki.customLabels }}
|
|
||||||
customLabels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.loki.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.loki.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.loki.headers }}
|
|
||||||
headers:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.loki.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
elasticsearch:
|
|
||||||
host: {{ .Values.target.elasticsearch.host | quote }}
|
|
||||||
certificate: {{ .Values.target.elasticsearch.certificate | quote }}
|
|
||||||
skipTLS: {{ .Values.target.elasticsearch.skipTLS }}
|
|
||||||
username: {{ .Values.target.elasticsearch.username | quote }}
|
|
||||||
password: {{ .Values.target.elasticsearch.password | quote }}
|
|
||||||
apiKey: {{ .Values.target.elasticsearch.apiKey | quote }}
|
|
||||||
secretRef: {{ .Values.target.elasticsearch.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.elasticsearch.mountedSecret | quote }}
|
|
||||||
index: {{ .Values.target.elasticsearch.index | default "policy-reporter" | quote }}
|
|
||||||
rotation: {{ .Values.target.elasticsearch.rotation | default "daily" | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.elasticsearch.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.elasticsearch.skipExistingOnStartup }}
|
|
||||||
typelessApi: {{ .Values.target.elasticsearch.typelessApi }}
|
|
||||||
{{- with .Values.target.elasticsearch.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.elasticsearch.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.elasticsearch.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.elasticsearch.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
slack:
|
|
||||||
webhook: {{ .Values.target.slack.webhook | quote }}
|
|
||||||
channel: {{ .Values.target.slack.channel | quote }}
|
|
||||||
secretRef: {{ .Values.target.slack.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.slack.mountedSecret | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.slack.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.slack.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.slack.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.slack.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.slack.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.slack.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
discord:
|
|
||||||
webhook: {{ .Values.target.discord.webhook | quote }}
|
|
||||||
secretRef: {{ .Values.target.discord.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.discord.mountedSecret | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.discord.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.discord.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.discord.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.discord.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.discord.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.discord.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
teams:
|
|
||||||
webhook: {{ .Values.target.teams.webhook | quote }}
|
|
||||||
certificate: {{ .Values.target.teams.certificate | quote }}
|
|
||||||
skipTLS: {{ .Values.target.teams.skipTLS }}
|
|
||||||
secretRef: {{ .Values.target.teams.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.teams.mountedSecret | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.teams.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.teams.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.teams.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.teams.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.teams.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.teams.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
webhook:
|
|
||||||
host: {{ .Values.target.webhook.host | quote }}
|
|
||||||
certificate: {{ .Values.target.webhook.certificate | quote }}
|
|
||||||
skipTLS: {{ .Values.target.webhook.skipTLS }}
|
|
||||||
secretRef: {{ .Values.target.webhook.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.webhook.mountedSecret | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.webhook.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.webhook.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.webhook.headers }}
|
|
||||||
headers:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.webhook.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.webhook.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.webhook.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.webhook.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
telegram:
|
|
||||||
token: {{ .Values.target.telegram.token | quote }}
|
|
||||||
chatID: {{ .Values.target.telegram.chatID | quote }}
|
|
||||||
host: {{ .Values.target.telegram.host | quote }}
|
|
||||||
certificate: {{ .Values.target.telegram.certificate | quote }}
|
|
||||||
skipTLS: {{ .Values.target.telegram.skipTLS }}
|
|
||||||
secretRef: {{ .Values.target.telegram.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.telegram.mountedSecret | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.telegram.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.telegram.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.telegram.headers }}
|
|
||||||
headers:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.telegram.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.telegram.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.telegram.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.telegram.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
googleChat:
|
|
||||||
webhook: {{ .Values.target.googleChat.webhook | quote }}
|
|
||||||
certificate: {{ .Values.target.googleChat.certificate | quote }}
|
|
||||||
skipTLS: {{ .Values.target.googleChat.skipTLS }}
|
|
||||||
secretRef: {{ .Values.target.googleChat.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.googleChat.mountedSecret | quote }}
|
|
||||||
minimumPriority: {{ .Values.target.googleChat.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.googleChat.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.googleChat.headers }}
|
|
||||||
headers:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.googleChat.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.googleChat.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.googleChat.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.googleChat.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
ui:
|
|
||||||
host: {{ include "policyreporter.uihost" . }}
|
|
||||||
certificate: {{ .Values.target.ui.certificate | quote }}
|
|
||||||
skipTLS: {{ .Values.target.ui.skipTLS }}
|
|
||||||
minimumPriority: {{ .Values.target.ui.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.ui.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.ui.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
s3:
|
|
||||||
accessKeyID: {{ .Values.target.s3.accessKeyID }}
|
|
||||||
secretAccessKey: {{ .Values.target.s3.secretAccessKey }}
|
|
||||||
secretRef: {{ .Values.target.s3.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.s3.mountedSecret }}
|
|
||||||
region: {{ .Values.target.s3.region }}
|
|
||||||
endpoint: {{ .Values.target.s3.endpoint }}
|
|
||||||
bucket: {{ .Values.target.s3.bucket }}
|
|
||||||
bucketKeyEnabled: {{ .Values.target.s3.bucketKeyEnabled }}
|
|
||||||
kmsKeyId: {{ .Values.target.s3.kmsKeyId }}
|
|
||||||
serverSideEncryption: {{ .Values.target.s3.serverSideEncryption }}
|
|
||||||
pathStyle: {{ .Values.target.s3.pathStyle }}
|
|
||||||
prefix: {{ .Values.target.s3.prefix }}
|
|
||||||
minimumPriority: {{ .Values.target.s3.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.s3.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.s3.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.s3.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.s3.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.s3.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
kinesis:
|
|
||||||
accessKeyID: {{ .Values.target.kinesis.accessKeyID }}
|
|
||||||
secretAccessKey: {{ .Values.target.kinesis.secretAccessKey }}
|
|
||||||
secretRef: {{ .Values.target.kinesis.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.kinesis.mountedSecret | quote }}
|
|
||||||
region: {{ .Values.target.kinesis.region }}
|
|
||||||
endpoint: {{ .Values.target.kinesis.endpoint }}
|
|
||||||
streamName: {{ .Values.target.kinesis.streamName }}
|
|
||||||
minimumPriority: {{ .Values.target.kinesis.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.kinesis.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.kinesis.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.kinesis.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.kinesis.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.kinesis.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
securityHub:
|
|
||||||
accountID: {{ .Values.target.securityHub.accountID }}
|
|
||||||
accessKeyID: {{ .Values.target.securityHub.accessKeyID }}
|
|
||||||
secretAccessKey: {{ .Values.target.securityHub.secretAccessKey }}
|
|
||||||
delayInSeconds: {{ .Values.target.securityHub.delayInSeconds }}
|
|
||||||
cleanup: {{ .Values.target.securityHub.cleanup }}
|
|
||||||
secretRef: {{ .Values.target.securityHub.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.securityHub.mountedSecret | quote }}
|
|
||||||
productName: {{ .Values.target.securityHub.productName | quote }}
|
|
||||||
companyName: {{ .Values.target.securityHub.companyName | quote }}
|
|
||||||
region: {{ .Values.target.securityHub.region }}
|
|
||||||
endpoint: {{ .Values.target.securityHub.endpoint }}
|
|
||||||
minimumPriority: {{ .Values.target.securityHub.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.securityHub.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.securityHub.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.securityHub.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.securityHub.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.securityHub.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
gcs:
|
|
||||||
credentials: {{ .Values.target.gcs.credentials }}
|
|
||||||
secretRef: {{ .Values.target.gcs.secretRef | quote }}
|
|
||||||
mountedSecret: {{ .Values.target.gcs.mountedSecret | quote }}
|
|
||||||
bucket: {{ .Values.target.gcs.bucket }}
|
|
||||||
prefix: {{ .Values.target.gcs.prefix }}
|
|
||||||
minimumPriority: {{ .Values.target.gcs.minimumPriority | quote }}
|
|
||||||
skipExistingOnStartup: {{ .Values.target.gcs.skipExistingOnStartup }}
|
|
||||||
{{- with .Values.target.gcs.sources }}
|
|
||||||
sources:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.gcs.customFields }}
|
|
||||||
customFields:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.gcs.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.target.gcs.channels }}
|
|
||||||
channels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
worker: {{ .Values.worker }}
|
|
||||||
|
|
||||||
metrics:
|
|
||||||
mode: {{ .Values.metrics.mode }}
|
|
||||||
{{- with .Values.metrics.filter }}
|
|
||||||
filter:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.metrics.customLabels }}
|
|
||||||
customLabels:
|
|
||||||
{{- toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
reportFilter:
|
|
||||||
namespaces:
|
|
||||||
{{- with .Values.reportFilter.namespaces.include }}
|
|
||||||
include:
|
|
||||||
{{- toYaml . | nindent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.reportFilter.namespaces.exclude }}
|
|
||||||
exclude:
|
|
||||||
{{- toYaml . | nindent 6 }}
|
|
||||||
{{- end }}
|
|
||||||
clusterReports:
|
|
||||||
disabled: {{ .Values.reportFilter.clusterReports.disabled }}
|
|
||||||
|
|
||||||
leaderElection:
|
|
||||||
enabled: {{ or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
|
|
||||||
releaseOnCancel: {{ .Values.leaderElection.releaseOnCancel }}
|
|
||||||
leaseDuration: {{ .Values.leaderElection.leaseDuration }}
|
|
||||||
renewDeadline: {{ .Values.leaderElection.renewDeadline }}
|
|
||||||
retryPeriod: {{ .Values.leaderElection.retryPeriod }}
|
|
||||||
|
|
||||||
{{- with .Values.redis }}
|
|
||||||
redis:
|
|
||||||
{{- toYaml . | nindent 2 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- with .Values.sourceConfig }}
|
|
||||||
sourceConfig:
|
|
||||||
{{- toYaml . | nindent 2 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
|
|
||||||
logging:
|
|
||||||
encoding: {{ .Values.logging.encoding }}
|
|
||||||
logLevel: {{ include "policyreporter.logLevel" . }}
|
|
||||||
development: {{ .Values.logging.development }}
|
|
||||||
|
|
||||||
api:
|
|
||||||
logging: {{ .Values.api.logging }}
|
|
||||||
basicAuth:
|
|
||||||
username: {{ .Values.global.basicAuth.username }}
|
|
||||||
password: {{ .Values.global.basicAuth.password }}
|
|
||||||
secretRef: {{ .Values.global.basicAuth.secretRef }}
|
|
||||||
|
|
||||||
database:
|
|
||||||
type: {{ .Values.database.type }}
|
|
||||||
database: {{ .Values.database.database }}
|
|
||||||
username: {{ .Values.database.username }}
|
|
||||||
password: {{ .Values.database.password }}
|
|
||||||
host: {{ .Values.database.host }}
|
|
||||||
enableSSL: {{ .Values.database.enableSSL }}
|
|
||||||
dsn: {{ .Values.database.dsn }}
|
|
||||||
secretRef: {{ .Values.database.secretRef }}
|
|
||||||
mountedSecret: {{ .Values.database.mountedSecret }}
|
|
176
charts/policy-reporter/configs/core.tmpl
Normal file
176
charts/policy-reporter/configs/core.tmpl
Normal file
|
@ -0,0 +1,176 @@
|
||||||
|
target:
|
||||||
|
loki:
|
||||||
|
{{- include "target.loki" .Values.target.loki | nindent 4 }}
|
||||||
|
{{- if and .Values.target.loki .Values.target.loki.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.loki.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.loki" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
elasticsearch:
|
||||||
|
{{- include "target.elasticsearch" .Values.target.elasticsearch | nindent 4 }}
|
||||||
|
{{- if and .Values.target.elasticsearch .Values.target.elasticsearch.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.elasticsearch.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.elasticsearch" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
slack:
|
||||||
|
{{- include "target.slack" .Values.target.slack | nindent 4 }}
|
||||||
|
{{- if and .Values.target.slack .Values.target.slack.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.slack.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.slack" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
discord:
|
||||||
|
{{- include "target.webhook" .Values.target.discord | nindent 4 }}
|
||||||
|
{{- if and .Values.target.discord .Values.target.discord.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.discord.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.webhook" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
teams:
|
||||||
|
{{- include "target.webhook" .Values.target.teams | nindent 4 }}
|
||||||
|
{{- if and .Values.target.teams .Values.target.teams.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.teams.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.webhook" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
webhook:
|
||||||
|
{{- include "target.webhook" .Values.target.webhook | nindent 4 }}
|
||||||
|
{{- if and .Values.target.webhook .Values.target.webhook.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.webhook.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.webhook" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
telegram:
|
||||||
|
{{- include "target.telegram" .Values.target.telegram | nindent 4 }}
|
||||||
|
{{- if and .Values.target.telegram .Values.target.telegram.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.telegram.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.telegram" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
googleChat:
|
||||||
|
{{- include "target.webhook" .Values.target.googleChat | nindent 4 }}
|
||||||
|
{{- if and .Values.target.webhook .Values.target.googleChat.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.googleChat.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.webhook" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
s3:
|
||||||
|
{{- include "target.s3" .Values.target.s3 | nindent 4 }}
|
||||||
|
{{- if and .Values.target.s3 .Values.target.s3.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.s3.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.s3" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
kinesis:
|
||||||
|
{{- include "target.kinesis" .Values.target.kinesis | nindent 4 }}
|
||||||
|
{{- if and .Values.target.kinesis .Values.target.kinesis.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.kinesis.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.kinesis" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
securityHub:
|
||||||
|
{{- include "target.securityhub" .Values.target.securityHub | nindent 4 }}
|
||||||
|
{{- if and .Values.target.securityHub .Values.target.securityHub.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.securityHub.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.securityhub" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
gcs:
|
||||||
|
{{- include "target.gcs" .Values.target.gcs | nindent 4 }}
|
||||||
|
{{- if and .Values.target.gcs .Values.target.gcs.channels }}
|
||||||
|
channels:
|
||||||
|
{{- range .Values.target.gcs.channels }}
|
||||||
|
-
|
||||||
|
{{- include "target.gcs" . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
worker: {{ .Values.worker }}
|
||||||
|
|
||||||
|
{{- with .Values.metrics }}
|
||||||
|
metrics:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with .Values.reportFilter }}
|
||||||
|
reportFilter:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with .Values.sourceFilters }}
|
||||||
|
sourceFilters:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
leaderElection:
|
||||||
|
enabled: {{ gt (int .Values.replicaCount) 1 }}
|
||||||
|
releaseOnCancel: {{ .Values.leaderElection.releaseOnCancel }}
|
||||||
|
leaseDuration: {{ .Values.leaderElection.leaseDuration }}
|
||||||
|
renewDeadline: {{ .Values.leaderElection.renewDeadline }}
|
||||||
|
retryPeriod: {{ .Values.leaderElection.retryPeriod }}
|
||||||
|
|
||||||
|
{{- with .Values.redis }}
|
||||||
|
redis:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with .Values.sourceConfig }}
|
||||||
|
sourceConfig:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
logging:
|
||||||
|
server: {{ .Values.logging.server }}
|
||||||
|
encoding: {{ .Values.logging.encoding }}
|
||||||
|
logLevel: {{ include "policyreporter.logLevel" . }}
|
||||||
|
|
||||||
|
api:
|
||||||
|
basicAuth:
|
||||||
|
username: {{ .Values.basicAuth.username }}
|
||||||
|
password: {{ .Values.basicAuth.password }}
|
||||||
|
secretRef: {{ .Values.basicAuth.secretRef }}
|
||||||
|
|
||||||
|
database:
|
||||||
|
type: {{ .Values.database.type }}
|
||||||
|
database: {{ .Values.database.database }}
|
||||||
|
username: {{ .Values.database.username }}
|
||||||
|
password: {{ .Values.database.password }}
|
||||||
|
host: {{ .Values.database.host }}
|
||||||
|
enableSSL: {{ .Values.database.enableSSL }}
|
||||||
|
dsn: {{ .Values.database.dsn }}
|
||||||
|
secretRef: {{ .Values.database.secretRef }}
|
||||||
|
mountedSecret: {{ .Values.database.mountedSecret }}
|
27
charts/policy-reporter/configs/kyverno-plugin.tmpl
Normal file
27
charts/policy-reporter/configs/kyverno-plugin.tmpl
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
leaderElection:
|
||||||
|
enabled: {{ gt (int .Values.plugin.kyverno.replicaCount) 1 }}
|
||||||
|
releaseOnCancel: {{ .Values.plugin.kyverno.leaderElection.releaseOnCancel }}
|
||||||
|
leaseDuration: {{ .Values.plugin.kyverno.leaderElection.leaseDuration }}
|
||||||
|
renewDeadline: {{ .Values.plugin.kyverno.leaderElection.renewDeadline }}
|
||||||
|
retryPeriod: {{ .Values.plugin.kyverno.leaderElection.retryPeriod }}
|
||||||
|
lockName: {{ .Values.plugin.kyverno.leaderElection.lockName }}
|
||||||
|
|
||||||
|
logging:
|
||||||
|
api: {{ .Values.plugin.kyverno.logging.api }}
|
||||||
|
server: {{ .Values.plugin.kyverno.logging.server }}
|
||||||
|
encoding: {{ .Values.plugin.kyverno.logging.encoding }}
|
||||||
|
logLevel: {{ .Values.plugin.kyverno.logging.logLevel }}
|
||||||
|
|
||||||
|
server:
|
||||||
|
basicAuth:
|
||||||
|
username: {{ .Values.basicAuth.username }}
|
||||||
|
password: {{ .Values.basicAuth.password }}
|
||||||
|
secretRef: {{ .Values.basicAuth.secretRef }}
|
||||||
|
|
||||||
|
core:
|
||||||
|
host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) }}
|
||||||
|
|
||||||
|
{{- with .Values.plugin.kyverno.blockReports }}
|
||||||
|
blockReports:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
20
charts/policy-reporter/configs/trivy-plugin.tmpl
Normal file
20
charts/policy-reporter/configs/trivy-plugin.tmpl
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
logging:
|
||||||
|
api: {{ .Values.plugin.trivy.logging.api }}
|
||||||
|
server: {{ .Values.plugin.trivy.logging.server }}
|
||||||
|
encoding: {{ .Values.plugin.trivy.logging.encoding }}
|
||||||
|
logLevel: {{ .Values.plugin.trivy.logging.logLevel }}
|
||||||
|
|
||||||
|
server:
|
||||||
|
basicAuth:
|
||||||
|
username: {{ .Values.basicAuth.username }}
|
||||||
|
password: {{ .Values.basicAuth.password }}
|
||||||
|
secretRef: {{ .Values.basicAuth.secretRef }}
|
||||||
|
|
||||||
|
core:
|
||||||
|
host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) }}
|
||||||
|
skipTLS: {{ .Values.plugin.trivy.policyReporter.skipTLS }}
|
||||||
|
certificate: {{ .Values.plugin.trivy.policyReporter.certificate }}
|
||||||
|
secretRef: {{ .Values.plugin.trivy.policyReporter.secretRef }}
|
||||||
|
basicAuth:
|
||||||
|
username: {{ .Values.basicAuth.username }}
|
||||||
|
password: {{ .Values.basicAuth.password }}
|
70
charts/policy-reporter/configs/ui.tmpl
Normal file
70
charts/policy-reporter/configs/ui.tmpl
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
|
||||||
|
tempDir: {{ .Values.ui.tempDir }}
|
||||||
|
|
||||||
|
logging:
|
||||||
|
api: {{ .Values.ui.logging.api }}
|
||||||
|
server: {{ .Values.ui.logging.server }}
|
||||||
|
encoding: {{ .Values.ui.logging.encoding }}
|
||||||
|
logLevel: {{ .Values.ui.logging.logLevel }}
|
||||||
|
|
||||||
|
server:
|
||||||
|
port: {{ .Values.ui.server.port }}
|
||||||
|
cors: {{ .Values.ui.server.cors }}
|
||||||
|
overwriteHost: {{ .Values.ui.server.overwriteHost }}
|
||||||
|
|
||||||
|
ui:
|
||||||
|
displayMode: {{ .Values.ui.displayMode }}
|
||||||
|
banner: {{ .Values.ui.banner }}
|
||||||
|
|
||||||
|
{{- $default := false -}}
|
||||||
|
{{- range .Values.ui.clusters }}
|
||||||
|
{{- if eq .name .Values.ui.name -}}
|
||||||
|
{{- $default = true -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
clusters:
|
||||||
|
{{- if not $default }}
|
||||||
|
- name: {{ .Values.ui.name }}
|
||||||
|
secretRef: {{ include "ui.fullname" . }}-default-cluster
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.ui.clusters }}
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with .Values.ui.customBoards }}
|
||||||
|
customBoards:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- $kyverno := false -}}
|
||||||
|
{{- range .Values.ui.sources }}
|
||||||
|
{{- if eq .name "kyverno" -}}
|
||||||
|
{{- $kyverno = true -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
sources:
|
||||||
|
{{- if not $kyverno }}
|
||||||
|
- name: kyverno
|
||||||
|
chartType: result
|
||||||
|
exceptions: false
|
||||||
|
excludes:
|
||||||
|
results:
|
||||||
|
- warn
|
||||||
|
- error
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.ui.sources }}
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with .Values.ui.openIDConnect }}
|
||||||
|
openIDConnect:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with .Values.ui.oauth }}
|
||||||
|
oauth:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
|
@ -9,8 +9,8 @@ If release name contains chart name it will be used as a full name.
|
||||||
*/}}
|
*/}}
|
||||||
{{- define "policyreporter.fullname" -}}
|
{{- define "policyreporter.fullname" -}}
|
||||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||||
{{- if .Values.global.fullnameOverride }}
|
{{- if .Values.fullnameOverride }}
|
||||||
{{- .Values.global.fullnameOverride }}
|
{{- .Values.fullnameOverride }}
|
||||||
{{- else if contains $name .Release.Name }}
|
{{- else if contains $name .Release.Name }}
|
||||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||||
{{- else }}
|
{{- else }}
|
||||||
|
@ -78,8 +78,6 @@ Create UI target host based on configuration
|
||||||
{{- .Values.target.ui.host }}
|
{{- .Values.target.ui.host }}
|
||||||
{{- else if not .Values.ui.enabled }}
|
{{- else if not .Values.ui.enabled }}
|
||||||
{{- "" }}
|
{{- "" }}
|
||||||
{{- else if and .Values.ui.enabled (and .Values.ui.views.logs .Values.ui.service.enabled) }}
|
|
||||||
{{- printf "http://%s:%s" (include "ui.fullname" .) (.Values.ui.service.port | toString) }}
|
|
||||||
{{- else }}
|
{{- else }}
|
||||||
{{- "" }}
|
{{- "" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -95,7 +93,7 @@ Create UI target host based on configuration
|
||||||
|
|
||||||
{{- define "policyreporter.podDisruptionBudget" -}}
|
{{- define "policyreporter.podDisruptionBudget" -}}
|
||||||
{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}
|
{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}
|
||||||
{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}}
|
{{- fail "Cannot set both minAvailable and maxUnavailable" -}}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if not .Values.podDisruptionBudget.maxUnavailable }}
|
{{- if not .Values.podDisruptionBudget.maxUnavailable }}
|
||||||
minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }}
|
minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }}
|
||||||
|
@ -107,8 +105,8 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
|
||||||
|
|
||||||
{{/* Get the namespace name. */}}
|
{{/* Get the namespace name. */}}
|
||||||
{{- define "policyreporter.namespace" -}}
|
{{- define "policyreporter.namespace" -}}
|
||||||
{{- if .Values.global.namespace -}}
|
{{- if .Values.namespaceOverride -}}
|
||||||
{{- .Values.global.namespace -}}
|
{{- .Values.namespaceOverride -}}
|
||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- .Release.Namespace -}}
|
{{- .Release.Namespace -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
@ -116,9 +114,137 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
|
||||||
|
|
||||||
{{/* Get the namespace name. */}}
|
{{/* Get the namespace name. */}}
|
||||||
{{- define "policyreporter.logLevel" -}}
|
{{- define "policyreporter.logLevel" -}}
|
||||||
{{- if .Values.api.logging -}}
|
{{- if .Values.logging.server -}}
|
||||||
-1
|
-1
|
||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- .Values.logging.logLevel -}}
|
{{- .Values.logging.logLevel -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "target" -}}
|
||||||
|
name: {{ .name | quote }}
|
||||||
|
secretRef: {{ .secretRef | quote }}
|
||||||
|
mountedSecret: {{ .mountedSecret | quote }}
|
||||||
|
minimumSeverity: {{ .minimumSeverity | quote }}
|
||||||
|
skipExistingOnStartup: {{ .skipExistingOnStartup }}
|
||||||
|
{{- with .customFields }}
|
||||||
|
customFields:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .sources }}
|
||||||
|
sources:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .filter }}
|
||||||
|
filter:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.loki" -}}
|
||||||
|
config:
|
||||||
|
host: {{ .host | quote }}
|
||||||
|
certificate: {{ .certificate | quote }}
|
||||||
|
skipTLS: {{ .skipTLS }}
|
||||||
|
path: {{ .path | quote }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.elasticsearch" -}}
|
||||||
|
config:
|
||||||
|
host: {{ .host | quote }}
|
||||||
|
certificate: {{ .certificate | quote }}
|
||||||
|
skipTLS: {{ .skipTLS }}
|
||||||
|
username: {{ .username | quote }}
|
||||||
|
password: {{ .password | quote }}
|
||||||
|
apiKey: {{ .apiKey | quote }}
|
||||||
|
index: {{ .index| quote }}
|
||||||
|
rotation: {{ .rotation | quote }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.slack" -}}
|
||||||
|
config:
|
||||||
|
webhook: {{ .webhook | quote }}
|
||||||
|
channel: {{ .channel | quote }}
|
||||||
|
certificate: {{ .certificate | quote }}
|
||||||
|
skipTLS: {{ .skipTLS }}
|
||||||
|
{{- with .headers }}
|
||||||
|
headers:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.webhook" -}}
|
||||||
|
config:
|
||||||
|
webhook: {{ .webhook | quote }}
|
||||||
|
certificate: {{ .certificate | quote }}
|
||||||
|
skipTLS: {{ .skipTLS }}
|
||||||
|
{{- with .headers }}
|
||||||
|
headers:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.telegram" -}}
|
||||||
|
config:
|
||||||
|
chatId: {{ .chatId | quote }}
|
||||||
|
token: {{ .token | quote }}
|
||||||
|
webhook: {{ .webhook | quote }}
|
||||||
|
certificate: {{ .certificate | quote }}
|
||||||
|
skipTLS: {{ .skipTLS }}
|
||||||
|
{{- with .headers }}
|
||||||
|
headers:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.s3" -}}
|
||||||
|
config:
|
||||||
|
accessKeyId: {{ .accessKeyId }}
|
||||||
|
secretAccessKey: {{ .secretAccessKey }}
|
||||||
|
region: {{ .region }}
|
||||||
|
endpoint: {{ .endpoint }}
|
||||||
|
bucket: {{ .bucket }}
|
||||||
|
bucketKeyEnabled: {{ .bucketKeyEnabled }}
|
||||||
|
kmsKeyId: {{ .kmsKeyId }}
|
||||||
|
serverSideEncryption: {{ .serverSideEncryption }}
|
||||||
|
pathStyle: {{ .pathStyle }}
|
||||||
|
prefix: {{ .prefix }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.kinesis" -}}
|
||||||
|
config:
|
||||||
|
accessKeyId: {{ .accessKeyId }}
|
||||||
|
secretAccessKey: {{ .secretAccessKey }}
|
||||||
|
region: {{ .region }}
|
||||||
|
endpoint: {{ .endpoint }}
|
||||||
|
streamName: {{ .streamName }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.securityhub" -}}
|
||||||
|
config:
|
||||||
|
accessKeyId: {{ .accessKeyId }}
|
||||||
|
secretAccessKey: {{ .secretAccessKey }}
|
||||||
|
region: {{ .region }}
|
||||||
|
endpoint: {{ .endpoint }}
|
||||||
|
accountId: {{ .accountId }}
|
||||||
|
productName: {{ .productName }}
|
||||||
|
companyName: {{ .companyName }}
|
||||||
|
delayInSeconds: {{ .delayInSeconds }}
|
||||||
|
synchronize: {{ .synchronize }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "target.gcs" -}}
|
||||||
|
config:
|
||||||
|
credentials: {{ .credentials }}
|
||||||
|
bucket: {{ .bucket }}
|
||||||
|
prefix: {{ .prefix }}
|
||||||
|
{{ include "target" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
26
charts/policy-reporter/templates/cluster-secret.yaml
Normal file
26
charts/policy-reporter/templates/cluster-secret.yaml
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "ui.fullname" . }}-default-cluster
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
{{- if .Values.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml .Values.annotations | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{- include "policyreporter.labels" . | nindent 4 }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
{{- $username := .Values.basicAuth.username }}
|
||||||
|
{{- $password := .Values.basicAuth.password }}
|
||||||
|
host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) | b64enc }}
|
||||||
|
{{- if .Values.plugin.kyverno.enabled }}
|
||||||
|
{{- $host := printf "http://%s:%d" (include "kyverno-plugin.fullname" .) (.Values.plugin.kyverno.service.port | int) }}
|
||||||
|
plugin.kyverno: {{ (printf "{\"host\":\"%s\", \"name\":\"kyverno\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.plugin.trivy.enabled }}
|
||||||
|
{{- $host := printf "http://%s:%d/vulnr" (include "trivy-plugin.fullname" .) (.Values.plugin.trivy.service.port | int) }}
|
||||||
|
plugin.trivy: {{ (printf "{\"host\":\"%s\", \"name\":\"Trivy Vulnerability\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
|
||||||
|
username: {{ $username | b64enc }}
|
||||||
|
password: {{ $password | b64enc }}
|
||||||
|
{{- end }}
|
|
@ -22,4 +22,22 @@ rules:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- namespaces
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
- apiGroups:
|
||||||
|
- ''
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- apiGroups:
|
||||||
|
- 'batch'
|
||||||
|
resources:
|
||||||
|
- jobs
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
|
@ -12,5 +12,5 @@ metadata:
|
||||||
{{- include "policyreporter.labels" . | nindent 4 }}
|
{{- include "policyreporter.labels" . | nindent 4 }}
|
||||||
type: Opaque
|
type: Opaque
|
||||||
data:
|
data:
|
||||||
config.yaml: {{ tpl (.Files.Get "config-email-reports.yaml") . | b64enc }}
|
config.yaml: {{ tpl (.Files.Get "configs/email-reports.tmpl") . | b64enc }}
|
||||||
{{- end }}
|
{{- end }}
|
|
@ -12,5 +12,5 @@ metadata:
|
||||||
{{- include "policyreporter.labels" . | nindent 4 }}
|
{{- include "policyreporter.labels" . | nindent 4 }}
|
||||||
type: Opaque
|
type: Opaque
|
||||||
data:
|
data:
|
||||||
config.yaml: {{ tpl (.Files.Get "config.yaml") . | b64enc }}
|
config.yaml: {{ tpl (.Files.Get "configs/core.tmpl") . | b64enc }}
|
||||||
{{- end }}
|
{{- end }}
|
|
@ -51,7 +51,7 @@ spec:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
restartPolicy: {{ .Values.emailReports.summary.restartPolicy }}
|
restartPolicy: {{ .Values.emailReports.summary.restartPolicy }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ default .Chart.Name .Values.nameOverride }}
|
- name: policy-reporter
|
||||||
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
{{- if .Values.securityContext }}
|
{{- if .Values.securityContext }}
|
||||||
|
|
|
@ -51,7 +51,7 @@ spec:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
restartPolicy: {{ .Values.emailReports.violations.restartPolicy }}
|
restartPolicy: {{ .Values.emailReports.violations.restartPolicy }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ default .Chart.Name .Values.nameOverride }}
|
- name: policy-reporter
|
||||||
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
{{- if .Values.securityContext }}
|
{{- if .Values.securityContext }}
|
||||||
|
|
|
@ -12,9 +12,9 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
replicas: {{ .Values.replicaCount }}
|
replicas: {{ .Values.replicaCount }}
|
||||||
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
|
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
|
||||||
{{- if .Values.deploymentStrategy }}
|
{{- with .Values.plugin.kyverno.updateStrategy }}
|
||||||
strategy:
|
strategy:
|
||||||
{{- toYaml .Values.deploymentStrategy | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
|
@ -53,11 +53,11 @@ spec:
|
||||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ default .Chart.Name .Values.nameOverride }}
|
- name: policy-reporter
|
||||||
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
{{- if .Values.securityContext }}
|
{{- if .Values.securityContext }}
|
||||||
securityContext: {{ include "policyreporter.securityContext" . | nindent 12 }}
|
securityContext: {{- include "policyreporter.securityContext" . | nindent 12 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
args:
|
args:
|
||||||
- --port={{ .Values.port.number }}
|
- --port={{ .Values.port.number }}
|
||||||
|
@ -99,7 +99,7 @@ spec:
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: metadata.namespace
|
fieldPath: metadata.namespace
|
||||||
{{- if or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
|
{{- if gt (int .Values.replicaCount) 1 }}
|
||||||
- name: POD_NAME
|
- name: POD_NAME
|
||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
|
|
56
charts/policy-reporter/templates/monitoring/_helpers.tpl
Normal file
56
charts/policy-reporter/templates/monitoring/_helpers.tpl
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "monitoring.fullname" -}}
|
||||||
|
{{ template "policyreporter.fullname" . }}-monitoring
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "monitoring.name" -}}
|
||||||
|
{{ template "policyreporter.name" . }}-monitoring
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create chart name and version as used by the chart label.
|
||||||
|
*/}}
|
||||||
|
{{- define "monitoring.chart" -}}
|
||||||
|
{{ template "policyreporter.chart" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Common labels
|
||||||
|
*/}}
|
||||||
|
{{- define "monitoring.labels" -}}
|
||||||
|
helm.sh/chart: {{ include "monitoring.chart" . }}
|
||||||
|
{{ include "monitoring.selectorLabels" . }}
|
||||||
|
{{- if .Chart.AppVersion }}
|
||||||
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||||
|
{{- end }}
|
||||||
|
app.kubernetes.io/component: monitoring
|
||||||
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
app.kubernetes.io/part-of: kyverno
|
||||||
|
{{- with .Values.global.labels }}
|
||||||
|
{{ toYaml . }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Selector labels
|
||||||
|
*/}}
|
||||||
|
{{- define "monitoring.selectorLabels" -}}
|
||||||
|
app.kubernetes.io/name: {{ include "monitoring.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/* Get the namespace name. */}}
|
||||||
|
{{- define "monitoring.smNamespace" -}}
|
||||||
|
{{- if .Values.monitoring.serviceMonitor.namespace -}}
|
||||||
|
{{- .Values.monitoring.serviceMonitor.namespace -}}
|
||||||
|
{{- else if .Values.namespaceOverride -}}
|
||||||
|
{{- .Values.namespaceOverride -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- .Release.Namespace -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
19
charts/policy-reporter/templates/monitoring/auth-secret.yaml
Normal file
19
charts/policy-reporter/templates/monitoring/auth-secret.yaml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if and .Values.monitoring.enabled }}
|
||||||
|
{{- if and .Values.basicAuth.username .Values.basicAuth.password }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "monitoring.fullname" . }}-auth
|
||||||
|
namespace: {{ include "monitoring.smNamespace" . }}
|
||||||
|
{{- if .Values.monitoring.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml .Values.monitoring.annotations | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
username: {{ .Values.basicAuth.username | b64enc }}
|
||||||
|
password: {{ .Values.basicAuth.password | b64enc }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -1,11 +1,13 @@
|
||||||
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.clusterPolicyReportDetails }}
|
{{ $root := .Values.monitoring }}
|
||||||
{{- $filters := .Values.grafana.dashboards.labelFilter }}
|
|
||||||
{{- if and .Values.grafana.dashboards.multicluster.enabled .Values.grafana.dashboards.multicluster.label }}
|
{{- if and $root.grafana.dashboards.enabled $root.grafana.dashboards.enable.clusterPolicyReportDetails }}
|
||||||
{{- $filters = append $filters .Values.grafana.dashboards.multicluster.label }}
|
{{- $filters := $root.grafana.dashboards.labelFilter }}
|
||||||
|
{{- if and $root.grafana.dashboards.multicluster.enabled $root.grafana.dashboards.multicluster.label }}
|
||||||
|
{{- $filters = append $filters $root.grafana.dashboards.multicluster.label }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- $nsLabel := "exported_namespace" }}
|
{{- $nsLabel := "exported_namespace" }}
|
||||||
{{- if .Values.serviceMonitor.honorLabels }}
|
{{- if $root.serviceMonitor.honorLabels }}
|
||||||
{{- $nsLabel = "namespace" }}
|
{{- $nsLabel = "namespace" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
@ -13,14 +15,14 @@ apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
|
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
|
||||||
namespace: {{ include "monitoring.namespace" . }}
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
annotations:
|
annotations:
|
||||||
{{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }}
|
{{ $root.grafana.folder.annotation }}: {{ $root.grafana.folder.name }}
|
||||||
{{- with .Values.annotations }}
|
{{- with .Values.annotations }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
labels:
|
labels:
|
||||||
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
|
{{ $root.grafana.dashboards.label }}: {{ $root.grafana.dashboards.value | quote }}
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
data:
|
data:
|
||||||
cluster-policy-reporter-details-dashboard.json: |
|
cluster-policy-reporter-details-dashboard.json: |
|
||||||
|
@ -28,11 +30,11 @@ data:
|
||||||
"__inputs": [
|
"__inputs": [
|
||||||
{
|
{
|
||||||
"name": "DS_PROMETHEUS",
|
"name": "DS_PROMETHEUS",
|
||||||
"label": "{{ .Values.grafana.datasource.label }}",
|
"label": "{{ $root.grafana.datasource.label }}",
|
||||||
"description": "",
|
"description": "",
|
||||||
"type": "datasource",
|
"type": "datasource",
|
||||||
"pluginId": "{{ .Values.grafana.datasource.pluginId }}",
|
"pluginId": "{{ $root.grafana.datasource.pluginId }}",
|
||||||
"pluginName": "{{ .Values.grafana.datasource.pluginName }}"
|
"pluginName": "{{ $root.grafana.datasource.pluginName }}"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"__requires": [
|
"__requires": [
|
||||||
|
@ -101,7 +103,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
|
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
|
||||||
"w": 6,
|
"w": 6,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -124,7 +126,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "",
|
"legendFormat": "",
|
||||||
|
@ -158,7 +160,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
|
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
|
||||||
"w": 6,
|
"w": 6,
|
||||||
"x": 6,
|
"x": 6,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -181,7 +183,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "",
|
"legendFormat": "",
|
||||||
|
@ -215,7 +217,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
|
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
|
||||||
"w": 6,
|
"w": 6,
|
||||||
"x": 12,
|
"x": 12,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -238,7 +240,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "",
|
"legendFormat": "",
|
||||||
|
@ -272,7 +274,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
|
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
|
||||||
"w": 6,
|
"w": 6,
|
||||||
"x": 18,
|
"x": 18,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -295,7 +297,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "",
|
"legendFormat": "",
|
||||||
|
@ -307,7 +309,7 @@ data:
|
||||||
"title": "Policy Error Status",
|
"title": "Policy Error Status",
|
||||||
"type": "stat"
|
"type": "stat"
|
||||||
}
|
}
|
||||||
{{- if .Values.clusterPolicyReportDetails.statusTimeline.enabled }}
|
{{- if $root.clusterPolicyReportDetails.statusTimeline.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": {
|
"datasource": {
|
||||||
"uid": "${DS_PROMETHEUS}",
|
"uid": "${DS_PROMETHEUS}",
|
||||||
|
@ -412,7 +414,7 @@ data:
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.statusTimeline.height }},
|
"h": {{ $root.clusterPolicyReportDetails.statusTimeline.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 6
|
"y": 6
|
||||||
|
@ -421,7 +423,7 @@ data:
|
||||||
"pluginVersion": "10.4.1",
|
"pluginVersion": "10.4.1",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status)",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, pod)) by (status)",
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{`{{ status }}`}}",
|
"legendFormat": "{{`{{ status }}`}}",
|
||||||
"refId": "A",
|
"refId": "A",
|
||||||
|
@ -451,7 +453,7 @@ data:
|
||||||
"timeShift": null
|
"timeShift": null
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.clusterPolicyReportDetails.passTable.enabled }}
|
{{- if $root.clusterPolicyReportDetails.passTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -477,7 +479,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.passTable.height }},
|
"h": {{ $root.clusterPolicyReportDetails.passTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 15
|
"y": 15
|
||||||
|
@ -489,7 +491,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", kind=~\"$kind\", source=~\"$source\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", kind=~\"$kind\", source=~\"$source\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod,policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -506,7 +508,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
|
@ -530,7 +531,7 @@ data:
|
||||||
"type": "table"
|
"type": "table"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.clusterPolicyReportDetails.failTable.enabled }}
|
{{- if $root.clusterPolicyReportDetails.failTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -556,7 +557,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.failTable.height }},
|
"h": {{ $root.clusterPolicyReportDetails.failTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 23
|
"y": 23
|
||||||
|
@ -568,7 +569,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod, policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -585,7 +586,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
|
@ -609,7 +609,7 @@ data:
|
||||||
"type": "table"
|
"type": "table"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.clusterPolicyReportDetails.warningTable.enabled }}
|
{{- if $root.clusterPolicyReportDetails.warningTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -632,7 +632,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.warningTable.height }},
|
"h": {{ $root.clusterPolicyReportDetails.warningTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 31
|
"y": 31
|
||||||
|
@ -644,7 +644,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }} )",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod,policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -661,7 +661,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
|
@ -685,7 +684,7 @@ data:
|
||||||
"type": "table"
|
"type": "table"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.clusterPolicyReportDetails.errorTable.enabled }}
|
{{- if $root.clusterPolicyReportDetails.errorTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -708,7 +707,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.clusterPolicyReportDetails.errorTable.height }},
|
"h": {{ $root.clusterPolicyReportDetails.errorTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 36
|
"y": 36
|
||||||
|
@ -720,7 +719,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod, policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -737,7 +736,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if and .Values.monitoring.grafana.dashboards.enabled .Values.monitoring.grafana.dashboards.enable.clusterPolicyReportDetails .Values.monitoring.grafana.grafanaDashboard.enabled }}
|
||||||
|
apiVersion: grafana.integreatly.org/v1beta1
|
||||||
|
kind: GrafanaDashboard
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ .Values.monitoring.grafana.dashboards.label }}: {{ .Values.monitoring.grafana.dashboards.value | quote }}
|
||||||
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
spec:
|
||||||
|
allowCrossNamespaceImport: {{ .Values.monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport }}
|
||||||
|
folder: {{ .Values.monitoring.grafana.grafanaDashboard.folder }}
|
||||||
|
instanceSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- toYaml .Values.monitoring.grafana.grafanaDashboard.matchLabels | nindent 6 }}
|
||||||
|
configMapRef:
|
||||||
|
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
|
||||||
|
key: cluster-policy-reporter-details-dashboard.json
|
||||||
|
{{- end }}
|
|
@ -1,11 +1,13 @@
|
||||||
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.overview }}
|
{{ $root := .Values.monitoring }}
|
||||||
{{- $filters := .Values.grafana.dashboards.labelFilter }}
|
|
||||||
{{- if and .Values.grafana.dashboards.multicluster.enabled .Values.grafana.dashboards.multicluster.label }}
|
{{- if and $root.grafana.dashboards.enabled $root.grafana.dashboards.enable.overview }}
|
||||||
{{- $filters = append $filters .Values.grafana.dashboards.multicluster.label }}
|
{{- $filters := $root.grafana.dashboards.labelFilter }}
|
||||||
|
{{- if and $root.grafana.dashboards.multicluster.enabled $root.grafana.dashboards.multicluster.label }}
|
||||||
|
{{- $filters = append $filters $root.grafana.dashboards.multicluster.label }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- $nsLabel := "exported_namespace" }}
|
{{- $nsLabel := "exported_namespace" }}
|
||||||
{{- if .Values.serviceMonitor.honorLabels }}
|
{{- if $root.serviceMonitor.honorLabels }}
|
||||||
{{- $nsLabel = "namespace" }}
|
{{- $nsLabel = "namespace" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
@ -13,15 +15,15 @@ apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "monitoring.fullname" . }}-overview-dashboard
|
name: {{ include "monitoring.fullname" . }}-overview-dashboard
|
||||||
namespace: {{ include "monitoring.namespace" . }}
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
annotations:
|
annotations:
|
||||||
{{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }}
|
{{ $root.grafana.folder.annotation }}: {{ $root.grafana.folder.name }}
|
||||||
{{- with .Values.annotations }}
|
{{- with .Values.annotations }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
labels:
|
labels:
|
||||||
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
|
{{ $root.grafana.dashboards.label }}: {{ $root.grafana.dashboards.value | quote }}
|
||||||
{{- with .Values.serviceMonitor.labels }}
|
{{- with $root.serviceMonitor.labels }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
|
@ -31,11 +33,11 @@ data:
|
||||||
"__inputs": [
|
"__inputs": [
|
||||||
{
|
{
|
||||||
"name": "DS_PROMETHEUS",
|
"name": "DS_PROMETHEUS",
|
||||||
"label": "{{ .Values.grafana.datasource.label }}",
|
"label": "{{ $root.grafana.datasource.label }}",
|
||||||
"description": "",
|
"description": "",
|
||||||
"type": "datasource",
|
"type": "datasource",
|
||||||
"pluginId": "{{ .Values.grafana.datasource.pluginId }}",
|
"pluginId": "{{ $root.grafana.datasource.pluginId }}",
|
||||||
"pluginName": "{{ .Values.grafana.datasource.pluginName }}"
|
"pluginName": "{{ $root.grafana.datasource.pluginName }}"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"__requires": [
|
"__requires": [
|
||||||
|
@ -94,7 +96,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportOverview.failingSummaryRow.height }},
|
"h": {{ $root.policyReportOverview.failingSummaryRow.height }},
|
||||||
"w": 15,
|
"w": 15,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -115,7 +117,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
||||||
|
@ -153,7 +155,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportOverview.failingSummaryRow.height }},
|
"h": {{ $root.policyReportOverview.failingSummaryRow.height }},
|
||||||
"w": 9,
|
"w": 9,
|
||||||
"x": 15,
|
"x": 15,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -176,7 +178,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status)",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, pod)) by (status)",
|
||||||
"format": "time_series",
|
"format": "time_series",
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"intervalFactor": 1,
|
"intervalFactor": 1,
|
||||||
|
@ -292,7 +294,7 @@ data:
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportOverview.failingTimeline.height }},
|
"h": {{ $root.policyReportOverview.failingTimeline.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 8
|
"y": 8
|
||||||
|
@ -301,7 +303,7 @@ data:
|
||||||
"pluginVersion": "10.4.1",
|
"pluginVersion": "10.4.1",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy)",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy, pod)) by (policy)",
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{`{{ policy }}`}}",
|
"legendFormat": "{{`{{ policy }}`}}",
|
||||||
"refId": "A",
|
"refId": "A",
|
||||||
|
@ -310,7 +312,7 @@ data:
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy)",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy, pod)) by (policy)",
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{`{{ policy }}`}}",
|
"legendFormat": "{{`{{ policy }}`}}",
|
||||||
"refId": "B",
|
"refId": "B",
|
||||||
|
@ -363,7 +365,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportOverview.failingPolicyRuleTable.height }},
|
"h": {{ $root.policyReportOverview.failingPolicyRuleTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 18
|
"y": 18
|
||||||
|
@ -375,7 +377,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod,{{ $nsLabel }},policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -391,8 +393,7 @@ data:
|
||||||
"id": "organize",
|
"id": "organize",
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true
|
||||||
"Value": true
|
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
"source": 0,
|
"source": 0,
|
||||||
|
@ -403,7 +404,8 @@ data:
|
||||||
"name": 5,
|
"name": 5,
|
||||||
"policy": 6,
|
"policy": 6,
|
||||||
"rule": 7,
|
"rule": 7,
|
||||||
"status": 8
|
"status": 8,
|
||||||
|
"Value": 9
|
||||||
},
|
},
|
||||||
"renameByName": {
|
"renameByName": {
|
||||||
"{{ $nsLabel }}": "namespace"
|
"{{ $nsLabel }}": "namespace"
|
||||||
|
@ -438,7 +440,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportOverview.failingClusterPolicyRuleTable.height }},
|
"h": {{ $root.policyReportOverview.failingClusterPolicyRuleTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 28
|
"y": 28
|
||||||
|
@ -450,7 +452,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
|
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })by (pod,policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -467,7 +469,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"__name__": true,
|
"__name__": true,
|
||||||
"endpoint": true,
|
"endpoint": true,
|
||||||
"instance": true,
|
"instance": true,
|
||||||
|
@ -486,7 +487,8 @@ data:
|
||||||
"name": 4,
|
"name": 4,
|
||||||
"policy": 5,
|
"policy": 5,
|
||||||
"rule": 6,
|
"rule": 6,
|
||||||
"status": 7
|
"status": 7,
|
||||||
|
"Value": 8
|
||||||
},
|
},
|
||||||
"renameByName": {}
|
"renameByName": {}
|
||||||
}
|
}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if and .Values.monitoring.grafana.dashboards.enabled .Values.monitoring.grafana.dashboards.enable.overview .Values.monitoring.grafana.grafanaDashboard.enabled }}
|
||||||
|
apiVersion: grafana.integreatly.org/v1beta1
|
||||||
|
kind: GrafanaDashboard
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ .Values.monitoring.grafana.dashboards.label }}: {{ .Values.monitoring.grafana.dashboards.value | quote }}
|
||||||
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "monitoring.fullname" . }}-overview-dashboard
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
spec:
|
||||||
|
allowCrossNamespaceImport: {{ .Values.monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport }}
|
||||||
|
folder: {{ .Values.monitoring.grafana.grafanaDashboard.folder }}
|
||||||
|
instanceSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- toYaml .Values.monitoring.grafana.grafanaDashboard.matchLabels | nindent 6 }}
|
||||||
|
configMapRef:
|
||||||
|
name: {{ include "monitoring.fullname" . }}-overview-dashboard
|
||||||
|
key: policy-reporter-dashboard.json
|
||||||
|
{{- end }}
|
|
@ -1,11 +1,13 @@
|
||||||
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.policyReportDetails }}
|
{{ $root := .Values.monitoring }}
|
||||||
{{- $filters := .Values.grafana.dashboards.labelFilter }}
|
|
||||||
{{- if and .Values.grafana.dashboards.multicluster.enabled .Values.grafana.dashboards.multicluster.label }}
|
{{- if and $root.grafana.dashboards.enabled $root.grafana.dashboards.enable.policyReportDetails }}
|
||||||
{{- $filters = append $filters .Values.grafana.dashboards.multicluster.label }}
|
{{- $filters := $root.grafana.dashboards.labelFilter }}
|
||||||
|
{{- if and $root.grafana.dashboards.multicluster.enabled $root.grafana.dashboards.multicluster.label }}
|
||||||
|
{{- $filters = append $filters $root.grafana.dashboards.multicluster.label }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
{{- $nsLabel := "exported_namespace" }}
|
{{- $nsLabel := "exported_namespace" }}
|
||||||
{{- if .Values.serviceMonitor.honorLabels }}
|
{{- if $root.serviceMonitor.honorLabels }}
|
||||||
{{- $nsLabel = "namespace" }}
|
{{- $nsLabel = "namespace" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
@ -13,15 +15,15 @@ apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
|
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
|
||||||
namespace: {{ include "monitoring.namespace" . }}
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
annotations:
|
annotations:
|
||||||
{{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }}
|
{{ $root.grafana.folder.annotation }}: {{ $root.grafana.folder.name }}
|
||||||
{{- with .Values.annotations }}
|
{{- with .Values.annotations }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
labels:
|
labels:
|
||||||
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
|
{{ $root.grafana.dashboards.label }}: {{ $root.grafana.dashboards.value | quote }}
|
||||||
{{- with .Values.serviceMonitor.labels }}
|
{{- with $root.serviceMonitor.labels }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
|
@ -31,11 +33,11 @@ data:
|
||||||
"__inputs": [
|
"__inputs": [
|
||||||
{
|
{
|
||||||
"name": "DS_PROMETHEUS",
|
"name": "DS_PROMETHEUS",
|
||||||
"label": "{{ .Values.grafana.datasource.label }}",
|
"label": "{{ $root.grafana.datasource.label }}",
|
||||||
"description": "",
|
"description": "",
|
||||||
"type": "datasource",
|
"type": "datasource",
|
||||||
"pluginId": "{{ .Values.grafana.datasource.pluginId }}",
|
"pluginId": "{{ $root.grafana.datasource.pluginId }}",
|
||||||
"pluginName": "{{ .Values.grafana.datasource.pluginName }}"
|
"pluginName": "{{ $root.grafana.datasource.pluginName }}"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"__requires": [
|
"__requires": [
|
||||||
|
@ -104,7 +106,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.firstStatusRow.height }},
|
"h": {{ $root.policyReportDetails.firstStatusRow.height }},
|
||||||
"w": 12,
|
"w": 12,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -125,7 +127,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
||||||
|
@ -159,7 +161,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.firstStatusRow.height }},
|
"h": {{ $root.policyReportDetails.firstStatusRow.height }},
|
||||||
"w": 12,
|
"w": 12,
|
||||||
"x": 12,
|
"x": 12,
|
||||||
"y": 0
|
"y": 0
|
||||||
|
@ -180,7 +182,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
||||||
|
@ -192,7 +194,7 @@ data:
|
||||||
"title": "Policy Fail Status",
|
"title": "Policy Fail Status",
|
||||||
"type": "bargauge"
|
"type": "bargauge"
|
||||||
}
|
}
|
||||||
{{- if .Values.policyReportDetails.secondStatusRow.enabled }}
|
{{- if $root.policyReportDetails.secondStatusRow.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -215,7 +217,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.secondStatusRow.height }},
|
"h": {{ $root.policyReportDetails.secondStatusRow.height }},
|
||||||
"w": 12,
|
"w": 12,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 7
|
"y": 7
|
||||||
|
@ -236,7 +238,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
||||||
|
@ -270,7 +272,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.secondStatusRow.height }},
|
"h": {{ $root.policyReportDetails.secondStatusRow.height }},
|
||||||
"w": 12,
|
"w": 12,
|
||||||
"x": 12,
|
"x": 12,
|
||||||
"y": 7
|
"y": 7
|
||||||
|
@ -291,7 +293,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
|
||||||
|
@ -304,7 +306,7 @@ data:
|
||||||
"type": "bargauge"
|
"type": "bargauge"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.policyReportDetails.statusTimeline.enabled }}
|
{{- if $root.policyReportDetails.statusTimeline.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": {
|
"datasource": {
|
||||||
"uid": "${DS_PROMETHEUS}"
|
"uid": "${DS_PROMETHEUS}"
|
||||||
|
@ -408,7 +410,7 @@ data:
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.statusTimeline.height }},
|
"h": {{ $root.policyReportDetails.statusTimeline.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 10
|
"y": 10
|
||||||
|
@ -417,7 +419,7 @@ data:
|
||||||
"pluginVersion": "10.4.1",
|
"pluginVersion": "10.4.1",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, {{ $nsLabel }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, pod, {{ $nsLabel }})) by (status, {{ $nsLabel }})",
|
||||||
"interval": "",
|
"interval": "",
|
||||||
"legendFormat": "{{ printf `{{%s}}` $nsLabel }} {{`{{ status }}`}}",
|
"legendFormat": "{{ printf `{{%s}}` $nsLabel }} {{`{{ status }}`}}",
|
||||||
"refId": "A",
|
"refId": "A",
|
||||||
|
@ -446,7 +448,7 @@ data:
|
||||||
"timeShift": null
|
"timeShift": null
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.policyReportDetails.passTable.enabled }}
|
{{- if $root.policyReportDetails.passTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -472,7 +474,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.passTable.height }},
|
"h": {{ $root.policyReportDetails.passTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 19
|
"y": 19
|
||||||
|
@ -484,7 +486,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -501,7 +503,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
|
@ -526,7 +527,7 @@ data:
|
||||||
"type": "table"
|
"type": "table"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.policyReportDetails.failTable.enabled }}
|
{{- if $root.policyReportDetails.failTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -552,7 +553,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.failTable.height }},
|
"h": {{ $root.policyReportDetails.failTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 27
|
"y": 27
|
||||||
|
@ -564,7 +565,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -581,7 +582,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
|
@ -606,7 +606,7 @@ data:
|
||||||
"type": "table"
|
"type": "table"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.policyReportDetails.warningTable.enabled }}
|
{{- if $root.policyReportDetails.warningTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -629,7 +629,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.warningTable.height }},
|
"h": {{ $root.policyReportDetails.warningTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 35
|
"y": 35
|
||||||
|
@ -641,7 +641,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -658,7 +658,6 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
|
@ -683,7 +682,7 @@ data:
|
||||||
"type": "table"
|
"type": "table"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.policyReportDetails.errorTable.enabled }}
|
{{- if $root.policyReportDetails.errorTable.enabled }}
|
||||||
,{
|
,{
|
||||||
"datasource": "${DS_PROMETHEUS}",
|
"datasource": "${DS_PROMETHEUS}",
|
||||||
"fieldConfig": {
|
"fieldConfig": {
|
||||||
|
@ -706,7 +705,7 @@ data:
|
||||||
"overrides": []
|
"overrides": []
|
||||||
},
|
},
|
||||||
"gridPos": {
|
"gridPos": {
|
||||||
"h": {{ .Values.policyReportDetails.errorTable.height }},
|
"h": {{ $root.policyReportDetails.errorTable.height }},
|
||||||
"w": 24,
|
"w": 24,
|
||||||
"x": 0,
|
"x": 0,
|
||||||
"y": 40
|
"y": 40
|
||||||
|
@ -718,7 +717,7 @@ data:
|
||||||
"pluginVersion": "7.1.5",
|
"pluginVersion": "7.1.5",
|
||||||
"targets": [
|
"targets": [
|
||||||
{
|
{
|
||||||
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
|
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
|
||||||
"format": "table",
|
"format": "table",
|
||||||
"instant": true,
|
"instant": true,
|
||||||
"interval": "",
|
"interval": "",
|
||||||
|
@ -735,12 +734,10 @@ data:
|
||||||
"options": {
|
"options": {
|
||||||
"excludeByName": {
|
"excludeByName": {
|
||||||
"Time": true,
|
"Time": true,
|
||||||
"Value": true,
|
|
||||||
"status": false
|
"status": false
|
||||||
},
|
},
|
||||||
"indexByName": {
|
"indexByName": {
|
||||||
"Time": 0,
|
"Time": 0,
|
||||||
"Value": 9,
|
|
||||||
"category": 1,
|
"category": 1,
|
||||||
"{{ $nsLabel }}": 3,
|
"{{ $nsLabel }}": 3,
|
||||||
"kind": 4,
|
"kind": 4,
|
||||||
|
@ -748,7 +745,8 @@ data:
|
||||||
"policy": 6,
|
"policy": 6,
|
||||||
"rule": 7,
|
"rule": 7,
|
||||||
"severity": 2,
|
"severity": 2,
|
||||||
"status": 8
|
"status": 8,
|
||||||
|
"Value": 9
|
||||||
},
|
},
|
||||||
"renameByName": {
|
"renameByName": {
|
||||||
"{{ $nsLabel }}": "namespace"
|
"{{ $nsLabel }}": "namespace"
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if and .Values.monitoring.grafana.dashboards.enabled .Values.monitoring.grafana.dashboards.enable.policyReportDetails .Values.monitoring.grafana.grafanaDashboard.enabled }}
|
||||||
|
apiVersion: grafana.integreatly.org/v1beta1
|
||||||
|
kind: GrafanaDashboard
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{ .Values.monitoring.grafana.dashboards.label }}: {{ .Values.monitoring.grafana.dashboards.value | quote }}
|
||||||
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
spec:
|
||||||
|
allowCrossNamespaceImport: {{ .Values.monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport }}
|
||||||
|
folder: {{ .Values.monitoring.grafana.grafanaDashboard.folder }}
|
||||||
|
instanceSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- toYaml .Values.monitoring.grafana.grafanaDashboard.matchLabels | nindent 6 }}
|
||||||
|
configMapRef:
|
||||||
|
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
|
||||||
|
key: policy-reporter-details-dashboard.json
|
||||||
|
{{- end }}
|
|
@ -1,28 +1,29 @@
|
||||||
|
{{- if and .Values.monitoring.enabled }}
|
||||||
apiVersion: monitoring.coreos.com/v1
|
apiVersion: monitoring.coreos.com/v1
|
||||||
kind: ServiceMonitor
|
kind: ServiceMonitor
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "monitoring.fullname" . }}
|
name: {{ include "monitoring.fullname" . }}
|
||||||
namespace: {{ include "monitoring.smNamespace" . }}
|
namespace: {{ include "monitoring.smNamespace" . }}
|
||||||
{{- if .Values.annotations }}
|
{{- if .Values.monitoring.annotations }}
|
||||||
annotations:
|
annotations:
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
{{- toYaml .Values.monitoring.annotations | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
labels:
|
labels:
|
||||||
{{- include "monitoring.labels" . | nindent 4 }}
|
{{- include "monitoring.labels" . | nindent 4 }}
|
||||||
{{- with .Values.serviceMonitor.labels }}
|
{{- with .Values.monitoring.serviceMonitor.labels }}
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
{{- include "policyreporter.selectorLabels" . | nindent 8 }}
|
{{- include "policyreporter.selectorLabels" . | nindent 8 }}
|
||||||
{{- with .Values.serviceMonitor.namespaceSelector }}
|
{{- with .Values.monitoring.serviceMonitor.namespaceSelector }}
|
||||||
namespaceSelector:
|
namespaceSelector:
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
endpoints:
|
endpoints:
|
||||||
- port: http
|
- port: http
|
||||||
{{- if and .Values.global.basicAuth.username .Values.global.basicAuth.password }}
|
{{- if and .Values.basicAuth.username .Values.basicAuth.password }}
|
||||||
basicAuth:
|
basicAuth:
|
||||||
password:
|
password:
|
||||||
name: {{ include "monitoring.fullname" . }}-auth
|
name: {{ include "monitoring.fullname" . }}-auth
|
||||||
|
@ -30,32 +31,28 @@ spec:
|
||||||
username:
|
username:
|
||||||
name: {{ include "monitoring.fullname" . }}-auth
|
name: {{ include "monitoring.fullname" . }}-auth
|
||||||
key: username
|
key: username
|
||||||
{{- else if .Values.global.basicAuth.secretRef }}
|
{{- else if .Values.basicAuth.secretRef }}
|
||||||
basicAuth:
|
basicAuth:
|
||||||
password:
|
password:
|
||||||
name: {{ .Values.global.basicAuth.secretRef }}
|
name: {{ .Values.basicAuth.secretRef }}
|
||||||
key: password
|
key: password
|
||||||
username:
|
username:
|
||||||
name: {{ .Values.global.basicAuth.secretRef }}
|
name: {{ .Values.basicAuth.secretRef }}
|
||||||
key: username
|
key: username
|
||||||
{{- end }}
|
{{- end }}
|
||||||
honorLabels: {{ .Values.serviceMonitor.honorLabels }}
|
honorLabels: {{ .Values.monitoring.serviceMonitor.honorLabels }}
|
||||||
{{- if .Values.serviceMonitor.scrapeTimeout }}
|
{{- if .Values.monitoring.serviceMonitor.scrapeTimeout }}
|
||||||
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
|
scrapeTimeout: {{ .Values.monitoring.serviceMonitor.scrapeTimeout }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.serviceMonitor.interval }}
|
{{- if .Values.monitoring.serviceMonitor.interval }}
|
||||||
interval: {{ .Values.serviceMonitor.interval }}
|
interval: {{ .Values.monitoring.serviceMonitor.interval }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- with .Values.monitoring.serviceMonitor.relabelings }}
|
||||||
relabelings:
|
relabelings:
|
||||||
- action: labeldrop
|
|
||||||
regex: pod|service|container
|
|
||||||
- targetLabel: instance
|
|
||||||
replacement: policy-reporter
|
|
||||||
action: replace
|
|
||||||
{{- with .Values.serviceMonitor.relabelings }}
|
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with .Values.serviceMonitor.metricRelabelings }}
|
{{- with .Values.monitoring.serviceMonitor.metricRelabelings }}
|
||||||
metricRelabelings:
|
metricRelabelings:
|
||||||
{{- toYaml . | nindent 4 }}
|
{{- toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -22,21 +22,21 @@ spec:
|
||||||
matchLabels: {{- include "ui.selectorLabels" . | nindent 10 }}
|
matchLabels: {{- include "ui.selectorLabels" . | nindent 10 }}
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: TCP
|
||||||
port: 8080
|
port: {{ .Values.ui.service.port }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.plugin.trivy.enabled }}
|
||||||
|
- from:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels: {{- include "trivy-plugin.selectorLabels" . | nindent 10 }}
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: {{ .Values.plugin.trivy.service.port }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with .Values.networkPolicy.ingress }}
|
{{- with .Values.networkPolicy.ingress }}
|
||||||
{{- toYaml . | nindent 2 }}
|
{{- toYaml . | nindent 2 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
egress:
|
|
||||||
{{- if .Values.ui.enabled }}
|
|
||||||
- to:
|
|
||||||
- podSelector:
|
|
||||||
matchLabels: {{- include "ui.selectorLabels" . | nindent 10 }}
|
|
||||||
ports:
|
|
||||||
- protocol: TCP
|
|
||||||
port: {{ .Values.ui.service.port }}
|
|
||||||
{{- end }}
|
|
||||||
{{- with .Values.networkPolicy.egress }}
|
{{- with .Values.networkPolicy.egress }}
|
||||||
|
egress:
|
||||||
{{- toYaml . | nindent 2 }}
|
{{- toYaml . | nindent 2 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
@ -0,0 +1,68 @@
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
*/}}
|
||||||
|
{{- define "kyverno-plugin.name" -}}
|
||||||
|
{{ template "policyreporter.name" . }}-kyverno-plugin
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "kyverno-plugin.fullname" -}}
|
||||||
|
{{ template "policyreporter.fullname" . }}-kyverno-plugin
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create chart name and version as used by the chart label.
|
||||||
|
*/}}
|
||||||
|
{{- define "kyverno-plugin.chart" -}}
|
||||||
|
{{ template "policyreporter.chart" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Common labels
|
||||||
|
*/}}
|
||||||
|
{{- define "kyverno-plugin.labels" -}}
|
||||||
|
helm.sh/chart: {{ include "kyverno-plugin.chart" . }}
|
||||||
|
{{ include "kyverno-plugin.selectorLabels" . }}
|
||||||
|
{{- if .Chart.AppVersion }}
|
||||||
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||||
|
{{- end }}
|
||||||
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
{{- with .Values.global.labels }}
|
||||||
|
{{ toYaml . }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Selector labels
|
||||||
|
*/}}
|
||||||
|
{{- define "kyverno-plugin.selectorLabels" -}}
|
||||||
|
app.kubernetes.io/name: {{ include "kyverno-plugin.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the name of the service account to use
|
||||||
|
*/}}
|
||||||
|
{{- define "kyverno-plugin.serviceAccountName" -}}
|
||||||
|
{{- if .Values.plugin.kyverno.serviceAccount.create }}
|
||||||
|
{{- default (include "kyverno-plugin.fullname" .) .Values.plugin.kyverno.serviceAccount.name }}
|
||||||
|
{{- else }}
|
||||||
|
{{- default "default" .Values.plugin.kyverno.serviceAccount.name }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "kyverno-plugin.podDisruptionBudget" -}}
|
||||||
|
{{- if and .Values.plugin.kyverno.podDisruptionBudget.minAvailable .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
|
||||||
|
{{- fail "Cannot set both" -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
|
||||||
|
minAvailable: {{ default 1 .Values.plugin.kyverno.podDisruptionBudget.minAvailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
|
||||||
|
maxUnavailable: {{ .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -1,15 +1,12 @@
|
||||||
{{- if .Values.rbac.enabled -}}
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if .Values.plugin.kyverno.rbac.enabled -}}
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
{{- if .Values.annotations }}
|
|
||||||
annotations:
|
|
||||||
{{- toYaml .Values.annotations | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
labels:
|
labels:
|
||||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
{{- include "kyvernoplugin.labels" . | nindent 4 }}
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
name: {{ include "kyvernoplugin.fullname" . }}
|
name: {{ include "kyverno-plugin.fullname" . }}
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- '*'
|
- '*'
|
||||||
|
@ -21,8 +18,7 @@ rules:
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
- watch
|
{{- if .Values.plugin.kyverno.blockReports.enabled }}
|
||||||
{{- if .Values.blockReports.enabled }}
|
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ""
|
- ""
|
||||||
resources:
|
resources:
|
||||||
|
@ -44,14 +40,6 @@ rules:
|
||||||
- create
|
- create
|
||||||
- update
|
- update
|
||||||
- delete
|
- delete
|
||||||
{{- else }}
|
|
||||||
- apiGroups:
|
|
||||||
- '*'
|
|
||||||
resources:
|
|
||||||
- policyreports
|
|
||||||
- clusterpolicyreports
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end -}}
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
subjects:
|
||||||
|
- kind: "ServiceAccount"
|
||||||
|
name: {{ include "kyverno-plugin.serviceAccountName" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,12 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}-config
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
config.yaml: {{ tpl (.Files.Get "configs/kyverno-plugin.tmpl") . | b64enc }}
|
||||||
|
{{- end }}
|
103
charts/policy-reporter/templates/plugins/kyverno/deployment.yaml
Normal file
103
charts/policy-reporter/templates/plugins/kyverno/deployment.yaml
Normal file
|
@ -0,0 +1,103 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.plugin.kyverno.replicaCount }}
|
||||||
|
revisionHistoryLimit: {{ .Values.plugin.kyverno.revisionHistoryLimit }}
|
||||||
|
{{- with .Values.plugin.kyverno.updateStrategy }}
|
||||||
|
strategy:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{- include "kyverno-plugin.selectorLabels" . | nindent 6 }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
checksum/secret: {{ include (print .Template.BasePath "/plugins/kyverno/config-secret.yaml") . | sha256sum | quote }}
|
||||||
|
{{- with .Values.plugin.kyverno.podAnnotations }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 8 }}
|
||||||
|
{{- with .Values.plugin.kyverno.podLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- with .Values.plugin.kyverno.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ include "kyverno-plugin.serviceAccountName" . }}
|
||||||
|
{{- if .Values.plugin.kyverno.podSecurityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.plugin.kyverno.podSecurityContext | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: policy-reporter-kyverno-plugin
|
||||||
|
{{- if .Values.plugin.kyverno.securityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.plugin.kyverno.securityContext | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
image: "{{ .Values.plugin.kyverno.image.registry }}/{{ .Values.plugin.kyverno.image.repository }}:{{ .Values.plugin.kyverno.image.tag }}"
|
||||||
|
imagePullPolicy: {{ .Values.plugin.kyverno.image.pullPolicy }}
|
||||||
|
args:
|
||||||
|
- run
|
||||||
|
- --config=/app/config.yaml
|
||||||
|
- --port={{ .Values.plugin.kyverno.server.port }}
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: {{ .Values.plugin.kyverno.server.port }}
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /api/v1/policies
|
||||||
|
port: http
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /api/v1/policies
|
||||||
|
port: http
|
||||||
|
resources:
|
||||||
|
{{- toYaml .Values.plugin.kyverno.resources | nindent 12 }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: config-file
|
||||||
|
mountPath: /app/config.yaml
|
||||||
|
subPath: config.yaml
|
||||||
|
readOnly: true
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
{{- if gt (int .Values.plugin.kyverno.replicaCount) 1 }}
|
||||||
|
- name: POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.kyverno.envVars }}
|
||||||
|
{{- . | toYaml | trim | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
- name: config-file
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "kyverno-plugin.fullname" . }}-config
|
||||||
|
optional: true
|
||||||
|
{{- with .Values.plugin.kyverno.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.kyverno.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.kyverno.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,61 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if .Values.plugin.kyverno.ingress.enabled -}}
|
||||||
|
{{- $fullName := include "kyverno-plugin.fullname" . -}}
|
||||||
|
{{- $svcPort := .Values.plugin.kyverno.service.port -}}
|
||||||
|
{{- if and .Values.plugin.kyverno.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
|
||||||
|
{{- if not (hasKey .Values.plugin.kyverno.ingress.annotations "kubernetes.io/ingress.class") }}
|
||||||
|
{{- $_ := set .Values.plugin.kyverno.ingress.annotations "kubernetes.io/ingress.class" .Values.plugin.kyverno.ingress.className}}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||||
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
|
{{- else -}}
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
{{- end }}
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: {{ $fullName }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.plugin.kyverno.ingress.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.kyverno.ingress.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if and .Values.plugin.kyverno.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||||
|
ingressClassName: {{ .Values.plugin.kyverno.ingress.className }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.plugin.kyverno.ingress.tls }}
|
||||||
|
tls:
|
||||||
|
{{- toYaml .Values.plugin.kyverno.ingress.tls | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
{{- range .Values.plugin.kyverno.ingress.hosts }}
|
||||||
|
- host: {{ .host | quote }}
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
{{- range .paths }}
|
||||||
|
- path: {{ .path }}
|
||||||
|
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
|
||||||
|
pathType: {{ .pathType }}
|
||||||
|
{{- end }}
|
||||||
|
backend:
|
||||||
|
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
|
||||||
|
service:
|
||||||
|
name: {{ $fullName }}
|
||||||
|
port:
|
||||||
|
number: {{ $svcPort }}
|
||||||
|
{{- else }}
|
||||||
|
serviceName: {{ $fullName }}
|
||||||
|
servicePort: {{ $svcPort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,24 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if .Values.plugin.kyverno.networkPolicy.enabled }}
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
labels: {{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels: {{- include "kyverno-plugin.selectorLabels" . | nindent 6 }}
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
{{- with .Values.plugin.kyverno.networkPolicy.ingress }}
|
||||||
|
ingress:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.kyverno.networkPolicy.egress }}
|
||||||
|
egress:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if (gt (int .Values.plugin.kyverno.replicaCount) 1) }}
|
||||||
|
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
|
||||||
|
apiVersion: policy/v1
|
||||||
|
{{- else }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
{{- end }}
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
{{- include "kyverno-plugin.podDisruptionBudget" . | indent 2 }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{- include "kyverno-plugin.selectorLabels" . | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
22
charts/policy-reporter/templates/plugins/kyverno/role.yaml
Normal file
22
charts/policy-reporter/templates/plugins/kyverno/role.yaml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1)) -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}-leaderelection
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- coordination.k8s.io
|
||||||
|
resources:
|
||||||
|
- leases
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1)) -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}-leaderelection
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}-leaderelection
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
subjects:
|
||||||
|
- kind: "ServiceAccount"
|
||||||
|
name: {{ include "kyverno-plugin.serviceAccountName" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,17 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}-secret-reader
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['']
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}-secret-reader
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}-secret-reader
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
subjects:
|
||||||
|
- kind: "ServiceAccount"
|
||||||
|
name: {{ include "kyverno-plugin.serviceAccountName" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,25 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.fullname" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.plugin.kyverno.service.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.kyverno.service.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: {{ .Values.plugin.kyverno.service.type }}
|
||||||
|
ports:
|
||||||
|
- port: {{ .Values.plugin.kyverno.service.port }}
|
||||||
|
targetPort: http
|
||||||
|
protocol: TCP
|
||||||
|
name: http
|
||||||
|
selector:
|
||||||
|
{{- include "kyverno-plugin.selectorLabels" . | nindent 4 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,16 @@
|
||||||
|
{{- if .Values.plugin.kyverno.enabled -}}
|
||||||
|
{{- if .Values.plugin.kyverno.serviceAccount.create -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: {{ include "kyverno-plugin.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno-plugin.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.plugin.kyverno.serviceAccount.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
automountServiceAccountToken: {{ .Values.plugin.kyverno.serviceAccount.automount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
68
charts/policy-reporter/templates/plugins/trivy/_helpers.tpl
Normal file
68
charts/policy-reporter/templates/plugins/trivy/_helpers.tpl
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
*/}}
|
||||||
|
{{- define "trivy-plugin.name" -}}
|
||||||
|
{{ template "policyreporter.name" . }}-trivy-plugin
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "trivy-plugin.fullname" -}}
|
||||||
|
{{ template "policyreporter.fullname" . }}-trivy-plugin
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create chart name and version as used by the chart label.
|
||||||
|
*/}}
|
||||||
|
{{- define "trivy-plugin.chart" -}}
|
||||||
|
{{ template "policyreporter.chart" . }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Common labels
|
||||||
|
*/}}
|
||||||
|
{{- define "trivy-plugin.labels" -}}
|
||||||
|
helm.sh/chart: {{ include "trivy-plugin.chart" . }}
|
||||||
|
{{ include "trivy-plugin.selectorLabels" . }}
|
||||||
|
{{- if .Chart.AppVersion }}
|
||||||
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||||
|
{{- end }}
|
||||||
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
{{- with .Values.global.labels }}
|
||||||
|
{{ toYaml . }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Selector labels
|
||||||
|
*/}}
|
||||||
|
{{- define "trivy-plugin.selectorLabels" -}}
|
||||||
|
app.kubernetes.io/name: {{ include "trivy-plugin.name" . }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create the name of the service account to use
|
||||||
|
*/}}
|
||||||
|
{{- define "trivy-plugin.serviceAccountName" -}}
|
||||||
|
{{- if .Values.plugin.trivy.serviceAccount.create }}
|
||||||
|
{{- default (include "trivy-plugin.fullname" .) .Values.plugin.trivy.serviceAccount.name }}
|
||||||
|
{{- else }}
|
||||||
|
{{- default "default" .Values.plugin.trivy.serviceAccount.name }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "trivy-plugin.podDisruptionBudget" -}}
|
||||||
|
{{- if and .Values.plugin.trivy.podDisruptionBudget.minAvailable .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
|
||||||
|
{{- fail "Cannot set both" -}}
|
||||||
|
{{- end }}
|
||||||
|
{{- if not .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
|
||||||
|
minAvailable: {{ default 1 .Values.plugin.trivy.podDisruptionBudget.minAvailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
|
||||||
|
maxUnavailable: {{ .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,12 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}-config
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
config.yaml: {{ tpl (.Files.Get "configs/trivy-plugin.tmpl") . | b64enc }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,97 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
replicas: {{ .Values.plugin.trivy.replicaCount }}
|
||||||
|
revisionHistoryLimit: {{ .Values.plugin.trivy.revisionHistoryLimit }}
|
||||||
|
{{- with .Values.plugin.trivy.updateStrategy }}
|
||||||
|
strategy:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{- include "trivy-plugin.selectorLabels" . | nindent 6 }}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
checksum/secret: {{ include (print .Template.BasePath "/plugins/trivy/config-secret.yaml") . | sha256sum | quote }}
|
||||||
|
{{- with .Values.plugin.trivy.podAnnotations }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 8 }}
|
||||||
|
{{- with .Values.plugin.trivy.podLabels }}
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- with .Values.plugin.trivy.imagePullSecrets }}
|
||||||
|
imagePullSecrets:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
serviceAccountName: {{ include "trivy-plugin.serviceAccountName" . }}
|
||||||
|
{{- if .Values.plugin.trivy.podSecurityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.plugin.trivy.podSecurityContext | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: policy-reporter-trivy-plugin
|
||||||
|
{{- if .Values.plugin.trivy.securityContext }}
|
||||||
|
securityContext:
|
||||||
|
{{- toYaml .Values.plugin.trivy.securityContext | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
image: "{{ .Values.plugin.trivy.image.registry }}/{{ .Values.plugin.trivy.image.repository }}:{{ .Values.plugin.trivy.image.tag }}"
|
||||||
|
imagePullPolicy: {{ .Values.plugin.trivy.image.pullPolicy }}
|
||||||
|
args:
|
||||||
|
- run
|
||||||
|
- --config=/app/config.yaml
|
||||||
|
- --port={{ .Values.plugin.trivy.server.port }}
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: {{ .Values.plugin.trivy.server.port }}
|
||||||
|
protocol: TCP
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /api/vulnr/v1/policies
|
||||||
|
port: http
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /api/vulnr/v1/policies
|
||||||
|
port: http
|
||||||
|
resources:
|
||||||
|
{{- toYaml .Values.plugin.trivy.resources | nindent 12 }}
|
||||||
|
volumeMounts:
|
||||||
|
- name: config-file
|
||||||
|
mountPath: /app/config.yaml
|
||||||
|
subPath: config.yaml
|
||||||
|
readOnly: true
|
||||||
|
env:
|
||||||
|
- name: POD_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
{{- with .Values.plugin.trivy.envVars }}
|
||||||
|
{{- . | toYaml | trim | nindent 10 }}
|
||||||
|
{{- end }}
|
||||||
|
volumes:
|
||||||
|
- name: config-file
|
||||||
|
secret:
|
||||||
|
secretName: {{ include "trivy-plugin.fullname" . }}-config
|
||||||
|
optional: true
|
||||||
|
{{- with .Values.plugin.trivy.nodeSelector }}
|
||||||
|
nodeSelector:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.trivy.affinity }}
|
||||||
|
affinity:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.trivy.tolerations }}
|
||||||
|
tolerations:
|
||||||
|
{{- toYaml . | nindent 8 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
61
charts/policy-reporter/templates/plugins/trivy/ingress.yaml
Normal file
61
charts/policy-reporter/templates/plugins/trivy/ingress.yaml
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
{{- if .Values.plugin.trivy.ingress.enabled -}}
|
||||||
|
{{- $fullName := include "trivy-plugin.fullname" . -}}
|
||||||
|
{{- $svcPort := .Values.plugin.trivy.service.port -}}
|
||||||
|
{{- if and .Values.plugin.trivy.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
|
||||||
|
{{- if not (hasKey .Values.plugin.trivy.ingress.annotations "kubernetes.io/ingress.class") }}
|
||||||
|
{{- $_ := set .Values.plugin.trivy.ingress.annotations "kubernetes.io/ingress.class" .Values.plugin.trivy.ingress.className}}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
|
||||||
|
apiVersion: networking.k8s.io/v1beta1
|
||||||
|
{{- else -}}
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
{{- end }}
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: {{ $fullName }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.plugin.trivy.ingress.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.trivy.ingress.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if and .Values.plugin.trivy.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||||
|
ingressClassName: {{ .Values.plugin.trivy.ingress.className }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.plugin.trivy.ingress.tls }}
|
||||||
|
tls:
|
||||||
|
{{- toYaml .Values.plugin.trivy.ingress.tls | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
rules:
|
||||||
|
{{- range .Values.plugin.trivy.ingress.hosts }}
|
||||||
|
- host: {{ .host | quote }}
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
{{- range .paths }}
|
||||||
|
- path: {{ .path }}
|
||||||
|
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
|
||||||
|
pathType: {{ .pathType }}
|
||||||
|
{{- end }}
|
||||||
|
backend:
|
||||||
|
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
|
||||||
|
service:
|
||||||
|
name: {{ $fullName }}
|
||||||
|
port:
|
||||||
|
number: {{ $svcPort }}
|
||||||
|
{{- else }}
|
||||||
|
serviceName: {{ $fullName }}
|
||||||
|
servicePort: {{ $svcPort }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,31 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
{{- if .Values.plugin.trivy.networkPolicy.enabled }}
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
labels: {{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels: {{- include "trivy-plugin.selectorLabels" . | nindent 6 }}
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
{{- with .Values.plugin.trivy.networkPolicy.ingress }}
|
||||||
|
ingress:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
{{- include "policyreporter.selectorLabels" . | nindent 10 }}
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: {{ .Values.service.port }}
|
||||||
|
{{- with .Values.plugin.trivy.networkPolicy.egress }}
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,20 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
{{- if (gt (int .Values.plugin.trivy.replicaCount) 1) }}
|
||||||
|
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
|
||||||
|
apiVersion: policy/v1
|
||||||
|
{{- else }}
|
||||||
|
apiVersion: policy/v1beta1
|
||||||
|
{{- end }}
|
||||||
|
kind: PodDisruptionBudget
|
||||||
|
metadata:
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
spec:
|
||||||
|
{{- include "trivy-plugin.podDisruptionBudget" . | indent 2 }}
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
{{- include "trivy-plugin.selectorLabels" . | nindent 6 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,17 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
{{- if and .Values.plugin.trivy.serviceAccount.create .Values.plugin.trivy.rbac.enabled -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}-secret-reader
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ['']
|
||||||
|
resources:
|
||||||
|
- secrets
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
{{- if and .Values.plugin.trivy.serviceAccount.create .Values.plugin.trivy.rbac.enabled -}}
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}-secret-reader
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}-secret-reader
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
subjects:
|
||||||
|
- kind: "ServiceAccount"
|
||||||
|
name: {{ include "trivy-plugin.serviceAccountName" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
25
charts/policy-reporter/templates/plugins/trivy/service.yaml
Normal file
25
charts/policy-reporter/templates/plugins/trivy/service.yaml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: {{ include "trivy-plugin.fullname" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.plugin.trivy.service.labels }}
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- with .Values.plugin.trivy.service.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
type: {{ .Values.plugin.trivy.service.type }}
|
||||||
|
ports:
|
||||||
|
- port: {{ .Values.plugin.trivy.service.port }}
|
||||||
|
targetPort: http
|
||||||
|
protocol: TCP
|
||||||
|
name: http
|
||||||
|
selector:
|
||||||
|
{{- include "trivy-plugin.selectorLabels" . | nindent 4 }}
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,16 @@
|
||||||
|
{{- if .Values.plugin.trivy.enabled -}}
|
||||||
|
{{- if .Values.plugin.trivy.serviceAccount.create -}}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: {{ include "trivy-plugin.serviceAccountName" . }}
|
||||||
|
namespace: {{ include "policyreporter.namespace" . }}
|
||||||
|
labels:
|
||||||
|
{{- include "trivy-plugin.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.plugin.trivy.serviceAccount.annotations }}
|
||||||
|
annotations:
|
||||||
|
{{- toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
automountServiceAccountToken: {{ .Values.plugin.trivy.serviceAccount.automount }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -1,4 +1,4 @@
|
||||||
{{- if and .Values.rbac.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1)) -}}
|
{{- if and .Values.rbac.enabled (gt (int .Values.replicaCount) 1) -}}
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: Role
|
kind: Role
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{{- if and .Values.rbac.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1)) -}}
|
{{- if and .Values.rbac.enabled (gt (int .Values.replicaCount) 1) -}}
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue