1
0
Fork 0
mirror of https://github.com/kyverno/policy-reporter.git synced 2024-12-14 11:57:32 +00:00

Policy Reporter v3 (#482)

Policy Reporter v3

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
This commit is contained in:
Frank Jogeleit 2024-10-07 11:10:46 +02:00 committed by GitHub
parent b8a658463a
commit 78f24497fa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
277 changed files with 15718 additions and 11040 deletions

10
.github/dependabot.yaml vendored Normal file
View file

@ -0,0 +1,10 @@
version: 2
updates:
- package-ecosystem: gomod
directory: /
schedule:
interval: daily
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily

View file

@ -4,7 +4,7 @@ on:
push:
branches:
- main
- development
- 3.x
paths-ignore:
- README.md
@ -14,25 +14,62 @@ on:
pull_request:
branches:
- main
- 3.x
jobs:
coverage:
runs-on: ubuntu-latest
steps:
- name: Set up Go 1.22
uses: actions/setup-go@v2
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
with:
go-version: 1.22
- name: Checkout code
uses: actions/checkout@v2
- name: Get dependencies
run: go get -v -t -d ./...
go-version-file: go.mod
cache-dependency-path: go.sum
- name: Check go.mod
run: |
set -e
go mod tidy && git diff --exit-code
- name: Check code format
run: |
set -e
make fmt
git diff --exit-code
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Calc coverage
run: make coverage
- name: Convert coverage to lcov
uses: jandelgado/gcov2lcov-action@v1.0.9
uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 #v1.0.9
- name: Coveralls
uses: coverallsapp/github-action@v2.0.0
uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
with:
github-token: ${{ secrets.github_token }}
file: coverage.lcov
check-actions:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b8f9a25a51fe633d9215ac7734854dc11cd299cb # v3.0.13
with:
# slsa-github-generator requires using a semver tag for reusable workflows.
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
allowlist: |
slsa-framework/slsa-github-generator

View file

@ -1,29 +0,0 @@
name: Release Charts
on:
push:
branches:
- main
paths:
- 'charts/**'
- 'manifests/**'
jobs:
release:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@v1
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.2.1
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

View file

@ -10,10 +10,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@master
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Setup node env
uses: actions/setup-node@v2.1.2
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
with:
node-version: 16
@ -32,9 +32,8 @@ jobs:
cp index.yaml ./dist/index.yaml
cp artifacthub-repo.yml ./dist/artifacthub-repo.yml
- name: Deploy
uses: peaceiris/actions-gh-pages@v3
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e #v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./dist

View file

@ -5,7 +5,6 @@ on:
# run pipeline on push on master
branches:
- main
- development
paths:
- "charts/**"
@ -18,16 +17,19 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: "0"
- name: chart-testing (ct lint)
uses: helm/chart-testing-action@v2.0.1
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Run Helm Chart lint
run: |
set -e
ct lint --lint-conf=.github/ct_lintconf.yaml \
--chart-yaml-schema=.github/ct_chart_schema.yaml \
--target-branch=main --validate-maintainers=false \
--target-branch=main \
--validate-maintainers=false \
--check-version-increment=false \
--chart-dirs charts

65
.github/workflows/release-chart.yaml vendored Normal file
View file

@ -0,0 +1,65 @@
name: release-chart
on:
push:
tags:
- 'policy-reporter-chart-v*'
jobs:
helm-chart:
runs-on: ubuntu-latest
permissions:
contents: write
pages: write
steps:
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
- name: Verify Helm Docs
run: |
set -e
make verify-helm-docs
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.16.1
- name: Prepare GPG key
run: |
gpg_dir=.cr-gpg
mkdir "$gpg_dir"
keyring="$gpg_dir/secring.gpg"
base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"
passphrase_file="$gpg_dir/passphrase"
echo "$GPG_PASSPHRASE" > "$passphrase_file"
echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
env:
GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}" #Referring secrets of github above
GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"
- name: Run chart-releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
id: cr
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_KEY: "${{ secrets.CR_KEY }}"
CR_SIGN: true
- name: Install Cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
- name: Push to OCI
run: |
set -e
output=$(helm push .cr-release-packages/policy-reporter-{{ steps.cr.outputs.chart_version }}.tgz oci://ghcr.io/kyverno/charts 2>&1)
digest=$( echo "$output" | grep Digest | cut -c9-)
cosign sign --yes ghcr.io/kyverno/charts/policy-reporter@$digest

View file

@ -1,9 +1,16 @@
name: image
name: release-image
on:
push:
branches:
- main
tags:
- v*
- dev
- 'v*'
paths-ignore:
- README.md
- charts/**
- manifest/**
permissions:
contents: read
@ -15,58 +22,58 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Push image
id: params
run: |
# Strip git ref prefix from version
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
VERSION=$(git rev-parse --short "$GITHUB_SHA")
# Strip "v" prefix from tag name
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
echo VERSION=$VERSION
echo "::set-output name=version::$VERSION"
echo "VERSION=$VERSION" >> "$GITHUB_ENV"
- name: Login to Github Packages
uses: docker/login-action@v2
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
id: buildx
with:
install: true
version: latest
- name: Build image and push to GitHub Container Registry
uses: docker/build-push-action@v3
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: push
with:
push: true
platforms: linux/arm64,linux/amd64,linux/s390x
platforms: linux/arm64,linux/amd64
cache-from: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache
cache-to: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache,mode=max
tags: |
ghcr.io/kyverno/policy-reporter:latest
ghcr.io/kyverno/policy-reporter:${{ steps.params.outputs.version }}
ghcr.io/kyverno/policy-reporter:${{ env.VERSION }}
- name: Set up Go 1.22
uses: actions/setup-go@v2
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
with:
go-version: 1.22
go-version-file: go.mod
cache-dependency-path: go.sum
- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: v1
args: app -licenses -json -output policy-reporter-bom.cdx.json -main .
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: policy-reporter-bom-cdx
path: policy-reporter-bom.cdx.json

1
.gitignore vendored
View file

@ -6,6 +6,7 @@ build
/test.yaml
*.db
values*.yaml
monitoring.yaml
coverage.out*
heap*
/.env*

View file

@ -309,7 +309,7 @@
* Policy Reporter
* New `certificate` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to set the path to your custom certificate for the related client.
* New `skipTLS` config for `loki`, `elasticsearch`, `teams`, `webhook` and `ui`, to skip tls if needed for the given target.
* New `secretRef` for targets to reference a secret with the related `username`, `password`, `webhook`, `host`, `accessKeyID`, `secretAccessKey` information of the given target, instead of configure your credentials directly.
* New `secretRef` for targets to reference a secret with the related `username`, `password`, `webhook`, `host`, `accessKeyId`, `secretAccessKey` information of the given target, instead of configure your credentials directly.
* Policy Reporter UI
* New value `refreshInterval` to configure the default refresh interval for API polling. Set `0` to disable polling.
* Policy Reporter Kyverno Plugin

144
DEMO.md Normal file
View file

@ -0,0 +1,144 @@
# Demo Instructions
## Kind Cluster
```bash
make kind-create-cluster
```
## Kyverno
### Add Repository
```bash
helm repo add kyverno https://kyverno.github.io/kyverno
```
### Install
```bash
helm upgrade --install kyverno kyverno/kyverno -n kyverno --create-namespace
helm upgrade --install kyverno-policies kyverno/kyverno-policies --set podSecurityStandard=restricted
```
## Falco
### Add Repository
```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
```
### Install
```bash
helm upgrade --install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.config.policyreport.enabled=true --set falcosidekick.image.tag=latest --namespace falco --create-namespace
```
## Trivy Operator
### Add Repository
```bash
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo add trivy-operator-polr-adapter https://fjogeleit.github.io/trivy-operator-polr-adapter
```
### Install
```bash
helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system --create-namespace --set="trivy.ignoreUnfixed=true"
helm upgrade --install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-system
```
## Policy Reporter
### Add Repository
```bash
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
```
### Install
#### Slack Secret
```yaml
apiVersion: v1
kind: Secret
metadata:
name: webhook-secret
namespace: policy-reporter
type: Opaque
data:
webhook: aHR0cHM6Ly9ob29rcy5z...
```
#### Values
```yaml
plugin:
kyverno:
enabled: true
trivy:
enabled: true
ui:
enabled: true
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
className: nginx
hosts:
- host: localhost
paths:
- path: "/ui/(.*)"
pathType: ImplementationSpecific
sources:
- name: Trivy ConfigAudit
type: severity
excludes:
results:
- pass
- error
- name: Trivy Vulnerability
type: severity
excludes:
results:
- pass
- error
- name: Falco
excludes:
results:
- pass
- skip
target:
slack:
name: Kyverno Channel
channel: kyverno
secretRef: webhook-secret
minimumSeverity: warning
skipExistingOnStartup: true
sources: [kyverno]
filter:
namespaces:
exclude: ['trivy-system']
channels:
- name: Trivy Operator
channel: trivy-operator
sources: [Trivy Vulnerability]
filter:
namespaces:
exclude: ['trivy-system']
```
```bash
helm upgrade --install policy-reporter policy-reporter/policy-reporter --create-namespace -n policy-reporter -f values.yaml --devel
```

View file

@ -1,4 +1,4 @@
FROM golang:1.22 as builder
FROM golang:1.23 AS builder
ARG LD_FLAGS='-s -w -linkmode external -extldflags "-static"'
ARG TARGETPLATFORM

149
Makefile
View file

@ -1,9 +1,142 @@
############
# DEFAULTS #
############
KIND_IMAGE ?= kindest/node:v1.30.2
KIND_NAME ?= kyverno
USE_CONFIG ?= standard,no-ingress,in-cluster,all-read-rbac
KUBECONFIG ?= ""
PIP ?= "pip3"
GO ?= go
BUILD ?= build
REPO ?= ghcr.io/kyverno/policy-reporter
IMAGE_TAG ?= 2.20.1
LD_FLAGS=-s -w -linkmode external -extldflags "-static"
PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x
IMAGE_TAG ?= 3.0.0
#############
# VARIABLES #
#############
GIT_SHA := $(shell git rev-parse HEAD)
TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
GOOS ?= $(shell go env GOOS)
GOARCH ?= $(shell go env GOARCH)
REGISTRY ?= ghcr.io
OWNER ?= kyverno
KO_REGISTRY := ko.local
IMAGE ?= policy-reporter
LD_FLAGS := -s -w -linkmode external -extldflags "-static"
LOCAL_PLATFORM := linux/$(GOARCH)
PLATFORMS := linux/arm64,linux/amd64,linux/s390x
REPO := $(REGISTRY)/$(OWNER)/$(IMAGE)
COMMA := ,
ifndef VERSION
APP_VERSION := $(GIT_SHA)
else
APP_VERSION := $(VERSION)
endif
#########
# TOOLS #
#########
TOOLS_DIR := $(PWD)/.tools
KIND := $(TOOLS_DIR)/kind
KIND_VERSION := v0.24.0
KO := $(TOOLS_DIR)/ko
KO_VERSION := v0.15.1
HELM := $(TOOLS_DIR)/helm
HELM_VERSION := v3.10.1
HELM_DOCS := $(TOOLS_DIR)/helm-docs
HELM_DOCS_VERSION := v1.11.0
GCI := $(TOOLS_DIR)/gci
GCI_VERSION := v0.9.1
GOFUMPT := $(TOOLS_DIR)/gofumpt
GOFUMPT_VERSION := v0.4.0
TOOLS := $(HELM) $(HELM_DOCS) $(GCI) $(GOFUMPT)
$(HELM):
@echo Install helm... >&2
@GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
$(HELM_DOCS):
@echo Install helm-docs... >&2
@GOBIN=$(TOOLS_DIR) go install github.com/norwoodj/helm-docs/cmd/helm-docs@$(HELM_DOCS_VERSION)
$(GCI):
@echo Install gci... >&2
@GOBIN=$(TOOLS_DIR) go install github.com/daixiang0/gci@$(GCI_VERSION)
$(GOFUMPT):
@echo Install gofumpt... >&2
@GOBIN=$(TOOLS_DIR) go install mvdan.cc/gofumpt@$(GOFUMPT_VERSION)
$(KIND):
@echo Install kind... >&2
@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
$(KO):
@echo Install ko... >&2
@GOBIN=$(TOOLS_DIR) go install github.com/google/ko@$(KO_VERSION)
.PHONY: gci
gci: $(GCI)
@echo "Running gci"
@$(GCI) write -s standard -s default -s "prefix(github.com/kyverno/policy-reporter)" .
.PHONY: gofumpt
gofumpt: $(GOFUMPT)
@echo "Running gofumpt"
@$(GOFUMPT) -w .
.PHONY: fmt
fmt: gci gofumpt
.PHONY: install-tools
install-tools: $(TOOLS) ## Install tools
.PHONY: clean-tools
clean-tools: ## Remove installed tools
@echo Clean tools... >&2
@rm -rf $(TOOLS_DIR)
########
# KIND #
########
.PHONY: kind-create-cluster
kind-create-cluster: $(KIND) ## Create kind cluster
@echo Create kind cluster... >&2
@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./scripts/kind.yaml
@kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
@sleep 15
@kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s
.PHONY: kind-delete-cluster
kind-delete-cluster: $(KIND) ## Delete kind cluster
@echo Delete kind cluster... >&2
@$(KIND) delete cluster --name $(KIND_NAME)
.PHONY: kind-load
kind-load: $(KIND) ko-build ## Build playground image and load it in kind cluster
@echo Load playground image... >&2
@$(KIND) load docker-image --name $(KIND_NAME) ko.local/github.com/kyverno/policy-reporter:$(GIT_SHA)
###########
# CODEGEN #
###########
.PHONY: codegen-helm-docs
codegen-helm-docs: ## Generate helm docs
@echo Generate helm docs... >&2
@docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
.PHONY: verify-helm-docs
verify-helm-docs: codegen-helm-docs ## Check Helm charts are up to date
@echo Checking helm charts are up to date... >&2
@git --no-pager diff -- charts
@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-helm-docs".' >&2
@echo 'To correct this, locally run "make codegen-helm-docs", commit the changes, and re-run tests.' >&2
@git diff --quiet --exit-code -- charts
all: build
@ -41,11 +174,3 @@ docker-push:
.PHONY: docker-push-dev
docker-push-dev:
@docker buildx build --progress plane --platform $(PLATFORMS) --tag $(REPO):dev . --build-arg LD_FLAGS='$(LD_FLAGS) -X main.Version=$(IMAGE_TAG)-dev' --push
.PHONY: fmt
fmt:
$(call print-target)
@echo "Running gci"
@go run github.com/daixiang0/gci@v0.9.1 write -s standard -s default -s "prefix(github.com/kyverno/policy-reporter)" .
@echo "Running gofumpt"
@go run mvdan.cc/gofumpt@v0.4.0 -w .

View file

@ -1,17 +1,20 @@
# Policy Reporter
# Policy Reporter 3.x Preview
[![CI](https://github.com/kyverno/policy-reporter/actions/workflows/ci.yaml/badge.svg)](https://github.com/kyverno/policy-reporter/actions/workflows/ci.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/kyverno/policy-reporter)](https://goreportcard.com/report/github.com/kyverno/policy-reporter) [![Coverage Status](https://coveralls.io/repos/github/kyverno/policy-reporter/badge.svg?branch=main)](https://coveralls.io/github/kyverno/policy-reporter?branch=main)
## Motivation
Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates [PolicyReports](https://kyverno.io/docs/policy-reports/) which you can access with `kubectl`. Because I can't find a simple solution to get a general overview of this PolicyReports and PolicyReportResults, I created this tool to send information about PolicyReports to different targets like [Grafana Loki](https://grafana.com/oss/loki/), [Elasticsearch](https://www.elastic.co/de/elasticsearch/) or [Slack](https://slack.com/).
![Screenshot Policy Reporter UI v2](https://github.com/kyverno/policy-reporter/blob/3.x/docs/images/screen.png)
Policy Reporter provides also a Prometheus Metrics API as well as an standalone mode along with the [Policy Reporter UI](https://kyverno.github.io/policy-reporter/guide/getting-started#core--policy-reporter-ui).
This project is in an early stage. Please let me know if anything did not work as expected or if you want to send your audits to unsupported targets.
## Documentation
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter).
Documentation for upcoming features and changes for the new Policy Reporter UI v2 are located in [Docs](https://github.com/kyverno/policy-reporter/tree/3.x/docs)
* [Installation](https://github.com/kyverno/policy-reporter/blob/3.x/docs/SETUP.md)
* [OAUth2 / OpenIDConnect](https://github.com/kyverno/policy-reporter/blob/3.x/docs/UI_AUTH.md)
* [UI CustomBoards](https://github.com/kyverno/policy-reporter/blob/3.x/docs/CUSTOM_BOARDS.md)
* [Kyverno PolicyExceptions](https://github.com/kyverno/policy-reporter/blob/3.x/docs/EXCEPTIONS.md)
The new documentation page for Policy Reporter v3 can be found here: [https://kyverno.github.io/policy-reporter-docs/](https://kyverno.github.io/policy-reporter-docs/)
## Getting Started
@ -25,60 +28,10 @@ helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
```
### Basic Installation
The basic installation provides optional Prometheus Metrics and/or optional REST APIs, for more details have a look at the [Documentation](https://kyverno.github.io/policy-reporter/guide/getting-started).
```bash
helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --set metrics.enabled=true --set rest.enabled=true --create-namespace
```
### Installation without Helm or Kustomize
To install Policy Reporter without Helm or Kustomize have a look at [manifests](https://github.com/kyverno/policy-reporter/tree/main/manifest).
## Policy Reporter UI
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
### Installation with Policy Reporter UI and Kyverno Plugin enabled
```bash
helm install policy-reporter policy-reporter/policy-reporter --set kyvernoPlugin.enabled=true --set ui.enabled=true --set ui.plugins.kyverno=true -n policy-reporter --create-namespace
helm install policy-reporter policy-reporter/policy-reporter --create-namespace -n policy-reporter --devel --set ui.enabled=true --set kyverno-plugin.enabled=true
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
```
Open `http://localhost:8082/` in your browser.
Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/getting-started#core--policy-reporter-ui) for Screens and additional Information
## Targets
Policy Reporter supports the following [Targets](https://kyverno.github.io/policy-reporter/core/targets) to send new (Cluster)PolicyReport Results too:
* [Grafana Loki](https://kyverno.github.io/policy-reporter/core/targets#grafana-loki)
* [Elasticsearch](https://kyverno.github.io/policy-reporter/core/targets#elasticsearch)
* [Microsoft Teams](https://kyverno.github.io/policy-reporter/core/targets#microsoft-teams)
* [Slack](https://kyverno.github.io/policy-reporter/core/targets#slack)
* [Discord](https://kyverno.github.io/policy-reporter/core/targets#discord)
* [Policy Reporter UI](https://kyverno.github.io/policy-reporter/core/targets#policy-reporter-ui)
* [Webhook](https://kyverno.github.io/policy-reporter/core/targets#webhook)
* [S3](https://kyverno.github.io/policy-reporter/core/targets#s3-compatible-storage)
* [AWS Kinesis compatible Services](https://kyverno.github.io/policy-reporter/core/targets#kinesis-compatible-services)
* [AWS SecurityHub](https://kyverno.github.io/policy-reporter/core/targets#aws-securityhub)
* [Google Cloud Storage](https://kyverno.github.io/policy-reporter/core/targets/#google-cloud-storage)
* [Telegram](https://kyverno.github.io/policy-reporter/core/targets#telegram)
* [Google Chat](https://kyverno.github.io/policy-reporter/core/targets#google-chat)
## Monitoring
The Helm Chart includes optional SubChart for [Prometheus Operator](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) Integration. The provided Dashboards working without Loki and are only based on the Prometheus Metrics.
Have a look into the [Documentation](https://kyverno.github.io/policy-reporter/guide/helm-chart-core/#configure-the-servicemonitor) for details.
### Grafana Dashboard Import
If you are not using the MonitoringStack you can import the dashboards from [Grafana](https://grafana.com/orgs/policyreporter/dashboards)
## Resources
* [[Video] 37. #EveryoneCanContribute cafe: Policy reporter for Kyverno](https://youtu.be/1mKywg9f5Fw)
* [[Video] Rawkode Live: Hands on Policy Reporter](https://www.youtube.com/watch?v=ZrOtTELNLyg)
* [[Blog] Monitor Security and Best Practices with Kyverno and Policy Reporter](https://blog.webdev-jogeleit.de/blog/monitor-security-with-kyverno-and-policy-reporter/)

View file

@ -1,12 +0,0 @@
dependencies:
- name: monitoring
repository: ""
version: 2.8.2
- name: ui
repository: ""
version: 2.10.5
- name: kyvernoPlugin
repository: ""
version: 1.6.5
digest: sha256:5ee2b291bc447466442a8ea81f94fc852352ac8ae15045525778fdea3769c7c2
generated: "2024-02-04T10:42:39.448841+01:00"

View file

@ -5,8 +5,8 @@ description: |
It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
type: application
version: 2.24.2
appVersion: 2.20.2
version: 3.0.0-rc.1
appVersion: 3.0.0-rc.1
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
home: https://kyverno.github.io/policy-reporter
@ -14,14 +14,3 @@ sources:
- https://github.com/kyverno/policy-reporter
maintainers:
- name: Frank Jogeleit
dependencies:
- name: monitoring
condition: monitoring.enabled
version: "2.8.2"
- name: ui
condition: ui.enabled
version: "2.10.5"
- name: kyvernoPlugin
condition: kyvernoPlugin.enabled
version: "1.6.5"

View file

@ -1,16 +1,13 @@
# Policy Reporter
# policy-reporter
![Version: v2.24.1](https://img.shields.io/badge/Version-v2.24.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.20.1](https://img.shields.io/badge/AppVersion-v2.20.1-informational?style=flat-square)
Policy Reporter watches for PolicyReport Resources.
It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
## Motivation
Kyverno ships with two types of validation. You can either enforce a rule or audit it. If you don't want to block developers or if you want to try out a new rule, you can use the audit functionality. The audit configuration creates [PolicyReports](https://kyverno.io/docs/policy-reports/) which you can access with `kubectl`. Because I can't find a simple solution to get a general overview of this PolicyReports and PolicyReportResults, I created this tool to send information about PolicyReports to different targets like [Grafana Loki](https://grafana.com/oss/loki/), [Elasticsearch](https://www.elastic.co/de/elasticsearch/) or [Slack](https://slack.com/).
![Version: 3.0.0-rc.1](https://img.shields.io/badge/Version-3.0.0--rc.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0-rc.1](https://img.shields.io/badge/AppVersion-3.0.0--rc.1-informational?style=flat-square)
## Documentation
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-getting-started#core--policy-reporter-ui).
## Getting Started
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter-docs).
## Installation with Helm v3
@ -35,16 +32,549 @@ helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
### Installation with Policy Reporter UI and Kyverno Plugin enabled
```bash
helm install policy-reporter policy-reporter/policy-reporter --set kyvernoPlugin.enabled=true --set ui.enabled=true --set ui.plugins.kyverno=true -n policy-reporter --create-namespace
helm install policy-reporter policy-reporter/policy-reporter --set plugin.kyverno.enabled=true --set ui.enabled=true -n policy-reporter --create-namespace
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
```
Open `http://localhost:8082/` in your browser.
Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-getting-started#core--policy-reporter-ui) for Screens and additional Information
## Values
## Resources
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| nameOverride | string | `""` | Override the chart name used for all resources |
| fullnameOverride | string | `"policy-reporter"` | Overwrite the fullname of all resources |
| namespaceOverride | string | `""` | Overwrite the namespace of all resources |
| image.registry | string | `"ghcr.io"` | Image registry |
| image.repository | string | `"kyverno/policy-reporter"` | Image repository |
| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy |
| image.tag | string | `"12da466"` | Image tag |
| imagePullSecrets | list | `[]` | Image pullSecrets |
| priorityClassName | string | `""` | Deployment priorityClassName |
| replicaCount | int | `1` | Deployment replica count |
| revisionHistoryLimit | int | `10` | The number of revisions to keep |
| updateStrategy | object | `{}` | Deployment strategy |
| port | object | `{"name":"http","number":8080}` | Container port |
| annotations | object | `{}` | Key/value pairs that are attached to all resources. |
| rbac.enabled | bool | `true` | Create RBAC resources |
| serviceAccount.create | bool | `true` | Create ServiceAccount |
| serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
| serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| serviceAccount.name | string | `""` | The ServiceAccount name |
| service.enabled | bool | `true` | Create Service |
| service.type | string | `"ClusterIP"` | Service type |
| service.port | int | `8080` | Service port |
| service.annotations | object | `{}` | Service annotations |
| service.labels | object | `{}` | Service labels |
| podSecurityContext | object | `{"fsGroup":1234}` | Security context for the pod |
| securityContext.runAsUser | int | `1234` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.privileged | bool | `false` | |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| securityContext.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| securityContext.podLabels | object | `{}` | Additional labels to add to each pod |
| resources | object | `{}` | Resource constraints |
| networkPolicy.enabled | bool | `false` | Create NetworkPolicy |
| networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}],"to":null}]` | Egress rule to allowe Kubernetes API Server access |
| networkPolicy.ingress | list | `[]` | |
| ingress.enabled | bool | `false` | Create Ingress This ingress exposes the policy-reporter core app. |
| ingress.className | string | `""` | Ingress className |
| ingress.labels | object | `{}` | Labels for the Ingress |
| ingress.annotations | object | `{}` | Annotations for the Ingress |
| ingress.hosts | string | `nil` | Ingress host list |
| ingress.tls | list | `[]` | Ingress tls list |
| logging.server | bool | `false` | Enables server access logging |
| logging.encoding | string | `"console"` | Log encoding possible encodings are console and json |
| logging.logLevel | int | `0` | Log level default info |
| rest.enabled | bool | `false` | Enables the REST API |
| metrics.enabled | bool | `false` | Enables Prometheus Metrics |
| metrics.mode | string | `"detailed"` | Metric Mode allowes to customize labels Allowed values: detailed, simple, custom |
| metrics.customLabels | list | `[]` | List of used labels in custom mode Supported fields are: ["namespace", "rule", "policy", "report" // PolicyReport name, "kind" // resource kind, "name" // resource name, "status", "severity", "category", "source"] |
| metrics.filter | object | `{}` | Filter results to reduce cardinality |
| profiling.enabled | bool | `false` | Enable profiling with pprof |
| worker | int | `5` | Amount of queue workers for PolicyReport resource processing |
| reportFilter | object | `{}` | Filter PolicyReport resources to process |
| sourceConfig | list | `[]` | Customize source specific logic like result ID generation |
| sourceFilters[0].selector.source | string | `"kyverno"` | select PolicyReport by source |
| sourceFilters[0].uncontrolledOnly | bool | `true` | Filter out PolicyReports of controlled Pods and Jobs, only works for PolicyReport with scope resource |
| sourceFilters[0].disableClusterReports | bool | `false` | Filter out ClusterPolicyReports |
| sourceFilters[0].kinds | object | `{"exclude":["ReplicaSet"]}` | Filter out PolicyReports based on the scope resource kind |
| global.labels | object | `{}` | additional labels added on each resource |
| basicAuth.username | string | `""` | HTTP BasicAuth username |
| basicAuth.password | string | `""` | HTTP BasicAuth password |
| basicAuth.secretRef | optional | `""` | Secret reference to get username and/or password from |
| emailReports.clusterName | optional | `""` | - Displayed in the email report if configured |
| emailReports.titlePrefix | string | `"Report"` | Title prefix in the email subject |
| emailReports.resources | object | `{}` | Resource constraints for the created CronJobs |
| emailReports.smtp.secret | optional | `""` | Secret reference to provide the complete or partial SMTP configuration |
| emailReports.smtp.host | string | `""` | SMTP Server Host |
| emailReports.smtp.port | int | `465` | SMTP Server Port |
| emailReports.smtp.username | string | `""` | SMTP Username |
| emailReports.smtp.password | string | `""` | SMTP Password |
| emailReports.smtp.from | string | `""` | Displayed from email address |
| emailReports.smtp.encryption | string | `""` | SMTP Encryption Default is none, supports ssl/tls and starttls |
| emailReports.smtp.skipTLS | bool | `false` | Skip SMTP TLS verification |
| emailReports.smtp.certificate | string | `""` | SMTP Server Certificate file path |
| emailReports.summary.enabled | bool | `false` | Enable Summary E-Mail reports |
| emailReports.summary.schedule | string | `"0 8 * * *"` | CronJob schedule |
| emailReports.summary.activeDeadlineSeconds | int | `300` | CronJob activeDeadlineSeconds |
| emailReports.summary.backoffLimit | int | `3` | CronJob backoffLimit |
| emailReports.summary.ttlSecondsAfterFinished | int | `0` | CronJob ttlSecondsAfterFinished |
| emailReports.summary.restartPolicy | string | `"Never"` | CronJob restartPolicy |
| emailReports.summary.to | list | `[]` | List of receiver email addresses |
| emailReports.summary.filter | optional | `{}` | Report filter |
| emailReports.summary.channels | optional | `[]` | Channels can be used to to send only a subset of namespaces / sources to dedicated email addresses |
| emailReports.violations.enabled | bool | `false` | Enable Violation Summary E-Mail reports |
| emailReports.violations.schedule | string | `"0 8 * * *"` | CronJob schedule |
| emailReports.violations.activeDeadlineSeconds | int | `300` | CronJob activeDeadlineSeconds |
| emailReports.violations.backoffLimit | int | `3` | CronJob backoffLimit |
| emailReports.violations.ttlSecondsAfterFinished | int | `0` | CronJob ttlSecondsAfterFinished |
| emailReports.violations.restartPolicy | string | `"Never"` | CronJob restartPolicy |
| emailReports.violations.to | list | `[]` | List of receiver email addresses |
| emailReports.violations.filter | optional | `{}` | Report filter |
| emailReports.violations.channels | optional | `[]` | Channels can be used to to send only a subset of namespaces / sources to dedicated email addresses |
| existingTargetConfig.enabled | bool | `false` | Use an already existing configuration |
| existingTargetConfig.name | string | `""` | Name of the secret with the config |
| existingTargetConfig.subPath | string | `""` | SubPath within the secret (defaults to config.yaml) |
| target.loki.host | string | `""` | Host Address |
| target.loki.path | string | `""` | Loki API, defaults to "/loki/api/v1/push" |
| target.loki.certificate | string | `""` | Server Certificate file path Can be added under extraVolumes |
| target.loki.skipTLS | bool | `false` | Skip TLS verification |
| target.loki.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.loki.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.loki.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.loki.sources | list | `[]` | List of sources which should send |
| target.loki.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.loki.customFields | object | `{}` | Added as additional labels |
| target.loki.headers | object | `{}` | Additional HTTP Headers |
| target.loki.username | string | `""` | HTTP BasicAuth username |
| target.loki.password | string | `""` | HTTP BasicAuth password |
| target.loki.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.loki.channels | list | `[]` | List of channels to route results to different configurations |
| target.elasticsearch.host | string | `""` | Host address |
| target.elasticsearch.certificate | string | `""` | Server Certificate file path Can be added under extraVolumes |
| target.elasticsearch.skipTLS | bool | `false` | Skip TLS verification |
| target.elasticsearch.index | string | `"policy-reporter"` | Elasticsearch index (default: policy-reporter) |
| target.elasticsearch.rotation | string | `"daily"` | Elasticsearch index rotation and index suffix Possible values: daily, monthly, annually, none (default: daily) |
| target.elasticsearch.typelessApi | bool | `false` | Enables Elasticsearch typless API https://www.elastic.co/blog/moving-from-types-to-typeless-apis-in-elasticsearch-7-0 keeping as false for retrocompatibility. |
| target.elasticsearch.username | string | `""` | HTTP BasicAuth username |
| target.elasticsearch.password | string | `""` | HTTP BasicAuth password |
| target.elasticsearch.apiKey | string | `""` | Elasticsearch API Key for api key authentication |
| target.elasticsearch.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.elasticsearch.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.elasticsearch.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.elasticsearch.sources | list | `[]` | List of sources which should send |
| target.elasticsearch.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.elasticsearch.customFields | object | `{}` | Added as additional labels |
| target.elasticsearch.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.elasticsearch.channels | list | `[]` | List of channels to route results to different configurations |
| target.slack.webhook | string | `""` | Webhook Address |
| target.slack.channel | string | `""` | Slack Channel |
| target.slack.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.slack.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.slack.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.slack.sources | list | `[]` | List of sources which should send |
| target.slack.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.slack.customFields | object | `{}` | Added as additional labels |
| target.slack.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.slack.channels | list | `[]` | List of channels to route results to different configurations |
| target.discord.webhook | string | `""` | Webhook Address |
| target.discord.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.discord.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.discord.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.discord.sources | list | `[]` | List of sources which should send |
| target.discord.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.discord.customFields | object | `{}` | Added as additional labels |
| target.discord.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.discord.channels | list | `[]` | List of channels to route results to different configurations |
| target.teams.webhook | string | `""` | Webhook Address |
| target.teams.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.teams.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.teams.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.teams.sources | list | `[]` | List of sources which should send |
| target.teams.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.teams.customFields | object | `{}` | Added as additional labels |
| target.teams.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.teams.channels | list | `[]` | List of channels to route results to different configurations |
| target.webhook.host | string | `""` | Webhook Address |
| target.webhook.headers | object | `{}` | Additional HTTP Headers |
| target.webhook.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.webhook.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.webhook.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.webhook.sources | list | `[]` | List of sources which should send |
| target.webhook.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.webhook.customFields | object | `{}` | Added as additional labels |
| target.webhook.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.webhook.channels | list | `[]` | List of channels to route results to different configurations |
| target.telegram.token | string | `""` | Telegram bot token |
| target.telegram.chatId | string | `""` | Telegram chat id |
| target.telegram.host | optional | `""` | Telegram proxy host |
| target.telegram.headers | object | `{}` | Additional HTTP Headers |
| target.telegram.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.telegram.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.telegram.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.telegram.sources | list | `[]` | List of sources which should send |
| target.telegram.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.telegram.customFields | object | `{}` | Added as additional labels |
| target.telegram.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.telegram.channels | list | `[]` | List of channels to route results to different configurations |
| target.googleChat.webhook | string | `""` | Webhook Address |
| target.googleChat.headers | object | `{}` | Additional HTTP Headers |
| target.googleChat.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.googleChat.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.googleChat.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.googleChat.sources | list | `[]` | List of sources which should send |
| target.googleChat.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.googleChat.customFields | object | `{}` | Added as additional labels |
| target.googleChat.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.googleChat.channels | list | `[]` | List of channels to route results to different configurations |
| target.s3.accessKeyId | optional | `""` | S3 Access key |
| target.s3.secretAccessKey | optional | `""` | S3 SecretAccess key |
| target.s3.region | optional | `""` | S3 Storage region |
| target.s3.endpoint | optional | `""` | S3 Storage endpoint |
| target.s3.bucket | required | `""` | S3 Storage bucket name |
| target.s3.bucketKeyEnabled | bool | `false` | S3 Storage to use an S3 Bucket Key for object encryption with SSE-KMS |
| target.s3.kmsKeyId | string | `""` | S3 Storage KMS Key ID for object encryption with SSE-KMS |
| target.s3.serverSideEncryption | string | `""` | S3 Storage server-side encryption algorithm used when storing this object in Amazon S3, AES256, aws:kms |
| target.s3.pathStyle | bool | `false` | S3 Storage, force path style configuration |
| target.s3.prefix | string | `""` | Used prefix, keys will have format: s3://<bucket>/<prefix>/YYYY-MM-DD/YYYY-MM-DDTHH:mm:ss.s+01:00.json |
| target.s3.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.s3.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.s3.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.s3.sources | list | `[]` | List of sources which should send |
| target.s3.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.s3.customFields | object | `{}` | Added as additional labels |
| target.s3.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.s3.channels | list | `[]` | List of channels to route results to different configurations |
| target.kinesis.accessKeyId | optional | `""` | Access key |
| target.kinesis.secretAccessKey | optional | `""` | SecretAccess key |
| target.kinesis.region | optional | `""` | Region |
| target.kinesis.endpoint | optional | `""` | Endpoint |
| target.kinesis.streamName | required | `""` | StreamName |
| target.kinesis.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.kinesis.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.kinesis.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.kinesis.sources | list | `[]` | List of sources which should send |
| target.kinesis.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.kinesis.customFields | object | `{}` | Added as additional labels |
| target.kinesis.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.kinesis.channels | list | `[]` | List of channels to route results to different configurations |
| target.securityHub.accessKeyId | optional | `""` | Access key |
| target.securityHub.secretAccessKey | optional | `""` | SecretAccess key |
| target.securityHub.region | optional | `""` | Region |
| target.securityHub.endpoint | optional | `""` | Endpoint |
| target.securityHub.accountId | required | `""` | AccountId |
| target.securityHub.productName | optional | `""` | Used product name, defaults to "Polilcy Reporter" |
| target.securityHub.companyName | optional | `""` | Used company name, defaults to "Kyverno" |
| target.securityHub.synchronize | bool | `true` | Enable cleanup listener for SecurityHub |
| target.securityHub.delayInSeconds | int | `2` | Delay between AWS GetFindings API calls, to avoid hitting the API RequestLimit |
| target.securityHub.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.securityHub.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.securityHub.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.securityHub.sources | list | `[]` | List of sources which should send |
| target.securityHub.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.securityHub.customFields | object | `{}` | Added as additional labels |
| target.securityHub.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.securityHub.channels | list | `[]` | List of channels to route results to different configurations |
| target.gcs.credentials | optional | `""` | GCS (Google Cloud Storage) Service Accout Credentials |
| target.gcs.bucket | required | `""` | GCS Bucket |
| target.gcs.secretRef | string | `""` | Read configuration from an already existing Secret |
| target.gcs.mountedSecret | string | `""` | Mounted secret path by Secrets Controller, secret should be in json format |
| target.gcs.minimumSeverity | string | `""` | Minimum severity: "" < info < low < medium < high < critical |
| target.gcs.sources | list | `[]` | List of sources which should send |
| target.gcs.skipExistingOnStartup | bool | `true` | Skip already existing PolicyReportResults on startup |
| target.gcs.customFields | object | `{}` | Added as additional labels |
| target.gcs.filter | object | `{}` | Filter Results which should send to this target Wildcars for namespaces and policies are supported, you can either define exclude or include values Filters are available for all targets except the UI |
| target.gcs.channels | list | `[]` | List of channels to route results to different configurations |
| leaderElection.releaseOnCancel | bool | `true` | |
| leaderElection.leaseDuration | int | `15` | |
| leaderElection.renewDeadline | int | `10` | |
| leaderElection.retryPeriod | int | `2` | |
| redis.enabled | bool | `false` | Enables Redis as external result cache, uses in memory cache by default |
| redis.address | string | `""` | Redis host |
| redis.database | int | `0` | Redis database |
| redis.prefix | string | `"policy-reporter"` | Redis key prefix |
| redis.username | optional | `""` | Username |
| redis.password | optional | `""` | Password |
| database.type | string | `""` | Use an external Database, supported: mysql, postgres, mariadb |
| database.database | string | `""` | Database |
| database.username | string | `""` | Username |
| database.password | string | `""` | Password |
| database.host | string | `""` | Host Address |
| database.enableSSL | bool | `false` | Enables SSL |
| database.dsn | string | `""` | Instead of configure the individual values you can also provide an DSN string example postgres: postgres://postgres:password@localhost:5432/postgres?sslmode=disable example mysql: root:password@tcp(localhost:3306)/test?tls=false |
| database.secretRef | string | `""` | Read configuration from an existing Secret supported fields: username, password, host, dsn, database |
| database.mountedSecret | string | `""` | |
| podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for policy-reporter disruptions. Cannot be used if `maxUnavailable` is set. |
| podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for policy-reporter disruptions. Cannot be used if `minAvailable` is set. |
| nodeSelector | object | `{}` | Node labels for pod assignment ref: https://kubernetes.io/docs/user-guide/node-selection/ |
| tolerations | list | `[]` | Tolerations for pod assignment ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
| affinity | object | `{}` | Anti-affinity to disallow deploying client and master nodes on the same worker node |
| topologySpreadConstraints | list | `[]` | Topology Spread Constraints to better spread pods |
| livenessProbe | object | `{"httpGet":{"path":"/ready","port":"http"}}` | Deployment livenessProbe for policy-reporter |
| readinessProbe | object | `{"httpGet":{"path":"/healthz","port":"http"}}` | Deployment readinessProbe for policy-reporter |
| extraVolumes.volumeMounts | list | `[]` | Deployment volumeMounts |
| extraVolumes.volumes | list | `[]` | Deployment values |
| sqliteVolume | object | `{}` | If set the volume for sqlite is freely configurable below "- name: sqlite". If no value is set an emptyDir is used. |
| envVars | list | `[]` | Allow additional env variables to be added |
| tmpVolume | object | `{}` | Allow custom configuration of the /tmp volume |
| ui.enabled | bool | `false` | Enable Policy Reporter UI |
| ui.image.registry | string | `"ghcr.io"` | Image registry |
| ui.image.repository | string | `"kyverno/policy-reporter-ui"` | Image repository |
| ui.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
| ui.image.tag | string | `"2.0.0-rc.1"` | Image tag |
| ui.replicaCount | int | `1` | Deployment replica count |
| ui.tempDir | string | `"/tmp"` | Temporary Directory to persist session data for authentication |
| ui.logging.api | bool | `false` | Enables external api request logging |
| ui.logging.server | bool | `false` | Enables server access logging |
| ui.logging.encoding | string | `"console"` | Log encoding possible encodings are console and json |
| ui.logging.logLevel | int | `0` | Log level default info |
| ui.server.port | int | `8080` | Application port |
| ui.server.cors | bool | `true` | Enabled CORS header |
| ui.server.overwriteHost | bool | `true` | Overwrites Request Host with Proxy Host and adds `X-Forwarded-Host` and `X-Origin-Host` headers |
| ui.openIDConnect.enabled | bool | `false` | Enable openID Connect authentication |
| ui.openIDConnect.discoveryUrl | string | `""` | OpenID Connect Discovery URL |
| ui.openIDConnect.callbackUrl | string | `""` | OpenID Connect Callback URL |
| ui.openIDConnect.clientId | string | `""` | OpenID Connect ClientID |
| ui.openIDConnect.clientSecret | string | `""` | OpenID Connect ClientSecret |
| ui.openIDConnect.scopes | list | `[]` | OpenID Connect allowed Scopes |
| ui.openIDConnect.secretRef | string | `""` | Provide OpenID Connect configuration via Secret supported keys: `discoveryUrl`, `clientId`, `clientSecret` |
| ui.oauth.enabled | bool | `false` | Enable openID Connect authentication |
| ui.oauth.provider | string | `""` | OAuth2 Provider supported: amazon, gitlab, github, apple, google, yandex, azuread |
| ui.oauth.callbackUrl | string | `""` | OpenID Connect Callback URL |
| ui.oauth.clientId | string | `""` | OpenID Connect ClientID |
| ui.oauth.clientSecret | string | `""` | OpenID Connect ClientSecret |
| ui.oauth.scopes | list | `[]` | OpenID Connect allowed Scopes |
| ui.oauth.secretRef | string | `""` | Provide OpenID Connect configuration via Secret supported keys: `provider`, `clientId`, `clientSecret` |
| ui.banner | string | `""` | optional banner text |
| ui.displayMode | string | `""` | DisplayMode dark/light/colorblind/colorblinddark uses the OS configured prefered color scheme as default |
| ui.customBoards | list | `[]` | Additional customizable dashboards |
| ui.sources | list | `[]` | source specific configurations |
| ui.name | string | `"Default"` | |
| ui.clusters | list | `[]` | Connected Policy Reporter APIs |
| ui.imagePullSecrets | list | `[]` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| ui.serviceAccount.create | bool | `true` | Create ServiceAccount |
| ui.serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
| ui.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| ui.serviceAccount.name | string | `""` | The ServiceAccount name |
| ui.extraManifests | list | `[]` | list of extra manifests |
| ui.sidecarContainers | object | `{}` | Add sidecar containers to the UI deployment sidecarContainers: oauth-proxy: image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 args: - --upstream=http://127.0.0.1:8080 - --http-address=0.0.0.0:8081 - ... ports: - containerPort: 8081 name: oauth-proxy protocol: TCP resources: {} |
| ui.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| ui.podLabels | object | `{}` | Additional labels to add to each pod |
| ui.updateStrategy | object | `{}` | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| ui.revisionHistoryLimit | int | `10` | The number of revisions to keep |
| ui.podSecurityContext | object | `{"runAsGroup":1234,"runAsUser":1234}` | Security context for the pod |
| ui.envVars | list | `[]` | Allow additional env variables to be added |
| ui.rbac.enabled | bool | `true` | Create RBAC resources |
| ui.securityContext.runAsUser | int | `1234` | |
| ui.securityContext.runAsNonRoot | bool | `true` | |
| ui.securityContext.privileged | bool | `false` | |
| ui.securityContext.allowPrivilegeEscalation | bool | `false` | |
| ui.securityContext.readOnlyRootFilesystem | bool | `true` | |
| ui.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| ui.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| ui.service.type | string | `"ClusterIP"` | Service type. |
| ui.service.port | int | `8080` | Service port. |
| ui.service.annotations | object | `{}` | Service annotations. |
| ui.service.labels | object | `{}` | Service labels. |
| ui.service.additionalPorts | list | `[]` | Additional service ports for e.g. Sidecars # - name: authenticated additionalPorts: - name: authenticated port: 8081 targetPort: 8081 |
| ui.ingress.enabled | bool | `false` | Create ingress resource. |
| ui.ingress.port | string | `nil` | Redirect ingress to an additional defined port on the service |
| ui.ingress.className | string | `""` | Ingress class name. |
| ui.ingress.labels | object | `{}` | Ingress labels. |
| ui.ingress.annotations | object | `{}` | Ingress annotations. |
| ui.ingress.hosts | list | `[]` | List of ingress host configurations. |
| ui.ingress.tls | list | `[]` | List of ingress TLS configurations. |
| ui.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| ui.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
| ui.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| ui.resources | object | `{}` | Resource constraints |
| ui.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if `maxUnavailable` is set. |
| ui.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if `minAvailable` is set. |
| ui.nodeSelector | object | `{}` | Node labels for pod assignment |
| ui.tolerations | list | `[]` | List of node taints to tolerate |
| ui.affinity | object | `{}` | Affinity constraints. |
| plugin.kyverno.enabled | bool | `false` | Enable Kyverno Plugin |
| plugin.kyverno.image.registry | string | `"ghcr.io"` | Image registry |
| plugin.kyverno.image.repository | string | `"kyverno/policy-reporter/kyverno-plugin"` | Image repository |
| plugin.kyverno.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
| plugin.kyverno.image.tag | string | `"0.3.0"` | Image tag Defaults to `Chart.AppVersion` if omitted |
| plugin.kyverno.replicaCount | int | `1` | Deployment replica count |
| plugin.kyverno.logging.api | bool | `false` | Enables external API request logging |
| plugin.kyverno.logging.server | bool | `false` | Enables Server access logging |
| plugin.kyverno.logging.encoding | string | `"console"` | log encoding possible encodings are console and json |
| plugin.kyverno.logging.logLevel | int | `0` | log level default info |
| plugin.kyverno.server.port | int | `8080` | Application port |
| plugin.kyverno.blockReports.enabled | bool | `false` | Enables he BlockReport feature |
| plugin.kyverno.blockReports.eventNamespace | string | `"default"` | Watches for Kyverno Events in the configured namespace leave blank to watch in all namespaces |
| plugin.kyverno.blockReports.results.maxPerReport | int | `200` | Max items per PolicyReport resource |
| plugin.kyverno.blockReports.results.keepOnlyLatest | bool | `false` | Keep only the latest of duplicated events |
| plugin.kyverno.imagePullSecrets | list | `[]` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| plugin.kyverno.serviceAccount.create | bool | `true` | Create ServiceAccount |
| plugin.kyverno.serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
| plugin.kyverno.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| plugin.kyverno.serviceAccount.name | string | `""` | The ServiceAccount name |
| plugin.kyverno.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| plugin.kyverno.podLabels | object | `{}` | Additional labels to add to each pod |
| plugin.kyverno.updateStrategy | object | `{}` | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| plugin.kyverno.revisionHistoryLimit | int | `10` | The number of revisions to keep |
| plugin.kyverno.podSecurityContext | object | `{"runAsGroup":1234,"runAsUser":1234}` | Security context for the pod |
| plugin.kyverno.envVars | list | `[]` | Allow additional env variables to be added |
| plugin.kyverno.rbac.enabled | bool | `true` | Create RBAC resources |
| plugin.kyverno.securityContext.runAsUser | int | `1234` | |
| plugin.kyverno.securityContext.runAsNonRoot | bool | `true` | |
| plugin.kyverno.securityContext.privileged | bool | `false` | |
| plugin.kyverno.securityContext.allowPrivilegeEscalation | bool | `false` | |
| plugin.kyverno.securityContext.readOnlyRootFilesystem | bool | `true` | |
| plugin.kyverno.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| plugin.kyverno.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| plugin.kyverno.service.type | string | `"ClusterIP"` | Service type. |
| plugin.kyverno.service.port | int | `8080` | Service port. |
| plugin.kyverno.service.annotations | object | `{}` | Service annotations. |
| plugin.kyverno.service.labels | object | `{}` | Service labels. |
| plugin.kyverno.ingress.enabled | bool | `false` | Create ingress resource. |
| plugin.kyverno.ingress.className | string | `""` | Ingress class name. |
| plugin.kyverno.ingress.labels | object | `{}` | Ingress labels. |
| plugin.kyverno.ingress.annotations | object | `{}` | Ingress annotations. |
| plugin.kyverno.ingress.hosts | list | `[]` | List of ingress host configurations. |
| plugin.kyverno.ingress.tls | list | `[]` | List of ingress TLS configurations. |
| plugin.kyverno.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| plugin.kyverno.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
| plugin.kyverno.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| plugin.kyverno.resources | object | `{}` | Resource constraints |
| plugin.kyverno.leaderElection.lockName | string | `"kyverno-plugin"` | Lock Name |
| plugin.kyverno.leaderElection.releaseOnCancel | bool | `true` | Released lock when the run context is cancelled. |
| plugin.kyverno.leaderElection.leaseDuration | int | `15` | LeaseDuration is the duration that non-leader candidates will wait to force acquire leadership. |
| plugin.kyverno.leaderElection.renewDeadline | int | `10` | RenewDeadline is the duration that the acting master will retry refreshing leadership before giving up. |
| plugin.kyverno.leaderElection.retryPeriod | int | `2` | RetryPeriod is the duration the LeaderElector clients should wait between tries of actions. |
| plugin.kyverno.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if `maxUnavailable` is set. |
| plugin.kyverno.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if `minAvailable` is set. |
| plugin.kyverno.nodeSelector | object | `{}` | Node labels for pod assignment |
| plugin.kyverno.tolerations | list | `[]` | List of node taints to tolerate |
| plugin.kyverno.affinity | object | `{}` | Affinity constraints. |
| plugin.trivy.enabled | bool | `false` | Enable Trivy Operator Plugin |
| plugin.trivy.image.registry | string | `"ghcr.io"` | Image registry |
| plugin.trivy.image.repository | string | `"kyverno/policy-reporter/trivy-plugin"` | Image repository |
| plugin.trivy.image.pullPolicy | string | `"IfNotPresent"` | Image PullPolicy |
| plugin.trivy.image.tag | string | `"0.2.0"` | Image tag Defaults to `Chart.AppVersion` if omitted |
| plugin.trivy.replicaCount | int | `1` | Deployment replica count |
| plugin.trivy.logging.api | bool | `false` | Enables external API request logging |
| plugin.trivy.logging.server | bool | `false` | Enables Server access logging |
| plugin.trivy.logging.encoding | string | `"console"` | log encoding possible encodings are console and json |
| plugin.trivy.logging.logLevel | int | `0` | log level default info |
| plugin.trivy.server.port | int | `8080` | Application port |
| plugin.trivy.policyReporter.skipTLS | bool | `false` | Skip TLS Verification |
| plugin.trivy.policyReporter.certificate | string | `""` | TLS Certificate |
| plugin.trivy.policyReporter.secretRef | string | `""` | Secret to read the API configuration from supports `host`, `certificate`, `skipTLS`, `username`, `password` key |
| plugin.trivy.imagePullSecrets | list | `[]` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| plugin.trivy.serviceAccount.create | bool | `true` | Create ServiceAccount |
| plugin.trivy.serviceAccount.automount | bool | `true` | Enable ServiceAccount automaount |
| plugin.trivy.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| plugin.trivy.serviceAccount.name | string | `""` | The ServiceAccount name |
| plugin.trivy.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| plugin.trivy.podLabels | object | `{}` | Additional labels to add to each pod |
| plugin.trivy.updateStrategy | object | `{}` | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| plugin.trivy.revisionHistoryLimit | int | `10` | The number of revisions to keep |
| plugin.trivy.podSecurityContext | object | `{"runAsGroup":1234,"runAsUser":1234}` | Security context for the pod |
| plugin.trivy.envVars | list | `[]` | Allow additional env variables to be added |
| plugin.trivy.rbac.enabled | bool | `true` | Create RBAC resources |
| plugin.trivy.securityContext.runAsUser | int | `1234` | |
| plugin.trivy.securityContext.runAsNonRoot | bool | `true` | |
| plugin.trivy.securityContext.privileged | bool | `false` | |
| plugin.trivy.securityContext.allowPrivilegeEscalation | bool | `false` | |
| plugin.trivy.securityContext.readOnlyRootFilesystem | bool | `true` | |
| plugin.trivy.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| plugin.trivy.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| plugin.trivy.service.type | string | `"ClusterIP"` | Service type. |
| plugin.trivy.service.port | int | `8080` | Service port. |
| plugin.trivy.service.annotations | object | `{}` | Service annotations. |
| plugin.trivy.service.labels | object | `{}` | Service labels. |
| plugin.trivy.ingress.enabled | bool | `false` | Create ingress resource. |
| plugin.trivy.ingress.className | string | `""` | Ingress class name. |
| plugin.trivy.ingress.labels | object | `{}` | Ingress labels. |
| plugin.trivy.ingress.annotations | object | `{}` | Ingress annotations. |
| plugin.trivy.ingress.hosts | list | `[]` | List of ingress host configurations. |
| plugin.trivy.ingress.tls | list | `[]` | List of ingress TLS configurations. |
| plugin.trivy.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| plugin.trivy.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
| plugin.trivy.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| plugin.trivy.resources | object | `{}` | Resource constraints |
| plugin.trivy.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyvernoPlugin disruptions. Cannot be used if `maxUnavailable` is set. |
| plugin.trivy.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyvernoPlugin disruptions. Cannot be used if `minAvailable` is set. |
| plugin.trivy.nodeSelector | object | `{}` | Node labels for pod assignment |
| plugin.trivy.tolerations | list | `[]` | List of node taints to tolerate |
| plugin.trivy.affinity | object | `{}` | Affinity constraints. |
| monitoring.enabled | bool | `false` | Enables the Prometheus Operator integration |
| monitoring.annotations | object | `{}` | Key/value pairs that are attached to all resources. |
| monitoring.serviceMonitor.honorLabels | bool | `false` | HonorLabels chooses the metrics labels on collisions with target labels |
| monitoring.serviceMonitor.namespace | string | `nil` | Allow to override the namespace for serviceMonitor |
| monitoring.serviceMonitor.labels | object | `{}` | Labels to match the serviceMonitorSelector of the Prometheus Resource |
| monitoring.serviceMonitor.relabelings | list | `[]` | ServiceMonitor Relabelings https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig |
| monitoring.serviceMonitor.metricRelabelings | list | `[]` | See serviceMonitor.relabelings |
| monitoring.serviceMonitor.namespaceSelector | optional | `{}` | NamespaceSelector |
| monitoring.serviceMonitor.scrapeTimeout | optional | `nil` | ScrapeTimeout |
| monitoring.serviceMonitor.interval | optional | `nil` | Scrape interval |
| monitoring.grafana.namespace | string | `nil` | Naamespace for configMap of grafana dashboards |
| monitoring.grafana.dashboards.enabled | bool | `true` | Enable the deployment of grafana dashboards |
| monitoring.grafana.dashboards.label | string | `"grafana_dashboard"` | Label to find dashboards using the k8s sidecar |
| monitoring.grafana.dashboards.value | string | `"1"` | Label value to find dashboards using the k8s sidecar |
| monitoring.grafana.dashboards.labelFilter | list | `[]` | List of custom label filter Used to add filter for report label based metric labels defined in custom mode |
| monitoring.grafana.dashboards.multicluster.enabled | bool | `false` | Enable cluster filter in all dashboards |
| monitoring.grafana.dashboards.multicluster.label | string | `"cluster"` | Metric Label which is used to filter clusters |
| monitoring.grafana.dashboards.enable.overview | bool | `true` | Enable the Overview Dashboard |
| monitoring.grafana.dashboards.enable.policyReportDetails | bool | `true` | Enable the PolicyReport Dashboard |
| monitoring.grafana.dashboards.enable.clusterPolicyReportDetails | bool | `true` | Enable the ClusterPolicyReport Dashboard |
| monitoring.grafana.folder.annotation | string | `"grafana_folder"` | Annotation to enable folder storage using the k8s sidecar |
| monitoring.grafana.folder.name | string | `"Policy Reporter"` | Grafana folder in which to store the dashboards |
| monitoring.grafana.datasource.label | string | `"Prometheus"` | Grafana Datasource Label |
| monitoring.grafana.datasource.pluginId | string | `"prometheus"` | Grafana Datasource PluginId |
| monitoring.grafana.datasource.pluginName | string | `"Prometheus"` | Grafana Datasource PluginName |
| monitoring.grafana.grafanaDashboard.enabled | bool | `false` | Create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ |
| monitoring.grafana.grafanaDashboard.folder | string | `"kyverno"` | Dashboard folder |
| monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport | bool | `true` | Allow cross Namespace import |
| monitoring.grafana.grafanaDashboard.matchLabels | object | `{"dashboards":"grafana"}` | Label match selector |
| monitoring.policyReportDetails.firstStatusRow.height | int | `8` | |
| monitoring.policyReportDetails.secondStatusRow.enabled | bool | `true` | |
| monitoring.policyReportDetails.secondStatusRow.height | int | `2` | |
| monitoring.policyReportDetails.statusTimeline.enabled | bool | `true` | |
| monitoring.policyReportDetails.statusTimeline.height | int | `8` | |
| monitoring.policyReportDetails.passTable.enabled | bool | `true` | |
| monitoring.policyReportDetails.passTable.height | int | `8` | |
| monitoring.policyReportDetails.failTable.enabled | bool | `true` | |
| monitoring.policyReportDetails.failTable.height | int | `8` | |
| monitoring.policyReportDetails.warningTable.enabled | bool | `true` | |
| monitoring.policyReportDetails.warningTable.height | int | `4` | |
| monitoring.policyReportDetails.errorTable.enabled | bool | `true` | |
| monitoring.policyReportDetails.errorTable.height | int | `4` | |
| monitoring.clusterPolicyReportDetails.statusRow.height | int | `6` | |
| monitoring.clusterPolicyReportDetails.statusTimeline.enabled | bool | `true` | |
| monitoring.clusterPolicyReportDetails.statusTimeline.height | int | `8` | |
| monitoring.clusterPolicyReportDetails.passTable.enabled | bool | `true` | |
| monitoring.clusterPolicyReportDetails.passTable.height | int | `8` | |
| monitoring.clusterPolicyReportDetails.failTable.enabled | bool | `true` | |
| monitoring.clusterPolicyReportDetails.failTable.height | int | `8` | |
| monitoring.clusterPolicyReportDetails.warningTable.enabled | bool | `true` | |
| monitoring.clusterPolicyReportDetails.warningTable.height | int | `4` | |
| monitoring.clusterPolicyReportDetails.errorTable.enabled | bool | `true` | |
| monitoring.clusterPolicyReportDetails.errorTable.height | int | `4` | |
| monitoring.policyReportOverview.failingSummaryRow.height | int | `8` | |
| monitoring.policyReportOverview.failingTimeline.height | int | `10` | |
| monitoring.policyReportOverview.failingPolicyRuleTable.height | int | `10` | |
| monitoring.policyReportOverview.failingClusterPolicyRuleTable.height | int | `10` | |
* [[Video] 37. #EveryoneCanContribute cafe: Policy reporter for Kyverno](https://youtu.be/1mKywg9f5Fw)
* [[Video] Rawkode Live: Hands on Policy Reporter](https://www.youtube.com/watch?v=ZrOtTELNLyg)
* [[Blog] Monitor Security and Best Practices with Kyverno and Policy Reporter](https://blog.webdev-jogeleit.de/blog/monitor-security-with-kyverno-and-policy-reporter/)
## Source Code
* <https://github.com/kyverno/policy-reporter>
## Maintainers
| Name | Email | Url |
| ---- | ------ | --- |
| Frank Jogeleit | | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

View file

@ -0,0 +1,50 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.description" . }}
{{ template "chart.badgesSection" . }}
## Documentation
You can find detailed Information and Screens about Features and Configurations in the [Documentation](https://kyverno.github.io/policy-reporter-docs).
## Installation with Helm v3
Installation via Helm Repository
### Add the Helm repository
```bash
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
helm repo update
```
### Basic Installation
The basic installation provides an Prometheus Metrics Endpoint and different REST APIs, for more details have a look at the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-getting-started).
```bash
helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace
```
## Policy Reporter UI
You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
### Installation with Policy Reporter UI and Kyverno Plugin enabled
```bash
helm install policy-reporter policy-reporter/policy-reporter --set plugin.kyverno.enabled=true --set ui.enabled=true -n policy-reporter --create-namespace
kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter
```
Open `http://localhost:8082/` in your browser.
{{ template "chart.valuesSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.maintainersSection" . }}
{{ template "helm-docs.versionFooter" . }}

View file

@ -1,7 +0,0 @@
apiVersion: v2
name: kyvernoPlugin
description: Policy Reporter Kyverno Plugin
type: application
version: 1.6.5
appVersion: 1.6.3

View file

@ -1,21 +0,0 @@
blockReports:
{{- toYaml .Values.blockReports | nindent 2 }}
leaderElection:
enabled: {{ or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
releaseOnCancel: {{ .Values.leaderElection.releaseOnCancel }}
leaseDuration: {{ .Values.leaderElection.leaseDuration }}
renewDeadline: {{ .Values.leaderElection.renewDeadline }}
retryPeriod: {{ .Values.leaderElection.retryPeriod }}
logging:
encoding: {{ .Values.logging.encoding }}
logLevel: {{ include "kyvernoplugin.logLevel" . }}
development: {{ .Values.logging.development }}
api:
logging: {{ .Values.api.logging }}
basicAuth:
username: {{ .Values.global.basicAuth.username }}
password: {{ .Values.global.basicAuth.password }}
secretRef: {{ .Values.global.basicAuth.secretRef }}

View file

@ -1,105 +0,0 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kyvernoplugin.fullname" -}}
{{- $name := "kyverno-plugin" }}
{{- if .Values.global.fullnameOverride }}
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
{{- else if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- define "kyvernoplugin.name" -}}
{{- "kyverno-plugin" }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kyvernoplugin.chart" -}}
{{- printf "kyverno-plugin-%s" .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kyvernoplugin.labels" -}}
helm.sh/chart: {{ include "kyvernoplugin.chart" . }}
{{ include "kyvernoplugin.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/component: plugin
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: policy-reporter
{{- with .Values.global.labels }}
{{ toYaml . }}
{{- end -}}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kyvernoplugin.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kyvernoplugin.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Pod labels
*/}}
{{- define "kyvernoplugin.podLabels" -}}
helm.sh/chart: {{ include "kyvernoplugin.chart" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: policy-reporter
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kyvernoplugin.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kyvernoplugin.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "ui.selectorLabels" -}}
app.kubernetes.io/name: ui
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "kyvernoplugin.securityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.securityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.securityContext }}
{{- end }}
{{- end }}
{{/* Get the namespace name. */}}
{{- define "kyvernoplugin.namespace" -}}
{{- if .Values.global.namespace -}}
{{- .Values.global.namespace -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/* Get the namespace name. */}}
{{- define "kyvernoplugin.logLevel" -}}
{{- if .Values.api.logging -}}
-1
{{- else -}}
{{- .Values.logging.logLevel -}}
{{- end -}}
{{- end -}}

View file

@ -1,20 +0,0 @@
{{- if and .Values.serviceAccount.create .Values.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kyvernoplugin.fullname" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
name: {{ include "kyvernoplugin.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: {{ include "kyvernoplugin.serviceAccountName" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
{{- end -}}

View file

@ -1,14 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "kyvernoplugin.fullname" . }}-config
namespace: {{ include "kyvernoplugin.namespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
type: Opaque
data:
config.yaml: {{ tpl (.Files.Get "config.yaml") . | b64enc }}

View file

@ -1,129 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kyvernoplugin.fullname" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.deploymentStrategy }}
strategy:
{{- toYaml .Values.deploymentStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kyvernoplugin.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kyvernoplugin.selectorLabels" . | nindent 8 }}
{{- include "kyvernoplugin.podLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
checksum/secret: {{ include (print .Template.BasePath "/config-secret.yaml") . | sha256sum | quote }}
{{- with .Values.annotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kyvernoplugin.serviceAccountName" . }}
automountServiceAccountToken: true
containers:
- name: "kyverno-plugin"
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.securityContext }}
securityContext: {{ include "kyvernoplugin.securityContext" . | nindent 12 }}
{{- end }}
args:
- --port={{ .Values.port.number }}
- --metrics-enabled={{ .Values.metrics.enabled }}
- --rest-enabled={{ .Values.rest.enabled }}
- --lease-name={{ include "kyvernoplugin.fullname" . }}
ports:
- name: {{ .Values.port.name }}
containerPort: {{ .Values.port.number }}
protocol: TCP
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: config-file
mountPath: /app/config.yaml
subPath: config.yaml
readOnly: true
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
{{- if .Values.global.basicAuth.secretRef }}
- name: API_AUTH_USERNAME
valueFrom:
secretKeyRef:
name: {{ .Values.global.basicAuth.secretRef }}
key: username
optional: false
- name: API_AUTH_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.global.basicAuth.secretRef }}
key: password
optional: false
{{- end }}
{{- with .Values.envVars }}
{{- . | toYaml | trim | nindent 10 }}
{{- end }}
volumes:
- name: config-file
secret:
secretName: {{ include "kyvernoplugin.fullname" . }}-config
optional: true
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

View file

@ -1,61 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "kyvernoplugin.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "kyvernoplugin.namespace" . }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
{{- if or .Values.annotations .Values.ingress.annotations }}
annotations:
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.annotations }}
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- toYaml .Values.ingress.tls | nindent 4 }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -1,33 +0,0 @@
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels: {{- include "kyvernoplugin.labels" . | nindent 4 }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
name: {{ include "kyvernoplugin.fullname" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
spec:
podSelector:
matchLabels: {{- include "kyvernoplugin.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
{{- include "ui.selectorLabels" . | nindent 10 }}
ports:
- protocol: TCP
port: 8080
{{- with .Values.networkPolicy.ingress }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.networkPolicy.egress }}
egress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

View file

@ -1,22 +0,0 @@
{{- if (gt (int .Values.replicaCount) 1) }}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyvernoplugin.fullname" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
spec:
{{- include "policyreporter.podDisruptionBudget" . | indent 2 }}
selector:
matchLabels:
{{- include "kyvernoplugin.selectorLabels" . | nindent 6 }}
{{- end }}

View file

@ -1,24 +0,0 @@
{{- if and (and .Values.serviceAccount.create .Values.rbac.enabled) (and .Values.blockReports.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1))) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
name: {{ include "kyvernoplugin.fullname" . }}-leaderelection
namespace: {{ include "kyvernoplugin.namespace" . }}
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end -}}

View file

@ -1,21 +0,0 @@
{{- if and (and .Values.serviceAccount.create .Values.rbac.enabled) (and .Values.blockReports.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1))) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kyvernoplugin.fullname" . }}-leaderelection
namespace: {{ include "kyvernoplugin.namespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
roleRef:
kind: Role
name: {{ include "kyvernoplugin.fullname" . }}-leaderelection
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: {{ include "kyvernoplugin.serviceAccountName" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
{{- end -}}

View file

@ -1,19 +0,0 @@
{{- if and .Values.serviceAccount.create .Values.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
name: {{ include "kyvernoplugin.fullname" . }}-secret-reader
namespace: {{ include "kyvernoplugin.namespace" . }}
rules:
- apiGroups: ['']
resources:
- secrets
verbs:
- get
{{- end -}}

View file

@ -1,21 +0,0 @@
{{- if and .Values.serviceAccount.create .Values.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kyvernoplugin.fullname" . }}-secret-reader
namespace: {{ include "kyvernoplugin.namespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
roleRef:
kind: Role
name: {{ include "kyvernoplugin.fullname" . }}-secret-reader
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: {{ include "kyvernoplugin.serviceAccountName" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
{{- end -}}

View file

@ -1,30 +0,0 @@
{{- if .Values.service.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kyvernoplugin.fullname" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
{{- with .Values.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.annotations .Values.service.annotations }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.port.name }}
protocol: TCP
name: rest
selector:
{{- include "kyvernoplugin.selectorLabels" . | nindent 4 }}
{{- end }}

View file

@ -1,18 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kyvernoplugin.serviceAccountName" . }}
namespace: {{ include "kyvernoplugin.namespace" . }}
labels:
{{- include "kyvernoplugin.labels" . | nindent 4 }}
{{- if or .Values.annotations .Values.serviceAccount.annotations }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -1,211 +0,0 @@
image:
registry: ghcr.io
repository: kyverno/policy-reporter-kyverno-plugin
pullPolicy: IfNotPresent
tag: 1.6.3
imagePullSecrets: []
priorityClassName: ""
replicaCount: 1
revisionHistoryLimit: 10
deploymentStrategy: {}
# rollingUpdate:
# maxSurge: 25%
# maxUnavailable: 25%
# type: RollingUpdate
# When using a custom port together with the PolicyReporter UI
# the port has also to be changed in the UI subchart as well because it can't access values of other subcharts.
# You can change the port under `ui.kyvernoPlugin.port`
port:
name: rest
number: 8080
# Key/value pairs that are attached to all resources.
annotations: {}
# Create cluster role policies
rbac:
enabled: true
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
service:
enabled: true
## configuration of service
# key/value
annotations: {}
# key/value
labels: {}
port: 8080
type: ClusterIP
## Set to true to enable ingress record generation
# ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
className: ""
# key/value
labels: {}
# key/value
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
podSecurityContext:
runAsUser: 1234
runAsGroup: 1234
securityContext:
runAsUser: 1234
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# Key/value pairs that are attached to pods.
podAnnotations: {}
# Key/value pairs that are attached to pods.
podLabels: {}
# Allow additional env variables to be added
envVars: []
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# memory: 30Mi
# cpu: 10m
# requests:
# memory: 20Mi
# cpu: 5m
# Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Tolerations for pod assignment
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Anti-affinity to disallow deploying client and master nodes on the same worker node
affinity: {}
# Topology Spread Constraints to better spread pods
topologySpreadConstraints: []
# livenessProbe for policy-reporter-kyverno-plugin
livenessProbe:
httpGet:
path: /healthz
port: rest
# readinessProbe for policy-reporter-kyverno-plugin
readinessProbe:
httpGet:
path: /ready
port: rest
# REST API
rest:
enabled: true
# Prometheus Metrics API
metrics:
enabled: true
logging:
encoding: console # possible encodings are console and json
logLevel: 0 # default info
development: false # more human readable structure, enables stacktraces and removes log sampling
api:
logging: false # enable debug API access logging, sets logLevel to debug
# create PolicyReports for enforce policies,
# based on Events created by Kyverno (>= v1.7.0)
blockReports:
enabled: false
eventNamespace: default
results:
maxPerReport: 200
keepOnlyLatest: false
# required if policy-reporter-kyverno-plugin should run in HA mode and the "blockReports" feature is enabled
# if "blockReports" is disabled, leaderElection is also disabled automatically
# will be enabled when replicaCount > 1
leaderElection:
enabled: false
releaseOnCancel: true
leaseDuration: 15
renewDeadline: 10
retryPeriod: 2
# enabled if replicaCount > 1
podDisruptionBudget:
# -- Configures the minimum available pods for kyvernoPlugin disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
# -- Configures the maximum unavailable pods for kyvernoPlugin disruptions.
# Cannot be used if `minAvailable` is set.
maxUnavailable:
# Enable a NetworkPolicy for this chart. Useful on clusters where Network Policies are
# used and configured in a default-deny fashion.
networkPolicy:
enabled: false
# Kubernetes API Server
egress:
- to:
ports:
- protocol: TCP
port: 6443
ingress: []
# Should be set in the parent chart only
global:
# available plugins
plugins:
# enable kyverno for Policy Reporter UI and monitoring
kyverno: false
# overwrite the fullname of all resources including subcharts
fullnameOverride: ""
# configure the namespace of all resources including subcharts
namespace: ""
# additional labels added on each resource
labels: {}
# basicAuth for APIs and metrics
basicAuth:
# HTTP BasicAuth username
username: ""
# HTTP BasicAuth password
password: ""
# read credentials from secret
secretRef: ""

View file

@ -1,7 +0,0 @@
apiVersion: v2
name: monitoring
description: Policy Reporter Monitoring with predefined ServiceMonitor and Grafana Dashboards
type: application
version: 2.8.2
appVersion: 0.0.0

View file

@ -1,85 +0,0 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "monitoring.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if .Values.global.fullnameOverride }}
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
{{- else if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "monitoring.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "monitoring.labels" -}}
helm.sh/chart: {{ include "monitoring.chart" . }}
{{ include "monitoring.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/component: monitoring
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: kyverno
{{- with .Values.global.labels }}
{{ toYaml . }}
{{- end -}}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "monitoring.selectorLabels" -}}
app.kubernetes.io/name: {{ include "monitoring.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "monitoring.name" -}}
{{- "monitoring" }}
{{- end }}
{{- define "monitoring.namespace" -}}
{{- if .Values.grafana.namespace -}}
{{- .Values.grafana.namespace -}}
{{- else if .Values.global.namespace -}}
{{- .Values.global.namespace -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end }}
{{- end }}
{{- define "kyvernoplugin.selectorLabels" -}}
app.kubernetes.io/name: kyverno-plugin
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/* Get the namespace name. */}}
{{- define "monitoring.smNamespace" -}}
{{- if .Values.serviceMonitor.namespace -}}
{{- .Values.serviceMonitor.namespace -}}
{{- else if .Values.global.namespace -}}
{{- .Values.global.namespace -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end }}
{{- end }}
{{/*
Policy Reporter Selector labels
*/}}
{{- define "policyreporter.selectorLabels" -}}
app.kubernetes.io/name: policy-reporter
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

View file

@ -1,17 +0,0 @@
{{- if and .Values.global.basicAuth.username .Values.global.basicAuth.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "monitoring.fullname" . }}-auth
namespace: {{ include "monitoring.smNamespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "monitoring.labels" . | nindent 4 }}
type: Opaque
data:
username: {{ .Values.global.basicAuth.username | b64enc }}
password: {{ .Values.global.basicAuth.password | b64enc }}
{{- end }}

View file

@ -1,20 +0,0 @@
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.clusterPolicyReportDetails $.Values.grafana.grafanaDashboard.enabled }}
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
labels:
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
{{- include "monitoring.labels" . | nindent 4 }}
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
namespace: {{ include "monitoring.namespace" . }}
spec:
allowCrossNamespaceImport: {{ $.Values.grafana.grafanaDashboard.allowCrossNamespaceImport }}
folder: {{ $.Values.grafana.grafanaDashboard.folder }}
instanceSelector:
matchLabels:
{{- toYaml $.Values.grafana.grafanaDashboard.matchLabels | nindent 6 }}
configMapRef:
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
key: cluster-policy-reporter-details-dashboard.json
{{- end }}

View file

@ -1,63 +0,0 @@
{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "monitoring.fullname" . }}-kyverno-plugin
namespace: {{ include "monitoring.smNamespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- include "monitoring.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "kyvernoplugin.selectorLabels" . | nindent 8 }}
{{- with .Values.kyverno.serviceMonitor.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
endpoints:
- port: rest
{{- if and .Values.global.basicAuth.username .Values.global.basicAuth.password }}
basicAuth:
password:
name: {{ include "monitoring.fullname" . }}-auth
key: password
username:
name: {{ include "monitoring.fullname" . }}-auth
key: username
{{- else if .Values.global.basicAuth.secretRef }}
basicAuth:
password:
name: {{ .Values.global.basicAuth.secretRef }}
key: password
username:
name: {{ .Values.global.basicAuth.secretRef }}
key: username
{{- end }}
honorLabels: {{ .Values.kyverno.serviceMonitor.honorLabels }}
{{- if .Values.kyverno.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.kyverno.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.kyverno.serviceMonitor.interval }}
interval: {{ .Values.kyverno.serviceMonitor.interval }}
{{- end }}
relabelings:
- action: labeldrop
regex: pod|service|container
- targetLabel: instance
replacement: policy-reporter
action: replace
{{- with .Values.kyverno.serviceMonitor.relabelings }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.kyverno.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View file

@ -1,20 +0,0 @@
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.overview $.Values.grafana.grafanaDashboard.enabled }}
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
labels:
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
{{- include "monitoring.labels" . | nindent 4 }}
name: {{ include "monitoring.fullname" . }}-overview-dashboard
namespace: {{ include "monitoring.namespace" . }}
spec:
allowCrossNamespaceImport: {{ $.Values.grafana.grafanaDashboard.allowCrossNamespaceImport }}
folder: {{ $.Values.grafana.grafanaDashboard.folder }}
instanceSelector:
matchLabels:
{{- toYaml $.Values.grafana.grafanaDashboard.matchLabels | nindent 6 }}
configMapRef:
name: {{ include "monitoring.fullname" . }}-overview-dashboard
key: policy-reporter-dashboard.json
{{- end }}

View file

@ -1,20 +0,0 @@
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.policyReportDetails $.Values.grafana.grafanaDashboard.enabled }}
---
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
labels:
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
{{- include "monitoring.labels" . | nindent 4 }}
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
namespace: {{ include "monitoring.namespace" . }}
spec:
allowCrossNamespaceImport: {{ $.Values.grafana.grafanaDashboard.allowCrossNamespaceImport }}
folder: {{ $.Values.grafana.grafanaDashboard.folder }}
instanceSelector:
matchLabels:
{{- toYaml $.Values.grafana.grafanaDashboard.matchLabels | nindent 6 }}
configMapRef:
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
key: policy-reporter-details-dashboard.json
{{- end }}

View file

@ -1,150 +0,0 @@
# Override the chart name used for all resources
nameOverride: ""
plugins:
kyverno: false
# Key/value pairs that are attached to all resources.
annotations: {}
serviceMonitor:
# HonorLabels chooses the metrics labels on collisions with target labels
honorLabels: false
# allow to override the namespace for serviceMonitor
namespace:
# labels to match the serviceMonitorSelector of the Prometheus Resource
labels: {}
# https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
relabelings: []
# see serviceMonitor.relabelings
metricRelabelings: []
# optional namespaceSelector
namespaceSelector: {}
# optional scrapeTimeout
scrapeTimeout:
# optional scrape interval
interval:
kyverno:
serviceMonitor:
# HonorLabels chooses the metrics labels on collisions with target labels
honorLabels: false
# see serviceMonitor.relabelings
relabelings: []
# see serviceMonitor.relabelings
metricRelabelings: []
# optional namespaceSelector
namespaceSelector: {}
# optional scrapeTimeout
scrapeTimeout:
# optional scrape interval
interval:
grafana:
# namespace for configMap of grafana dashboards
namespace:
dashboards:
# Enable the deployment of grafana dashboards
enabled: true
# Label to find dashboards using the k8s sidecar
label: grafana_dashboard
value: "1"
labelFilter: []
multicluster:
enabled: false
label: cluster
enable:
overview: true
policyReportDetails: true
clusterPolicyReportDetails: true
folder:
# Annotation to enable folder storage using the k8s sidecar
annotation: grafana_folder
# Grafana folder in which to store the dashboards
name: Policy Reporter
datasource:
label: Prometheus
pluginId: prometheus
pluginName: Prometheus
# -- create GrafanaDashboard custom resource referencing to the configMap.
# according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
grafanaDashboard:
enabled: false
folder: kyverno
allowCrossNamespaceImport: true
matchLabels:
dashboards: "grafana"
policyReportDetails:
firstStatusRow:
height: 8
secondStatusRow:
enabled: true
height: 2
statusTimeline:
enabled: true
height: 8
passTable:
enabled: true
height: 8
failTable:
enabled: true
height: 8
warningTable:
enabled: true
height: 4
errorTable:
enabled: true
height: 4
clusterPolicyReportDetails:
statusRow:
height: 6
statusTimeline:
enabled: true
height: 8
passTable:
enabled: true
height: 8
failTable:
enabled: true
height: 8
warningTable:
enabled: true
height: 4
errorTable:
enabled: true
height: 4
policyReportOverview:
failingSummaryRow:
height: 8
failingTimeline:
height: 10
failingPolicyRuleTable:
height: 10
failingClusterPolicyRuleTable:
height: 10
# Should be set in the parent chart only
global:
# available plugins
plugins:
# enable kyverno for Policy Reporter UI and monitoring
kyverno: false
# overwrite the fullname of all resources including subcharts
fullnameOverride: ""
# configure the namespace of all resources including subcharts
namespace: ""
# additional labels added on each resource
labels: {}
# basicAuth for APIs and metrics
basicAuth:
# HTTP BasicAuth username
username: ""
# HTTP BasicAuth password
password: ""
# read credentials from secret
secretRef: ""

View file

@ -1,7 +0,0 @@
apiVersion: v2
name: ui
description: Policy Reporter UI
type: application
version: 2.10.5
appVersion: 1.9.2

View file

@ -1,140 +0,0 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "ui.fullname" -}}
{{- $name := "ui" }}
{{- if .Values.global.fullnameOverride }}
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
{{- else if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- define "ui.name" -}}
{{- "ui" }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ui.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "ui.labels" -}}
helm.sh/chart: {{ include "ui.chart" . }}
{{ include "ui.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/component: ui
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: policy-reporter
{{- with .Values.global.labels }}
{{ toYaml . }}
{{- end -}}
{{- with .Values.ingress.labels }}
{{ toYaml . }}
{{- end -}}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "ui.selectorLabels" -}}
app.kubernetes.io/name: {{ include "ui.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Pod labels
*/}}
{{- define "ui.podLabels" -}}
helm.sh/chart: {{ include "ui.chart" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/part-of: policy-reporter
{{- end }}
{{/*
Policy Reporter Selector labels
*/}}
{{- define "policyreporter.selectorLabels" -}}
app.kubernetes.io/name: policy-reporter
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Kyverno Plugin Selector labels
*/}}
{{- define "kyvernoplugin.selectorLabels" -}}
app.kubernetes.io/name: kyverno-plugin
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "ui.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "ui.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "ui.kyvernoPluginServiceName" -}}
{{- $name := "kyverno-plugin" }}
{{- if .Values.global.fullnameOverride }}
{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
{{- else if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- define "ui.policyReportServiceName" -}}
{{- $name := "policy-reporter" }}
{{- if .Values.global.backend }}
{{- .Values.global.backend }}
{{- else if .Values.global.fullnameOverride }}
{{- .Values.global.fullnameOverride }}
{{- else if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- define "ui.securityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.securityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.securityContext }}
{{- end }}
{{- end }}
{{/* Get the namespace name. */}}
{{- define "ui.namespace" -}}
{{- if .Values.global.namespace -}}
{{- .Values.global.namespace -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/* Get the namespace name. */}}
{{- define "ui.logLevel" -}}
{{- if .Values.api.logging -}}
-1
{{- else -}}
{{- .Values.logging.logLevel -}}
{{- end -}}
{{- end -}}

View file

@ -1,52 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "ui.fullname" . }}-config
namespace: {{ include "ui.namespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "ui.labels" . | nindent 4 }}
data:
config.yaml: |-
logSize: {{ .Values.log.size }}
displayMode: {{ .Values.displayMode | quote }}
refreshInterval: {{ .Values.refreshInterval }}
clusterName: {{ .Values.clusterName | quote }}
views:
dashboard:
policyReports: {{ .Values.views.dashboard.policyReports }}
clusterPolicyReports: {{ .Values.views.dashboard.clusterPolicyReports }}
logs: {{ .Values.views.logs }}
policyReports: {{ .Values.views.policyReports }}
clusterPolicyReports: {{ .Values.views.clusterPolicyReports }}
kyvernoPolicies: {{ .Values.views.kyvernoPolicies }}
kyvernoVerifyImages: {{ .Values.views.kyvernoVerifyImages }}
{{- with .Values.clusters }}
clusters:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.labelFilter }}
labelFilter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.redis }}
redis:
{{- toYaml . | nindent 6 }}
{{- end }}
logging:
encoding: {{ .Values.logging.encoding }}
logLevel: {{ include "ui.logLevel" . }}
development: {{ .Values.logging.development }}
apiConfig:
logging: {{ .Values.api.logging }}
overwriteHost: {{ .Values.api.overwriteHost }}
basicAuth:
username: {{ .Values.global.basicAuth.username }}
password: {{ .Values.global.basicAuth.password }}
secretRef: {{ .Values.global.basicAuth.secretRef }}

View file

@ -1,123 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ui.fullname" . }}
namespace: {{ include "ui.namespace" . }}
labels:
{{- include "ui.labels" . | nindent 4 }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.deploymentStrategy }}
strategy:
{{- toYaml .Values.deploymentStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "ui.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "ui.selectorLabels" . | nindent 8 }}
{{- include "ui.podLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
checksum/config: {{ include (print .Template.BasePath "/config.yaml") . | sha256sum | quote }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "ui.serviceAccountName" . }}
automountServiceAccountToken: true
containers:
- name: {{ default .Chart.Name .Values.nameOverride }}
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.securityContext }}
securityContext: {{ include "ui.securityContext" . | nindent 12 }}
{{- end }}
args:
- -config=/app/config.yaml
- -policy-reporter=http://{{ include "ui.policyReportServiceName" . }}:{{ .Values.policyReporter.port }}
{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno }}
- -kyverno-plugin=http://{{ include "ui.kyvernoPluginServiceName" . }}:{{ .Values.kyvernoPlugin.port }}
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
volumeMounts:
- name: config-file
mountPath: /app/config.yaml
subPath: config.yaml
readOnly: true
{{- if .Values.volumes }}
{{- toYaml .Values.volumeMounts | nindent 10 }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.envVars }}
{{- . | toYaml | trim | nindent 10 }}
{{- end }}
{{- if .Values.sidecarContainers }}
{{- range $name, $spec := .Values.sidecarContainers }}
- name: {{ $name }}
{{- if kindIs "string" $spec }}
{{- tpl $spec $ | nindent 10 }}
{{- else }}
{{- toYaml $spec | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
- name: config-file
configMap:
name: {{ include "ui.fullname" . }}-config
{{- if .Values.volumes }}
{{- toYaml .Values.volumes | nindent 6 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

View file

@ -1,4 +0,0 @@
{{ range .Values.extraManifests }}
---
{{ tpl . $ }}
{{ end }}

View file

@ -1,44 +0,0 @@
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ui.fullname" . }}
namespace: {{ include "ui.namespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "ui.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels: {{- include "ui.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
ports:
- protocol: TCP
port: {{ .Values.service.port }}
egress:
- to:
- podSelector:
matchLabels:
{{- include "policyreporter.selectorLabels" . | nindent 10 }}
ports:
- protocol: TCP
port: 8080
{{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno }}
- to:
- podSelector:
matchLabels:
{{- include "kyvernoplugin.selectorLabels" . | nindent 10 }}
ports:
- protocol: TCP
port: 8080
{{- end }}
{{- with .Values.networkPolicy.egress }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

View file

@ -1,33 +0,0 @@
{{- if .Values.service.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "ui.fullname" . }}
namespace: {{ include "ui.namespace" . }}
labels:
{{- include "ui.labels" . | nindent 4 }}
{{- with .Values.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.annotations .Values.service.annotations }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
{{- if .Values.service.additionalPorts }}
{{ toYaml .Values.service.additionalPorts | indent 4 }}
{{- end }}
selector:
{{- include "ui.selectorLabels" . | nindent 4 }}
{{- end }}

View file

@ -1,18 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ui.serviceAccountName" . }}
namespace: {{ include "ui.namespace" . }}
labels:
{{- include "ui.labels" . | nindent 4 }}
{{- if or .Values.annotations .Values.serviceAccount.annotations }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -1,279 +0,0 @@
enabled: false
# Override the chart name used for all resources
nameOverride: ""
priorityClassName: ""
image:
registry: ghcr.io
repository: kyverno/policy-reporter-ui
pullPolicy: IfNotPresent
tag: 1.9.2
# sidecarContainers - add more containers to Kyverno ui
# Key/Value where Key is the sidecar `- name: <Key>`
# Example:
# for adding OAuth authentication to Kyverno ui
# sidecarContainers:
# oauth-proxy:
# image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
# args:
# - --upstream=http://127.0.0.1:8080
# - --http-address=0.0.0.0:8081
# - ...
# ports:
# - containerPort: 8081
# name: oauth-proxy
# protocol: TCP
# resources: {}
sidecarContainers: {}
# possible default displayModes: light/dark
displayMode: ""
# default refreshInterval, set 0 to disable it
refreshInterval: 10000
# Key/value pairs that are attached to all resources.
annotations: {}
log:
# holds the latest 200 validation results in the UI Log
size: 200
# enable/disable views as needed in the Policy Reporter UI
# disabled log view will also disable the UI as push target
views:
dashboard:
policyReports: true
clusterPolicyReports: true
logs: true
policyReports: true
clusterPolicyReports: true
kyvernoPolicies: true
kyvernoVerifyImages: true
plugins:
kyverno: false
# Custom Cluster Name which is used in the ClusterSelect, if you configured additional clusters below.
clusterName: ""
# Attention: be sure that your APIs are not accessable for the outside world
# Use tools like VPN, private Networks or internal Network Load Balancer to expose your APIs in a secure way to the UI
clusters: []
# - name: External Cluster
# api: https://policy-reporter.external.cluster # reachable external Policy Reporter REST API
# kyvernoApi: https://policy-reporter-kyverno-plugin.external.cluster # (optional) reachable external Policy Reporter Kyverno Plugin REST API
# skipTLS: false
# certificate: "/app/certs/root.ca"
# secreRef: "" # name of an existing secret to read the clusterconfiguration from, supported keys: api, kyvernoApi, username, password, skipTLS, certificate
# basicAuth: # added as HTTP BasicAuthentication Header for all requests against api and kyvernoApi
# username: ""
# password: ""
# define custom filter for policy report results based on (Cluster)PolicyReport labels
# exmaple - use a owner label on all reports belonging to a dedicated team and add the label as additional custom filter
#
# apiVersion: wgpolicyk8s.io/v1alpha2
# kind: PolicyReport
# metadata:
# labels:
# app.kubernetes.io/managed-by: kyverno
# owner: team-a
# name: cpol-disallow-capabilities
# namespace: default
# results: [...]
#
# labelFilter: ["owner"]
labelFilter: []
# Proxy request logging
logging:
encoding: console # possible encodings are console and json
logLevel: 0 # default info
development: false # more human readable structure, removes log sampling
api:
logging: false # enables access logging for proxy requests, sets log level to debug
overwriteHost: true # overwrites request host and sets X-Forwarded--Host and X-Origin-Host headers
# use redis as external log storage instead of an in memory store
# recommended when using a HA setup with more then one replica
# to get all logs on each instance
redis:
enabled: false
address: ""
database: 0
prefix: "policy-reporter-ui"
username: ""
password: ""
# configurations related to the PolicyReporter API
policyReporter:
port: 8080
# configurations related to the RolicyReporter KyvernoPlugin API
kyvernoPlugin:
port: 8080
# configure additional volumes to e.g. mount custom certificate for proxy TLS
volumes: []
volumeMounts: []
imagePullSecrets: []
replicaCount: 1
revisionHistoryLimit: 10
deploymentStrategy: {}
# rollingUpdate:
# maxSurge: 25%
# maxUnavailable: 25%
# type: RollingUpdate
securityContext:
runAsUser: 1234
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# Key/value pairs that are attached to pods.
podAnnotations: {}
# Key/value pairs that are attached to pods.
podLabels: {}
# Allow additional env variables to be added
envVars: []
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# memory: 100Mi
# cpu: 50m
# requests:
# memory: 50Mi
# cpu: 10m
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# Create secret reader role and rolebinding
rbac:
enabled: true
service:
enabled: true
## configuration of service
# key/value
annotations: {}
# key/value
labels: {}
type: ClusterIP
# integer nubmer. This is port for service
port: 8080
# additionalPorts:
# - name: authenticated
# port: 8081
# targetPort: 8081
additionalPorts: []
# enabled if replicaCount > 1
podDisruptionBudget:
# -- Configures the minimum available pods for policy-reporter-ui disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
# -- Configures the maximum unavailable pods for policy-reporter-ui disruptions.
# Cannot be used if `minAvailable` is set.
maxUnavailable:
## Set to true to enable ingress record generation
# ref to: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
enabled: false
className: ""
# key/value
labels: {}
# key/value
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
## Redirect ingress to an additional defined port on the service
# port: 8081
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Tolerations for pod assignment
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Anti-affinity to disallow deploying client and master nodes on the same worker node
affinity: {}
# Topology Spread Constraints to better spread pods
topologySpreadConstraints: []
# enable a NetworkPolicy for this chart. Useful on clusters where Network Policies are
# used and configured in a default-deny fashion.
networkPolicy:
enabled: false
egress: []
# Should be set in the parent chart only
global:
# available plugins
plugins:
# enable kyverno for Policy Reporter UI and monitoring
kyverno: false
# overwrite the fullname of all resources including subcharts
fullnameOverride: ""
# configure the namespace of all resources including subcharts
namespace: ""
# additional labels added on each resource
labels: {}
# basicAuth for APIs and metrics
basicAuth:
# HTTP BasicAuth username
username: ""
# HTTP BasicAuth password
password: ""
# read credentials from secret
secretRef: ""
# Extra manifests to deploy as an array
extraManifests: []
# - |
# apiVersion: v1
# kind: ConfigMap
# metadata:
# labels:
# name: kyverno-extra
# data:
# extra-data: "value"

View file

@ -1,416 +0,0 @@
loki:
host: {{ .Values.target.loki.host | quote }}
certificate: {{ .Values.target.loki.certificate | quote }}
skipTLS: {{ .Values.target.loki.skipTLS }}
path: {{ .Values.target.loki.path | quote }}
secretRef: {{ .Values.target.loki.secretRef | quote }}
mountedSecret: {{ .Values.target.loki.mountedSecret | quote }}
minimumPriority: {{ .Values.target.loki.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.loki.skipExistingOnStartup }}
username: {{ .Values.target.loki.username | quote }}
password: {{ .Values.target.loki.password | quote }}
{{- with .Values.target.loki.customLabels }}
customLabels:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.loki.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.loki.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.loki.headers }}
headers:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.loki.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
elasticsearch:
host: {{ .Values.target.elasticsearch.host | quote }}
certificate: {{ .Values.target.elasticsearch.certificate | quote }}
skipTLS: {{ .Values.target.elasticsearch.skipTLS }}
username: {{ .Values.target.elasticsearch.username | quote }}
password: {{ .Values.target.elasticsearch.password | quote }}
apiKey: {{ .Values.target.elasticsearch.apiKey | quote }}
secretRef: {{ .Values.target.elasticsearch.secretRef | quote }}
mountedSecret: {{ .Values.target.elasticsearch.mountedSecret | quote }}
index: {{ .Values.target.elasticsearch.index | default "policy-reporter" | quote }}
rotation: {{ .Values.target.elasticsearch.rotation | default "daily" | quote }}
minimumPriority: {{ .Values.target.elasticsearch.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.elasticsearch.skipExistingOnStartup }}
typelessApi: {{ .Values.target.elasticsearch.typelessApi }}
{{- with .Values.target.elasticsearch.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.elasticsearch.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.elasticsearch.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.elasticsearch.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
slack:
webhook: {{ .Values.target.slack.webhook | quote }}
channel: {{ .Values.target.slack.channel | quote }}
secretRef: {{ .Values.target.slack.secretRef | quote }}
mountedSecret: {{ .Values.target.slack.mountedSecret | quote }}
minimumPriority: {{ .Values.target.slack.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.slack.skipExistingOnStartup }}
{{- with .Values.target.slack.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.slack.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.slack.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.slack.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
discord:
webhook: {{ .Values.target.discord.webhook | quote }}
secretRef: {{ .Values.target.discord.secretRef | quote }}
mountedSecret: {{ .Values.target.discord.mountedSecret | quote }}
minimumPriority: {{ .Values.target.discord.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.discord.skipExistingOnStartup }}
{{- with .Values.target.discord.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.discord.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.discord.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.discord.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
teams:
webhook: {{ .Values.target.teams.webhook | quote }}
certificate: {{ .Values.target.teams.certificate | quote }}
skipTLS: {{ .Values.target.teams.skipTLS }}
secretRef: {{ .Values.target.teams.secretRef | quote }}
mountedSecret: {{ .Values.target.teams.mountedSecret | quote }}
minimumPriority: {{ .Values.target.teams.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.teams.skipExistingOnStartup }}
{{- with .Values.target.teams.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.teams.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.teams.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.teams.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
webhook:
host: {{ .Values.target.webhook.host | quote }}
certificate: {{ .Values.target.webhook.certificate | quote }}
skipTLS: {{ .Values.target.webhook.skipTLS }}
secretRef: {{ .Values.target.webhook.secretRef | quote }}
mountedSecret: {{ .Values.target.webhook.mountedSecret | quote }}
minimumPriority: {{ .Values.target.webhook.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.webhook.skipExistingOnStartup }}
{{- with .Values.target.webhook.headers }}
headers:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.webhook.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.webhook.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.webhook.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.webhook.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
telegram:
token: {{ .Values.target.telegram.token | quote }}
chatID: {{ .Values.target.telegram.chatID | quote }}
host: {{ .Values.target.telegram.host | quote }}
certificate: {{ .Values.target.telegram.certificate | quote }}
skipTLS: {{ .Values.target.telegram.skipTLS }}
secretRef: {{ .Values.target.telegram.secretRef | quote }}
mountedSecret: {{ .Values.target.telegram.mountedSecret | quote }}
minimumPriority: {{ .Values.target.telegram.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.telegram.skipExistingOnStartup }}
{{- with .Values.target.telegram.headers }}
headers:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.telegram.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.telegram.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.telegram.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.telegram.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
googleChat:
webhook: {{ .Values.target.googleChat.webhook | quote }}
certificate: {{ .Values.target.googleChat.certificate | quote }}
skipTLS: {{ .Values.target.googleChat.skipTLS }}
secretRef: {{ .Values.target.googleChat.secretRef | quote }}
mountedSecret: {{ .Values.target.googleChat.mountedSecret | quote }}
minimumPriority: {{ .Values.target.googleChat.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.googleChat.skipExistingOnStartup }}
{{- with .Values.target.googleChat.headers }}
headers:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.googleChat.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.googleChat.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.googleChat.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.googleChat.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
ui:
host: {{ include "policyreporter.uihost" . }}
certificate: {{ .Values.target.ui.certificate | quote }}
skipTLS: {{ .Values.target.ui.skipTLS }}
minimumPriority: {{ .Values.target.ui.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.ui.skipExistingOnStartup }}
{{- with .Values.target.ui.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
s3:
accessKeyID: {{ .Values.target.s3.accessKeyID }}
secretAccessKey: {{ .Values.target.s3.secretAccessKey }}
secretRef: {{ .Values.target.s3.secretRef | quote }}
mountedSecret: {{ .Values.target.s3.mountedSecret }}
region: {{ .Values.target.s3.region }}
endpoint: {{ .Values.target.s3.endpoint }}
bucket: {{ .Values.target.s3.bucket }}
bucketKeyEnabled: {{ .Values.target.s3.bucketKeyEnabled }}
kmsKeyId: {{ .Values.target.s3.kmsKeyId }}
serverSideEncryption: {{ .Values.target.s3.serverSideEncryption }}
pathStyle: {{ .Values.target.s3.pathStyle }}
prefix: {{ .Values.target.s3.prefix }}
minimumPriority: {{ .Values.target.s3.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.s3.skipExistingOnStartup }}
{{- with .Values.target.s3.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.s3.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.s3.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.s3.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
kinesis:
accessKeyID: {{ .Values.target.kinesis.accessKeyID }}
secretAccessKey: {{ .Values.target.kinesis.secretAccessKey }}
secretRef: {{ .Values.target.kinesis.secretRef | quote }}
mountedSecret: {{ .Values.target.kinesis.mountedSecret | quote }}
region: {{ .Values.target.kinesis.region }}
endpoint: {{ .Values.target.kinesis.endpoint }}
streamName: {{ .Values.target.kinesis.streamName }}
minimumPriority: {{ .Values.target.kinesis.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.kinesis.skipExistingOnStartup }}
{{- with .Values.target.kinesis.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.kinesis.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.kinesis.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.kinesis.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
securityHub:
accountID: {{ .Values.target.securityHub.accountID }}
accessKeyID: {{ .Values.target.securityHub.accessKeyID }}
secretAccessKey: {{ .Values.target.securityHub.secretAccessKey }}
delayInSeconds: {{ .Values.target.securityHub.delayInSeconds }}
cleanup: {{ .Values.target.securityHub.cleanup }}
secretRef: {{ .Values.target.securityHub.secretRef | quote }}
mountedSecret: {{ .Values.target.securityHub.mountedSecret | quote }}
productName: {{ .Values.target.securityHub.productName | quote }}
companyName: {{ .Values.target.securityHub.companyName | quote }}
region: {{ .Values.target.securityHub.region }}
endpoint: {{ .Values.target.securityHub.endpoint }}
minimumPriority: {{ .Values.target.securityHub.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.securityHub.skipExistingOnStartup }}
{{- with .Values.target.securityHub.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.securityHub.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.securityHub.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.securityHub.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
gcs:
credentials: {{ .Values.target.gcs.credentials }}
secretRef: {{ .Values.target.gcs.secretRef | quote }}
mountedSecret: {{ .Values.target.gcs.mountedSecret | quote }}
bucket: {{ .Values.target.gcs.bucket }}
prefix: {{ .Values.target.gcs.prefix }}
minimumPriority: {{ .Values.target.gcs.minimumPriority | quote }}
skipExistingOnStartup: {{ .Values.target.gcs.skipExistingOnStartup }}
{{- with .Values.target.gcs.sources }}
sources:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.gcs.customFields }}
customFields:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.gcs.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.target.gcs.channels }}
channels:
{{- toYaml . | nindent 4 }}
{{- end }}
worker: {{ .Values.worker }}
metrics:
mode: {{ .Values.metrics.mode }}
{{- with .Values.metrics.filter }}
filter:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.metrics.customLabels }}
customLabels:
{{- toYaml . | nindent 4 }}
{{- end }}
reportFilter:
namespaces:
{{- with .Values.reportFilter.namespaces.include }}
include:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.reportFilter.namespaces.exclude }}
exclude:
{{- toYaml . | nindent 6 }}
{{- end }}
clusterReports:
disabled: {{ .Values.reportFilter.clusterReports.disabled }}
leaderElection:
enabled: {{ or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
releaseOnCancel: {{ .Values.leaderElection.releaseOnCancel }}
leaseDuration: {{ .Values.leaderElection.leaseDuration }}
renewDeadline: {{ .Values.leaderElection.renewDeadline }}
retryPeriod: {{ .Values.leaderElection.retryPeriod }}
{{- with .Values.redis }}
redis:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.sourceConfig }}
sourceConfig:
{{- toYaml . | nindent 2 }}
{{- end }}
logging:
encoding: {{ .Values.logging.encoding }}
logLevel: {{ include "policyreporter.logLevel" . }}
development: {{ .Values.logging.development }}
api:
logging: {{ .Values.api.logging }}
basicAuth:
username: {{ .Values.global.basicAuth.username }}
password: {{ .Values.global.basicAuth.password }}
secretRef: {{ .Values.global.basicAuth.secretRef }}
database:
type: {{ .Values.database.type }}
database: {{ .Values.database.database }}
username: {{ .Values.database.username }}
password: {{ .Values.database.password }}
host: {{ .Values.database.host }}
enableSSL: {{ .Values.database.enableSSL }}
dsn: {{ .Values.database.dsn }}
secretRef: {{ .Values.database.secretRef }}
mountedSecret: {{ .Values.database.mountedSecret }}

View file

@ -0,0 +1,176 @@
target:
loki:
{{- include "target.loki" .Values.target.loki | nindent 4 }}
{{- if and .Values.target.loki .Values.target.loki.channels }}
channels:
{{- range .Values.target.loki.channels }}
-
{{- include "target.loki" . | nindent 8 }}
{{- end }}
{{- end }}
elasticsearch:
{{- include "target.elasticsearch" .Values.target.elasticsearch | nindent 4 }}
{{- if and .Values.target.elasticsearch .Values.target.elasticsearch.channels }}
channels:
{{- range .Values.target.elasticsearch.channels }}
-
{{- include "target.elasticsearch" . | nindent 8 }}
{{- end }}
{{- end }}
slack:
{{- include "target.slack" .Values.target.slack | nindent 4 }}
{{- if and .Values.target.slack .Values.target.slack.channels }}
channels:
{{- range .Values.target.slack.channels }}
-
{{- include "target.slack" . | nindent 8 }}
{{- end }}
{{- end }}
discord:
{{- include "target.webhook" .Values.target.discord | nindent 4 }}
{{- if and .Values.target.discord .Values.target.discord.channels }}
channels:
{{- range .Values.target.discord.channels }}
-
{{- include "target.webhook" . | nindent 8 }}
{{- end }}
{{- end }}
teams:
{{- include "target.webhook" .Values.target.teams | nindent 4 }}
{{- if and .Values.target.teams .Values.target.teams.channels }}
channels:
{{- range .Values.target.teams.channels }}
-
{{- include "target.webhook" . | nindent 8 }}
{{- end }}
{{- end }}
webhook:
{{- include "target.webhook" .Values.target.webhook | nindent 4 }}
{{- if and .Values.target.webhook .Values.target.webhook.channels }}
channels:
{{- range .Values.target.webhook.channels }}
-
{{- include "target.webhook" . | nindent 8 }}
{{- end }}
{{- end }}
telegram:
{{- include "target.telegram" .Values.target.telegram | nindent 4 }}
{{- if and .Values.target.telegram .Values.target.telegram.channels }}
channels:
{{- range .Values.target.telegram.channels }}
-
{{- include "target.telegram" . | nindent 8 }}
{{- end }}
{{- end }}
googleChat:
{{- include "target.webhook" .Values.target.googleChat | nindent 4 }}
{{- if and .Values.target.webhook .Values.target.googleChat.channels }}
channels:
{{- range .Values.target.googleChat.channels }}
-
{{- include "target.webhook" . | nindent 8 }}
{{- end }}
{{- end }}
s3:
{{- include "target.s3" .Values.target.s3 | nindent 4 }}
{{- if and .Values.target.s3 .Values.target.s3.channels }}
channels:
{{- range .Values.target.s3.channels }}
-
{{- include "target.s3" . | nindent 8 }}
{{- end }}
{{- end }}
kinesis:
{{- include "target.kinesis" .Values.target.kinesis | nindent 4 }}
{{- if and .Values.target.kinesis .Values.target.kinesis.channels }}
channels:
{{- range .Values.target.kinesis.channels }}
-
{{- include "target.kinesis" . | nindent 8 }}
{{- end }}
{{- end }}
securityHub:
{{- include "target.securityhub" .Values.target.securityHub | nindent 4 }}
{{- if and .Values.target.securityHub .Values.target.securityHub.channels }}
channels:
{{- range .Values.target.securityHub.channels }}
-
{{- include "target.securityhub" . | nindent 8 }}
{{- end }}
{{- end }}
gcs:
{{- include "target.gcs" .Values.target.gcs | nindent 4 }}
{{- if and .Values.target.gcs .Values.target.gcs.channels }}
channels:
{{- range .Values.target.gcs.channels }}
-
{{- include "target.gcs" . | nindent 8 }}
{{- end }}
{{- end }}
worker: {{ .Values.worker }}
{{- with .Values.metrics }}
metrics:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.reportFilter }}
reportFilter:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.sourceFilters }}
sourceFilters:
{{- toYaml . | nindent 2 }}
{{- end }}
leaderElection:
enabled: {{ gt (int .Values.replicaCount) 1 }}
releaseOnCancel: {{ .Values.leaderElection.releaseOnCancel }}
leaseDuration: {{ .Values.leaderElection.leaseDuration }}
renewDeadline: {{ .Values.leaderElection.renewDeadline }}
retryPeriod: {{ .Values.leaderElection.retryPeriod }}
{{- with .Values.redis }}
redis:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.sourceConfig }}
sourceConfig:
{{- toYaml . | nindent 2 }}
{{- end }}
logging:
server: {{ .Values.logging.server }}
encoding: {{ .Values.logging.encoding }}
logLevel: {{ include "policyreporter.logLevel" . }}
api:
basicAuth:
username: {{ .Values.basicAuth.username }}
password: {{ .Values.basicAuth.password }}
secretRef: {{ .Values.basicAuth.secretRef }}
database:
type: {{ .Values.database.type }}
database: {{ .Values.database.database }}
username: {{ .Values.database.username }}
password: {{ .Values.database.password }}
host: {{ .Values.database.host }}
enableSSL: {{ .Values.database.enableSSL }}
dsn: {{ .Values.database.dsn }}
secretRef: {{ .Values.database.secretRef }}
mountedSecret: {{ .Values.database.mountedSecret }}

View file

@ -0,0 +1,27 @@
leaderElection:
enabled: {{ gt (int .Values.plugin.kyverno.replicaCount) 1 }}
releaseOnCancel: {{ .Values.plugin.kyverno.leaderElection.releaseOnCancel }}
leaseDuration: {{ .Values.plugin.kyverno.leaderElection.leaseDuration }}
renewDeadline: {{ .Values.plugin.kyverno.leaderElection.renewDeadline }}
retryPeriod: {{ .Values.plugin.kyverno.leaderElection.retryPeriod }}
lockName: {{ .Values.plugin.kyverno.leaderElection.lockName }}
logging:
api: {{ .Values.plugin.kyverno.logging.api }}
server: {{ .Values.plugin.kyverno.logging.server }}
encoding: {{ .Values.plugin.kyverno.logging.encoding }}
logLevel: {{ .Values.plugin.kyverno.logging.logLevel }}
server:
basicAuth:
username: {{ .Values.basicAuth.username }}
password: {{ .Values.basicAuth.password }}
secretRef: {{ .Values.basicAuth.secretRef }}
core:
host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) }}
{{- with .Values.plugin.kyverno.blockReports }}
blockReports:
{{- toYaml . | nindent 4 }}
{{- end }}

View file

@ -0,0 +1,20 @@
logging:
api: {{ .Values.plugin.trivy.logging.api }}
server: {{ .Values.plugin.trivy.logging.server }}
encoding: {{ .Values.plugin.trivy.logging.encoding }}
logLevel: {{ .Values.plugin.trivy.logging.logLevel }}
server:
basicAuth:
username: {{ .Values.basicAuth.username }}
password: {{ .Values.basicAuth.password }}
secretRef: {{ .Values.basicAuth.secretRef }}
core:
host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) }}
skipTLS: {{ .Values.plugin.trivy.policyReporter.skipTLS }}
certificate: {{ .Values.plugin.trivy.policyReporter.certificate }}
secretRef: {{ .Values.plugin.trivy.policyReporter.secretRef }}
basicAuth:
username: {{ .Values.basicAuth.username }}
password: {{ .Values.basicAuth.password }}

View file

@ -0,0 +1,70 @@
namespace: {{ .Release.Namespace }}
tempDir: {{ .Values.ui.tempDir }}
logging:
api: {{ .Values.ui.logging.api }}
server: {{ .Values.ui.logging.server }}
encoding: {{ .Values.ui.logging.encoding }}
logLevel: {{ .Values.ui.logging.logLevel }}
server:
port: {{ .Values.ui.server.port }}
cors: {{ .Values.ui.server.cors }}
overwriteHost: {{ .Values.ui.server.overwriteHost }}
ui:
displayMode: {{ .Values.ui.displayMode }}
banner: {{ .Values.ui.banner }}
{{- $default := false -}}
{{- range .Values.ui.clusters }}
{{- if eq .name .Values.ui.name -}}
{{- $default = true -}}
{{- end -}}
{{- end }}
clusters:
{{- if not $default }}
- name: {{ .Values.ui.name }}
secretRef: {{ include "ui.fullname" . }}-default-cluster
{{- end }}
{{- with .Values.ui.clusters }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.ui.customBoards }}
customBoards:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- $kyverno := false -}}
{{- range .Values.ui.sources }}
{{- if eq .name "kyverno" -}}
{{- $kyverno = true -}}
{{- end -}}
{{- end }}
sources:
{{- if not $kyverno }}
- name: kyverno
chartType: result
exceptions: false
excludes:
results:
- warn
- error
{{- end }}
{{- with .Values.ui.sources }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.ui.openIDConnect }}
openIDConnect:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.ui.oauth }}
oauth:
{{- toYaml . | nindent 4 }}
{{- end }}

View file

@ -9,8 +9,8 @@ If release name contains chart name it will be used as a full name.
*/}}
{{- define "policyreporter.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if .Values.global.fullnameOverride }}
{{- .Values.global.fullnameOverride }}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride }}
{{- else if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
@ -78,8 +78,6 @@ Create UI target host based on configuration
{{- .Values.target.ui.host }}
{{- else if not .Values.ui.enabled }}
{{- "" }}
{{- else if and .Values.ui.enabled (and .Values.ui.views.logs .Values.ui.service.enabled) }}
{{- printf "http://%s:%s" (include "ui.fullname" .) (.Values.ui.service.port | toString) }}
{{- else }}
{{- "" }}
{{- end }}
@ -95,7 +93,7 @@ Create UI target host based on configuration
{{- define "policyreporter.podDisruptionBudget" -}}
{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}}
{{- fail "Cannot set both minAvailable and maxUnavailable" -}}
{{- end }}
{{- if not .Values.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }}
@ -107,8 +105,8 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{/* Get the namespace name. */}}
{{- define "policyreporter.namespace" -}}
{{- if .Values.global.namespace -}}
{{- .Values.global.namespace -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
@ -116,9 +114,137 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{/* Get the namespace name. */}}
{{- define "policyreporter.logLevel" -}}
{{- if .Values.api.logging -}}
{{- if .Values.logging.server -}}
-1
{{- else -}}
{{- .Values.logging.logLevel -}}
{{- end -}}
{{- end -}}
{{- define "target" -}}
name: {{ .name | quote }}
secretRef: {{ .secretRef | quote }}
mountedSecret: {{ .mountedSecret | quote }}
minimumSeverity: {{ .minimumSeverity | quote }}
skipExistingOnStartup: {{ .skipExistingOnStartup }}
{{- with .customFields }}
customFields:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .sources }}
sources:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .filter }}
filter:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- define "target.loki" -}}
config:
host: {{ .host | quote }}
certificate: {{ .certificate | quote }}
skipTLS: {{ .skipTLS }}
path: {{ .path | quote }}
{{ include "target" . }}
{{- end }}
{{- define "target.elasticsearch" -}}
config:
host: {{ .host | quote }}
certificate: {{ .certificate | quote }}
skipTLS: {{ .skipTLS }}
username: {{ .username | quote }}
password: {{ .password | quote }}
apiKey: {{ .apiKey | quote }}
index: {{ .index| quote }}
rotation: {{ .rotation | quote }}
{{ include "target" . }}
{{- end }}
{{- define "target.slack" -}}
config:
webhook: {{ .webhook | quote }}
channel: {{ .channel | quote }}
certificate: {{ .certificate | quote }}
skipTLS: {{ .skipTLS }}
{{- with .headers }}
headers:
{{- toYaml . | nindent 4 }}
{{- end }}
{{ include "target" . }}
{{- end }}
{{- define "target.webhook" -}}
config:
webhook: {{ .webhook | quote }}
certificate: {{ .certificate | quote }}
skipTLS: {{ .skipTLS }}
{{- with .headers }}
headers:
{{- toYaml . | nindent 4 }}
{{- end }}
{{ include "target" . }}
{{- end }}
{{- define "target.telegram" -}}
config:
chatId: {{ .chatId | quote }}
token: {{ .token | quote }}
webhook: {{ .webhook | quote }}
certificate: {{ .certificate | quote }}
skipTLS: {{ .skipTLS }}
{{- with .headers }}
headers:
{{- toYaml . | nindent 4 }}
{{- end }}
{{ include "target" . }}
{{- end }}
{{- define "target.s3" -}}
config:
accessKeyId: {{ .accessKeyId }}
secretAccessKey: {{ .secretAccessKey }}
region: {{ .region }}
endpoint: {{ .endpoint }}
bucket: {{ .bucket }}
bucketKeyEnabled: {{ .bucketKeyEnabled }}
kmsKeyId: {{ .kmsKeyId }}
serverSideEncryption: {{ .serverSideEncryption }}
pathStyle: {{ .pathStyle }}
prefix: {{ .prefix }}
{{ include "target" . }}
{{- end }}
{{- define "target.kinesis" -}}
config:
accessKeyId: {{ .accessKeyId }}
secretAccessKey: {{ .secretAccessKey }}
region: {{ .region }}
endpoint: {{ .endpoint }}
streamName: {{ .streamName }}
{{ include "target" . }}
{{- end }}
{{- define "target.securityhub" -}}
config:
accessKeyId: {{ .accessKeyId }}
secretAccessKey: {{ .secretAccessKey }}
region: {{ .region }}
endpoint: {{ .endpoint }}
accountId: {{ .accountId }}
productName: {{ .productName }}
companyName: {{ .companyName }}
delayInSeconds: {{ .delayInSeconds }}
synchronize: {{ .synchronize }}
{{ include "target" . }}
{{- end }}
{{- define "target.gcs" -}}
config:
credentials: {{ .credentials }}
bucket: {{ .bucket }}
prefix: {{ .prefix }}
{{ include "target" . }}
{{- end }}

View file

@ -0,0 +1,26 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ include "ui.fullname" . }}-default-cluster
namespace: {{ include "policyreporter.namespace" . }}
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "policyreporter.labels" . | nindent 4 }}
type: Opaque
data:
{{- $username := .Values.basicAuth.username }}
{{- $password := .Values.basicAuth.password }}
host: {{ printf "http://%s:%d" (include "policyreporter.fullname" .) (.Values.service.port | int) | b64enc }}
{{- if .Values.plugin.kyverno.enabled }}
{{- $host := printf "http://%s:%d" (include "kyverno-plugin.fullname" .) (.Values.plugin.kyverno.service.port | int) }}
plugin.kyverno: {{ (printf "{\"host\":\"%s\", \"name\":\"kyverno\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
{{- end }}
{{- if .Values.plugin.trivy.enabled }}
{{- $host := printf "http://%s:%d/vulnr" (include "trivy-plugin.fullname" .) (.Values.plugin.trivy.service.port | int) }}
plugin.trivy: {{ (printf "{\"host\":\"%s\", \"name\":\"Trivy Vulnerability\", \"username\":\"%s\", \"password\":\"%s\"}" $host $username $password) | b64enc }}
username: {{ $username | b64enc }}
password: {{ $password | b64enc }}
{{- end }}

View file

@ -22,4 +22,22 @@ rules:
- get
- list
- watch
- apiGroups:
- ''
resources:
- namespaces
verbs:
- list
- apiGroups:
- ''
resources:
- pods
verbs:
- get
- apiGroups:
- 'batch'
resources:
- jobs
verbs:
- get
{{- end -}}

View file

@ -12,5 +12,5 @@ metadata:
{{- include "policyreporter.labels" . | nindent 4 }}
type: Opaque
data:
config.yaml: {{ tpl (.Files.Get "config-email-reports.yaml") . | b64enc }}
config.yaml: {{ tpl (.Files.Get "configs/email-reports.tmpl") . | b64enc }}
{{- end }}

View file

@ -12,5 +12,5 @@ metadata:
{{- include "policyreporter.labels" . | nindent 4 }}
type: Opaque
data:
config.yaml: {{ tpl (.Files.Get "config.yaml") . | b64enc }}
config.yaml: {{ tpl (.Files.Get "configs/core.tmpl") . | b64enc }}
{{- end }}

View file

@ -51,7 +51,7 @@ spec:
{{- end }}
restartPolicy: {{ .Values.emailReports.summary.restartPolicy }}
containers:
- name: {{ default .Chart.Name .Values.nameOverride }}
- name: policy-reporter
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.securityContext }}

View file

@ -51,7 +51,7 @@ spec:
{{- end }}
restartPolicy: {{ .Values.emailReports.violations.restartPolicy }}
containers:
- name: {{ default .Chart.Name .Values.nameOverride }}
- name: policy-reporter
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.securityContext }}

View file

@ -12,9 +12,9 @@ metadata:
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.deploymentStrategy }}
{{- with .Values.plugin.kyverno.updateStrategy }}
strategy:
{{- toYaml .Values.deploymentStrategy | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
@ -53,11 +53,11 @@ spec:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
containers:
- name: {{ default .Chart.Name .Values.nameOverride }}
- name: policy-reporter
image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.securityContext }}
securityContext: {{ include "policyreporter.securityContext" . | nindent 12 }}
securityContext: {{- include "policyreporter.securityContext" . | nindent 12 }}
{{- end }}
args:
- --port={{ .Values.port.number }}
@ -99,7 +99,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
{{- if gt (int .Values.replicaCount) 1 }}
- name: POD_NAME
valueFrom:
fieldRef:

View file

@ -0,0 +1,56 @@
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "monitoring.fullname" -}}
{{ template "policyreporter.fullname" . }}-monitoring
{{- end }}
{{- define "monitoring.name" -}}
{{ template "policyreporter.name" . }}-monitoring
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "monitoring.chart" -}}
{{ template "policyreporter.chart" . }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "monitoring.labels" -}}
helm.sh/chart: {{ include "monitoring.chart" . }}
{{ include "monitoring.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/component: monitoring
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/part-of: kyverno
{{- with .Values.global.labels }}
{{ toYaml . }}
{{- end -}}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "monitoring.selectorLabels" -}}
app.kubernetes.io/name: {{ include "monitoring.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/* Get the namespace name. */}}
{{- define "monitoring.smNamespace" -}}
{{- if .Values.monitoring.serviceMonitor.namespace -}}
{{- .Values.monitoring.serviceMonitor.namespace -}}
{{- else if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end }}
{{- end }}

View file

@ -0,0 +1,19 @@
{{- if and .Values.monitoring.enabled }}
{{- if and .Values.basicAuth.username .Values.basicAuth.password }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "monitoring.fullname" . }}-auth
namespace: {{ include "monitoring.smNamespace" . }}
{{- if .Values.monitoring.annotations }}
annotations:
{{- toYaml .Values.monitoring.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "monitoring.labels" . | nindent 4 }}
type: Opaque
data:
username: {{ .Values.basicAuth.username | b64enc }}
password: {{ .Values.basicAuth.password | b64enc }}
{{- end }}
{{- end }}

View file

@ -1,11 +1,13 @@
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.clusterPolicyReportDetails }}
{{- $filters := .Values.grafana.dashboards.labelFilter }}
{{- if and .Values.grafana.dashboards.multicluster.enabled .Values.grafana.dashboards.multicluster.label }}
{{- $filters = append $filters .Values.grafana.dashboards.multicluster.label }}
{{ $root := .Values.monitoring }}
{{- if and $root.grafana.dashboards.enabled $root.grafana.dashboards.enable.clusterPolicyReportDetails }}
{{- $filters := $root.grafana.dashboards.labelFilter }}
{{- if and $root.grafana.dashboards.multicluster.enabled $root.grafana.dashboards.multicluster.label }}
{{- $filters = append $filters $root.grafana.dashboards.multicluster.label }}
{{- end }}
{{- $nsLabel := "exported_namespace" }}
{{- if .Values.serviceMonitor.honorLabels }}
{{- if $root.serviceMonitor.honorLabels }}
{{- $nsLabel = "namespace" }}
{{- end }}
@ -13,14 +15,14 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
namespace: {{ include "monitoring.namespace" . }}
namespace: {{ include "policyreporter.namespace" . }}
annotations:
{{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }}
{{ $root.grafana.folder.annotation }}: {{ $root.grafana.folder.name }}
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
{{ $root.grafana.dashboards.label }}: {{ $root.grafana.dashboards.value | quote }}
{{- include "monitoring.labels" . | nindent 4 }}
data:
cluster-policy-reporter-details-dashboard.json: |
@ -28,11 +30,11 @@ data:
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "{{ .Values.grafana.datasource.label }}",
"label": "{{ $root.grafana.datasource.label }}",
"description": "",
"type": "datasource",
"pluginId": "{{ .Values.grafana.datasource.pluginId }}",
"pluginName": "{{ .Values.grafana.datasource.pluginName }}"
"pluginId": "{{ $root.grafana.datasource.pluginId }}",
"pluginName": "{{ $root.grafana.datasource.pluginName }}"
}
],
"__requires": [
@ -101,7 +103,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
"w": 6,
"x": 0,
"y": 0
@ -124,7 +126,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
"instant": true,
"interval": "",
"legendFormat": "",
@ -158,7 +160,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
"w": 6,
"x": 6,
"y": 0
@ -181,7 +183,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
"instant": true,
"interval": "",
"legendFormat": "",
@ -215,7 +217,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
"w": 6,
"x": 12,
"y": 0
@ -238,7 +240,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
"instant": true,
"interval": "",
"legendFormat": "",
@ -272,7 +274,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.statusRow.height }},
"h": {{ $root.clusterPolicyReportDetails.statusRow.height }},
"w": 6,
"x": 18,
"y": 0
@ -295,7 +297,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod))",
"instant": true,
"interval": "",
"legendFormat": "",
@ -307,7 +309,7 @@ data:
"title": "Policy Error Status",
"type": "stat"
}
{{- if .Values.clusterPolicyReportDetails.statusTimeline.enabled }}
{{- if $root.clusterPolicyReportDetails.statusTimeline.enabled }}
,{
"datasource": {
"uid": "${DS_PROMETHEUS}",
@ -412,7 +414,7 @@ data:
]
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.statusTimeline.height }},
"h": {{ $root.clusterPolicyReportDetails.statusTimeline.height }},
"w": 24,
"x": 0,
"y": 6
@ -421,7 +423,7 @@ data:
"pluginVersion": "10.4.1",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status)",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, pod)) by (status)",
"interval": "",
"legendFormat": "{{`{{ status }}`}}",
"refId": "A",
@ -451,7 +453,7 @@ data:
"timeShift": null
}
{{- end }}
{{- if .Values.clusterPolicyReportDetails.passTable.enabled }}
{{- if $root.clusterPolicyReportDetails.passTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -477,7 +479,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.passTable.height }},
"h": {{ $root.clusterPolicyReportDetails.passTable.height }},
"w": 24,
"x": 0,
"y": 15
@ -489,7 +491,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", kind=~\"$kind\", source=~\"$source\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", kind=~\"$kind\", source=~\"$source\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod,policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -506,7 +508,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {
@ -530,7 +531,7 @@ data:
"type": "table"
}
{{- end }}
{{- if .Values.clusterPolicyReportDetails.failTable.enabled }}
{{- if $root.clusterPolicyReportDetails.failTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -556,7 +557,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.failTable.height }},
"h": {{ $root.clusterPolicyReportDetails.failTable.height }},
"w": 24,
"x": 0,
"y": 23
@ -568,7 +569,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod, policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -585,7 +586,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {
@ -609,7 +609,7 @@ data:
"type": "table"
}
{{- end }}
{{- if .Values.clusterPolicyReportDetails.warningTable.enabled }}
{{- if $root.clusterPolicyReportDetails.warningTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -632,7 +632,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.warningTable.height }},
"h": {{ $root.clusterPolicyReportDetails.warningTable.height }},
"w": 24,
"x": 0,
"y": 31
@ -644,7 +644,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }} )",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod,policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -661,7 +661,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {
@ -685,7 +684,7 @@ data:
"type": "table"
}
{{- end }}
{{- if .Values.clusterPolicyReportDetails.errorTable.enabled }}
{{- if $root.clusterPolicyReportDetails.errorTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -708,7 +707,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.clusterPolicyReportDetails.errorTable.height }},
"h": {{ $root.clusterPolicyReportDetails.errorTable.height }},
"w": 24,
"x": 0,
"y": 36
@ -720,7 +719,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod, policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,severity,category,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -737,7 +736,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {

View file

@ -0,0 +1,19 @@
{{- if and .Values.monitoring.grafana.dashboards.enabled .Values.monitoring.grafana.dashboards.enable.clusterPolicyReportDetails .Values.monitoring.grafana.grafanaDashboard.enabled }}
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
labels:
{{ .Values.monitoring.grafana.dashboards.label }}: {{ .Values.monitoring.grafana.dashboards.value | quote }}
{{- include "monitoring.labels" . | nindent 4 }}
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
namespace: {{ include "policyreporter.namespace" . }}
spec:
allowCrossNamespaceImport: {{ .Values.monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport }}
folder: {{ .Values.monitoring.grafana.grafanaDashboard.folder }}
instanceSelector:
matchLabels:
{{- toYaml .Values.monitoring.grafana.grafanaDashboard.matchLabels | nindent 6 }}
configMapRef:
name: {{ include "monitoring.fullname" . }}-clusterpolicy-details-dashboard
key: cluster-policy-reporter-details-dashboard.json
{{- end }}

View file

@ -1,11 +1,13 @@
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.overview }}
{{- $filters := .Values.grafana.dashboards.labelFilter }}
{{- if and .Values.grafana.dashboards.multicluster.enabled .Values.grafana.dashboards.multicluster.label }}
{{- $filters = append $filters .Values.grafana.dashboards.multicluster.label }}
{{ $root := .Values.monitoring }}
{{- if and $root.grafana.dashboards.enabled $root.grafana.dashboards.enable.overview }}
{{- $filters := $root.grafana.dashboards.labelFilter }}
{{- if and $root.grafana.dashboards.multicluster.enabled $root.grafana.dashboards.multicluster.label }}
{{- $filters = append $filters $root.grafana.dashboards.multicluster.label }}
{{- end }}
{{- $nsLabel := "exported_namespace" }}
{{- if .Values.serviceMonitor.honorLabels }}
{{- if $root.serviceMonitor.honorLabels }}
{{- $nsLabel = "namespace" }}
{{- end }}
@ -13,15 +15,15 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "monitoring.fullname" . }}-overview-dashboard
namespace: {{ include "monitoring.namespace" . }}
namespace: {{ include "policyreporter.namespace" . }}
annotations:
{{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }}
{{ $root.grafana.folder.annotation }}: {{ $root.grafana.folder.name }}
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
{{- with .Values.serviceMonitor.labels }}
{{ $root.grafana.dashboards.label }}: {{ $root.grafana.dashboards.value | quote }}
{{- with $root.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- include "monitoring.labels" . | nindent 4 }}
@ -31,11 +33,11 @@ data:
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "{{ .Values.grafana.datasource.label }}",
"label": "{{ $root.grafana.datasource.label }}",
"description": "",
"type": "datasource",
"pluginId": "{{ .Values.grafana.datasource.pluginId }}",
"pluginName": "{{ .Values.grafana.datasource.pluginName }}"
"pluginId": "{{ $root.grafana.datasource.pluginId }}",
"pluginName": "{{ $root.grafana.datasource.pluginName }}"
}
],
"__requires": [
@ -94,7 +96,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportOverview.failingSummaryRow.height }},
"h": {{ $root.policyReportOverview.failingSummaryRow.height }},
"w": 15,
"x": 0,
"y": 0
@ -115,7 +117,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
"instant": true,
"interval": "",
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
@ -153,7 +155,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportOverview.failingSummaryRow.height }},
"h": {{ $root.policyReportOverview.failingSummaryRow.height }},
"w": 9,
"x": 15,
"y": 0
@ -176,7 +178,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status)",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, pod)) by (status)",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
@ -292,7 +294,7 @@ data:
]
},
"gridPos": {
"h": {{ .Values.policyReportOverview.failingTimeline.height }},
"h": {{ $root.policyReportOverview.failingTimeline.height }},
"w": 24,
"x": 0,
"y": 8
@ -301,7 +303,7 @@ data:
"pluginVersion": "10.4.1",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy)",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy, pod)) by (policy)",
"interval": "",
"legendFormat": "{{`{{ policy }}`}}",
"refId": "A",
@ -310,7 +312,7 @@ data:
}
},
{
"expr": "sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy)",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (policy, pod)) by (policy)",
"interval": "",
"legendFormat": "{{`{{ policy }}`}}",
"refId": "B",
@ -363,7 +365,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportOverview.failingPolicyRuleTable.height }},
"h": {{ $root.policyReportOverview.failingPolicyRuleTable.height }},
"w": 24,
"x": 0,
"y": 18
@ -375,7 +377,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (pod,{{ $nsLabel }},policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -391,8 +393,7 @@ data:
"id": "organize",
"options": {
"excludeByName": {
"Time": true,
"Value": true
"Time": true
},
"indexByName": {
"source": 0,
@ -403,7 +404,8 @@ data:
"name": 5,
"policy": 6,
"rule": 7,
"status": 8
"status": 8,
"Value": 9
},
"renameByName": {
"{{ $nsLabel }}": "namespace"
@ -438,7 +440,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportOverview.failingClusterPolicyRuleTable.height }},
"h": {{ $root.policyReportOverview.failingClusterPolicyRuleTable.height }},
"w": 24,
"x": 0,
"y": 28
@ -450,7 +452,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by (policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
"expr": "max(sum(cluster_policy_report_result{policy=~\"$policy\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", status=~\"fail|error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} })by (pod,policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})) by (policy,rule,kind,name,status,category,severity,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -467,7 +469,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"__name__": true,
"endpoint": true,
"instance": true,
@ -486,7 +487,8 @@ data:
"name": 4,
"policy": 5,
"rule": 6,
"status": 7
"status": 7,
"Value": 8
},
"renameByName": {}
}

View file

@ -0,0 +1,19 @@
{{- if and .Values.monitoring.grafana.dashboards.enabled .Values.monitoring.grafana.dashboards.enable.overview .Values.monitoring.grafana.grafanaDashboard.enabled }}
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
labels:
{{ .Values.monitoring.grafana.dashboards.label }}: {{ .Values.monitoring.grafana.dashboards.value | quote }}
{{- include "monitoring.labels" . | nindent 4 }}
name: {{ include "monitoring.fullname" . }}-overview-dashboard
namespace: {{ include "policyreporter.namespace" . }}
spec:
allowCrossNamespaceImport: {{ .Values.monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport }}
folder: {{ .Values.monitoring.grafana.grafanaDashboard.folder }}
instanceSelector:
matchLabels:
{{- toYaml .Values.monitoring.grafana.grafanaDashboard.matchLabels | nindent 6 }}
configMapRef:
name: {{ include "monitoring.fullname" . }}-overview-dashboard
key: policy-reporter-dashboard.json
{{- end }}

View file

@ -1,11 +1,13 @@
{{- if and $.Values.grafana.dashboards.enabled $.Values.grafana.dashboards.enable.policyReportDetails }}
{{- $filters := .Values.grafana.dashboards.labelFilter }}
{{- if and .Values.grafana.dashboards.multicluster.enabled .Values.grafana.dashboards.multicluster.label }}
{{- $filters = append $filters .Values.grafana.dashboards.multicluster.label }}
{{ $root := .Values.monitoring }}
{{- if and $root.grafana.dashboards.enabled $root.grafana.dashboards.enable.policyReportDetails }}
{{- $filters := $root.grafana.dashboards.labelFilter }}
{{- if and $root.grafana.dashboards.multicluster.enabled $root.grafana.dashboards.multicluster.label }}
{{- $filters = append $filters $root.grafana.dashboards.multicluster.label }}
{{- end }}
{{- $nsLabel := "exported_namespace" }}
{{- if .Values.serviceMonitor.honorLabels }}
{{- if $root.serviceMonitor.honorLabels }}
{{- $nsLabel = "namespace" }}
{{- end }}
@ -13,15 +15,15 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
namespace: {{ include "monitoring.namespace" . }}
namespace: {{ include "policyreporter.namespace" . }}
annotations:
{{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }}
{{ $root.grafana.folder.annotation }}: {{ $root.grafana.folder.name }}
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }}
{{- with .Values.serviceMonitor.labels }}
{{ $root.grafana.dashboards.label }}: {{ $root.grafana.dashboards.value | quote }}
{{- with $root.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- include "monitoring.labels" . | nindent 4 }}
@ -31,11 +33,11 @@ data:
"__inputs": [
{
"name": "DS_PROMETHEUS",
"label": "{{ .Values.grafana.datasource.label }}",
"label": "{{ $root.grafana.datasource.label }}",
"description": "",
"type": "datasource",
"pluginId": "{{ .Values.grafana.datasource.pluginId }}",
"pluginName": "{{ .Values.grafana.datasource.pluginName }}"
"pluginId": "{{ $root.grafana.datasource.pluginId }}",
"pluginName": "{{ $root.grafana.datasource.pluginName }}"
}
],
"__requires": [
@ -104,7 +106,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.firstStatusRow.height }},
"h": {{ $root.policyReportDetails.firstStatusRow.height }},
"w": 12,
"x": 0,
"y": 0
@ -125,7 +127,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
"instant": true,
"interval": "",
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
@ -159,7 +161,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.firstStatusRow.height }},
"h": {{ $root.policyReportDetails.firstStatusRow.height }},
"w": 12,
"x": 12,
"y": 0
@ -180,7 +182,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
"instant": true,
"interval": "",
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
@ -192,7 +194,7 @@ data:
"title": "Policy Fail Status",
"type": "bargauge"
}
{{- if .Values.policyReportDetails.secondStatusRow.enabled }}
{{- if $root.policyReportDetails.secondStatusRow.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -215,7 +217,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.secondStatusRow.height }},
"h": {{ $root.policyReportDetails.secondStatusRow.height }},
"w": 12,
"x": 0,
"y": 7
@ -236,7 +238,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
"instant": true,
"interval": "",
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
@ -270,7 +272,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.secondStatusRow.height }},
"h": {{ $root.policyReportDetails.secondStatusRow.height }},
"w": 12,
"x": 12,
"y": 7
@ -291,7 +293,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by ({{ $nsLabel }}, pod)) by ({{ $nsLabel }})",
"instant": true,
"interval": "",
"legendFormat": "{{ printf `{{%s}}` $nsLabel }}",
@ -304,7 +306,7 @@ data:
"type": "bargauge"
}
{{- end }}
{{- if .Values.policyReportDetails.statusTimeline.enabled }}
{{- if $root.policyReportDetails.statusTimeline.enabled }}
,{
"datasource": {
"uid": "${DS_PROMETHEUS}"
@ -408,7 +410,7 @@ data:
]
},
"gridPos": {
"h": {{ .Values.policyReportDetails.statusTimeline.height }},
"h": {{ $root.policyReportDetails.statusTimeline.height }},
"w": 24,
"x": 0,
"y": 10
@ -417,7 +419,7 @@ data:
"pluginVersion": "10.4.1",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, {{ $nsLabel }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} } > 0) by (status, pod, {{ $nsLabel }})) by (status, {{ $nsLabel }})",
"interval": "",
"legendFormat": "{{ printf `{{%s}}` $nsLabel }} {{`{{ status }}`}}",
"refId": "A",
@ -446,7 +448,7 @@ data:
"timeShift": null
}
{{- end }}
{{- if .Values.policyReportDetails.passTable.enabled }}
{{- if $root.policyReportDetails.passTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -472,7 +474,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.passTable.height }},
"h": {{ $root.policyReportDetails.passTable.height }},
"w": 24,
"x": 0,
"y": 19
@ -484,7 +486,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"pass\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -501,7 +503,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {
@ -526,7 +527,7 @@ data:
"type": "table"
}
{{- end }}
{{- if .Values.policyReportDetails.failTable.enabled }}
{{- if $root.policyReportDetails.failTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -552,7 +553,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.failTable.height }},
"h": {{ $root.policyReportDetails.failTable.height }},
"w": 24,
"x": 0,
"y": 27
@ -564,7 +565,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"fail\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -581,7 +582,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {
@ -606,7 +606,7 @@ data:
"type": "table"
}
{{- end }}
{{- if .Values.policyReportDetails.warningTable.enabled }}
{{- if $root.policyReportDetails.warningTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -629,7 +629,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.warningTable.height }},
"h": {{ $root.policyReportDetails.warningTable.height }},
"w": 24,
"x": 0,
"y": 35
@ -641,7 +641,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"warn\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
"format": "table",
"instant": true,
"interval": "",
@ -658,7 +658,6 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {
@ -683,7 +682,7 @@ data:
"type": "table"
}
{{- end }}
{{- if .Values.policyReportDetails.errorTable.enabled }}
{{- if $root.policyReportDetails.errorTable.enabled }}
,{
"datasource": "${DS_PROMETHEUS}",
"fieldConfig": {
@ -706,7 +705,7 @@ data:
"overrides": []
},
"gridPos": {
"h": {{ .Values.policyReportDetails.errorTable.height }},
"h": {{ $root.policyReportDetails.errorTable.height }},
"w": 24,
"x": 0,
"y": 40
@ -718,7 +717,7 @@ data:
"pluginVersion": "7.1.5",
"targets": [
{
"expr": "sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }} )",
"expr": "max(sum(policy_report_result{policy=~\"$policy\", rule=~\"$rule\", category=~\"$category\", severity=~\"$severity\", source=~\"$source\", kind=~\"$kind\", {{ $nsLabel }}=~\"$namespace\", status=\"error\"{{ range $filters }}, {{.}}=~\"${{.}}\"{{ end }} }) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})) by ({{ $nsLabel }},category,policy,rule,kind,name,severity,status,source{{ range $filters }},{{.}}{{ end }})",
"format": "table",
"instant": true,
"interval": "",
@ -735,12 +734,10 @@ data:
"options": {
"excludeByName": {
"Time": true,
"Value": true,
"status": false
},
"indexByName": {
"Time": 0,
"Value": 9,
"category": 1,
"{{ $nsLabel }}": 3,
"kind": 4,
@ -748,7 +745,8 @@ data:
"policy": 6,
"rule": 7,
"severity": 2,
"status": 8
"status": 8,
"Value": 9
},
"renameByName": {
"{{ $nsLabel }}": "namespace"

View file

@ -0,0 +1,19 @@
{{- if and .Values.monitoring.grafana.dashboards.enabled .Values.monitoring.grafana.dashboards.enable.policyReportDetails .Values.monitoring.grafana.grafanaDashboard.enabled }}
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDashboard
metadata:
labels:
{{ .Values.monitoring.grafana.dashboards.label }}: {{ .Values.monitoring.grafana.dashboards.value | quote }}
{{- include "monitoring.labels" . | nindent 4 }}
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
namespace: {{ include "policyreporter.namespace" . }}
spec:
allowCrossNamespaceImport: {{ .Values.monitoring.grafana.grafanaDashboard.allowCrossNamespaceImport }}
folder: {{ .Values.monitoring.grafana.grafanaDashboard.folder }}
instanceSelector:
matchLabels:
{{- toYaml .Values.monitoring.grafana.grafanaDashboard.matchLabels | nindent 6 }}
configMapRef:
name: {{ include "monitoring.fullname" . }}-policy-details-dashboard
key: policy-reporter-details-dashboard.json
{{- end }}

View file

@ -1,28 +1,29 @@
{{- if and .Values.monitoring.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "monitoring.fullname" . }}
namespace: {{ include "monitoring.smNamespace" . }}
{{- if .Values.annotations }}
{{- if .Values.monitoring.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- toYaml .Values.monitoring.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "monitoring.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- with .Values.monitoring.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "policyreporter.selectorLabels" . | nindent 8 }}
{{- with .Values.serviceMonitor.namespaceSelector }}
{{- with .Values.monitoring.serviceMonitor.namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
endpoints:
- port: http
{{- if and .Values.global.basicAuth.username .Values.global.basicAuth.password }}
{{- if and .Values.basicAuth.username .Values.basicAuth.password }}
basicAuth:
password:
name: {{ include "monitoring.fullname" . }}-auth
@ -30,32 +31,28 @@ spec:
username:
name: {{ include "monitoring.fullname" . }}-auth
key: username
{{- else if .Values.global.basicAuth.secretRef }}
{{- else if .Values.basicAuth.secretRef }}
basicAuth:
password:
name: {{ .Values.global.basicAuth.secretRef }}
name: {{ .Values.basicAuth.secretRef }}
key: password
username:
name: {{ .Values.global.basicAuth.secretRef }}
name: {{ .Values.basicAuth.secretRef }}
key: username
{{- end }}
honorLabels: {{ .Values.serviceMonitor.honorLabels }}
{{- if .Values.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
honorLabels: {{ .Values.monitoring.serviceMonitor.honorLabels }}
{{- if .Values.monitoring.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.monitoring.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.serviceMonitor.interval }}
interval: {{ .Values.serviceMonitor.interval }}
{{- if .Values.monitoring.serviceMonitor.interval }}
interval: {{ .Values.monitoring.serviceMonitor.interval }}
{{- end }}
{{- with .Values.monitoring.serviceMonitor.relabelings }}
relabelings:
- action: labeldrop
regex: pod|service|container
- targetLabel: instance
replacement: policy-reporter
action: replace
{{- with .Values.serviceMonitor.relabelings }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceMonitor.metricRelabelings }}
{{- with .Values.monitoring.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View file

@ -22,21 +22,21 @@ spec:
matchLabels: {{- include "ui.selectorLabels" . | nindent 10 }}
ports:
- protocol: TCP
port: 8080
port: {{ .Values.ui.service.port }}
{{- end }}
{{- if .Values.plugin.trivy.enabled }}
- from:
- podSelector:
matchLabels: {{- include "trivy-plugin.selectorLabels" . | nindent 10 }}
ports:
- protocol: TCP
port: {{ .Values.plugin.trivy.service.port }}
{{- end }}
{{- with .Values.networkPolicy.ingress }}
{{- toYaml . | nindent 2 }}
{{- end }}
egress:
{{- if .Values.ui.enabled }}
- to:
- podSelector:
matchLabels: {{- include "ui.selectorLabels" . | nindent 10 }}
ports:
- protocol: TCP
port: {{ .Values.ui.service.port }}
{{- end }}
{{- with .Values.networkPolicy.egress }}
egress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,68 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "kyverno-plugin.name" -}}
{{ template "policyreporter.name" . }}-kyverno-plugin
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kyverno-plugin.fullname" -}}
{{ template "policyreporter.fullname" . }}-kyverno-plugin
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kyverno-plugin.chart" -}}
{{ template "policyreporter.chart" . }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kyverno-plugin.labels" -}}
helm.sh/chart: {{ include "kyverno-plugin.chart" . }}
{{ include "kyverno-plugin.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.global.labels }}
{{ toYaml . }}
{{- end -}}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kyverno-plugin.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kyverno-plugin.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kyverno-plugin.serviceAccountName" -}}
{{- if .Values.plugin.kyverno.serviceAccount.create }}
{{- default (include "kyverno-plugin.fullname" .) .Values.plugin.kyverno.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.plugin.kyverno.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "kyverno-plugin.podDisruptionBudget" -}}
{{- if and .Values.plugin.kyverno.podDisruptionBudget.minAvailable .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both" -}}
{{- end }}
{{- if not .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.plugin.kyverno.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.plugin.kyverno.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}

View file

@ -1,15 +1,12 @@
{{- if .Values.rbac.enabled -}}
{{- if .Values.plugin.kyverno.enabled -}}
{{- if .Values.plugin.kyverno.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
{{- if .Values.annotations }}
annotations:
{{- toYaml .Values.annotations | nindent 4 }}
{{- end }}
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyvernoplugin.labels" . | nindent 4 }}
name: {{ include "kyvernoplugin.fullname" . }}
{{- include "kyverno-plugin.labels" . | nindent 4 }}
name: {{ include "kyverno-plugin.fullname" . }}
rules:
- apiGroups:
- '*'
@ -21,8 +18,7 @@ rules:
verbs:
- get
- list
- watch
{{- if .Values.blockReports.enabled }}
{{- if .Values.plugin.kyverno.blockReports.enabled }}
- apiGroups:
- ""
resources:
@ -44,14 +40,6 @@ rules:
- create
- update
- delete
{{- else }}
- apiGroups:
- '*'
resources:
- policyreports
- clusterpolicyreports
verbs:
- get
- list
{{- end }}
{{- end -}}
{{- end }}
{{- end }}

View file

@ -0,0 +1,18 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kyverno-plugin.fullname" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
name: {{ include "kyverno-plugin.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: {{ include "kyverno-plugin.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,12 @@
{{- if .Values.plugin.kyverno.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "kyverno-plugin.fullname" . }}-config
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
type: Opaque
data:
config.yaml: {{ tpl (.Files.Get "configs/kyverno-plugin.tmpl") . | b64enc }}
{{- end }}

View file

@ -0,0 +1,103 @@
{{- if .Values.plugin.kyverno.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kyverno-plugin.fullname" . }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.plugin.kyverno.replicaCount }}
revisionHistoryLimit: {{ .Values.plugin.kyverno.revisionHistoryLimit }}
{{- with .Values.plugin.kyverno.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kyverno-plugin.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/secret: {{ include (print .Template.BasePath "/plugins/kyverno/config-secret.yaml") . | sha256sum | quote }}
{{- with .Values.plugin.kyverno.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 8 }}
{{- with .Values.plugin.kyverno.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.plugin.kyverno.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kyverno-plugin.serviceAccountName" . }}
{{- if .Values.plugin.kyverno.podSecurityContext }}
securityContext:
{{- toYaml .Values.plugin.kyverno.podSecurityContext | nindent 8 }}
{{- end }}
containers:
- name: policy-reporter-kyverno-plugin
{{- if .Values.plugin.kyverno.securityContext }}
securityContext:
{{- toYaml .Values.plugin.kyverno.securityContext | nindent 12 }}
{{- end }}
image: "{{ .Values.plugin.kyverno.image.registry }}/{{ .Values.plugin.kyverno.image.repository }}:{{ .Values.plugin.kyverno.image.tag }}"
imagePullPolicy: {{ .Values.plugin.kyverno.image.pullPolicy }}
args:
- run
- --config=/app/config.yaml
- --port={{ .Values.plugin.kyverno.server.port }}
ports:
- name: http
containerPort: {{ .Values.plugin.kyverno.server.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /api/v1/policies
port: http
readinessProbe:
httpGet:
path: /api/v1/policies
port: http
resources:
{{- toYaml .Values.plugin.kyverno.resources | nindent 12 }}
volumeMounts:
- name: config-file
mountPath: /app/config.yaml
subPath: config.yaml
readOnly: true
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if gt (int .Values.plugin.kyverno.replicaCount) 1 }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
{{- end }}
{{- with .Values.plugin.kyverno.envVars }}
{{- . | toYaml | trim | nindent 10 }}
{{- end }}
volumes:
- name: config-file
secret:
secretName: {{ include "kyverno-plugin.fullname" . }}-config
optional: true
{{- with .Values.plugin.kyverno.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.plugin.kyverno.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.plugin.kyverno.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,61 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if .Values.plugin.kyverno.ingress.enabled -}}
{{- $fullName := include "kyverno-plugin.fullname" . -}}
{{- $svcPort := .Values.plugin.kyverno.service.port -}}
{{- if and .Values.plugin.kyverno.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.plugin.kyverno.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.plugin.kyverno.ingress.annotations "kubernetes.io/ingress.class" .Values.plugin.kyverno.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
{{- with .Values.plugin.kyverno.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.plugin.kyverno.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.plugin.kyverno.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.plugin.kyverno.ingress.className }}
{{- end }}
{{- if .Values.plugin.kyverno.ingress.tls }}
tls:
{{- toYaml .Values.plugin.kyverno.ingress.tls | nindent 4 }}
{{- end }}
rules:
{{- range .Values.plugin.kyverno.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,24 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if .Values.plugin.kyverno.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels: {{- include "kyverno-plugin.labels" . | nindent 4 }}
name: {{ include "kyverno-plugin.fullname" . }}
namespace: {{ include "policyreporter.namespace" . }}
spec:
podSelector:
matchLabels: {{- include "kyverno-plugin.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- with .Values.plugin.kyverno.networkPolicy.ingress }}
ingress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.plugin.kyverno.networkPolicy.egress }}
egress:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,19 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if (gt (int .Values.plugin.kyverno.replicaCount) 1) }}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "kyverno-plugin.fullname" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
spec:
{{- include "kyverno-plugin.podDisruptionBudget" . | indent 2 }}
selector:
matchLabels:
{{- include "kyverno-plugin.selectorLabels" . | nindent 6 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,22 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1)) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
name: {{ include "kyverno-plugin.fullname" . }}-leaderelection
namespace: {{ include "policyreporter.namespace" . }}
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end }}
{{- end }}

View file

@ -0,0 +1,19 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1)) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kyverno-plugin.fullname" . }}-leaderelection
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
roleRef:
kind: Role
name: {{ include "kyverno-plugin.fullname" . }}-leaderelection
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: {{ include "kyverno-plugin.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,17 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
name: {{ include "kyverno-plugin.fullname" . }}-secret-reader
namespace: {{ include "policyreporter.namespace" . }}
rules:
- apiGroups: ['']
resources:
- secrets
verbs:
- get
{{- end }}
{{- end }}

View file

@ -0,0 +1,19 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kyverno-plugin.fullname" . }}-secret-reader
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
roleRef:
kind: Role
name: {{ include "kyverno-plugin.fullname" . }}-secret-reader
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: {{ include "kyverno-plugin.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,25 @@
{{- if .Values.plugin.kyverno.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kyverno-plugin.fullname" . }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
{{- with .Values.plugin.kyverno.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.plugin.kyverno.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.plugin.kyverno.service.type }}
ports:
- port: {{ .Values.plugin.kyverno.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "kyverno-plugin.selectorLabels" . | nindent 4 }}
{{- end }}

View file

@ -0,0 +1,16 @@
{{- if .Values.plugin.kyverno.enabled -}}
{{- if .Values.plugin.kyverno.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kyverno-plugin.serviceAccountName" . }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "kyverno-plugin.labels" . | nindent 4 }}
{{- with .Values.plugin.kyverno.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.plugin.kyverno.serviceAccount.automount }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,68 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "trivy-plugin.name" -}}
{{ template "policyreporter.name" . }}-trivy-plugin
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "trivy-plugin.fullname" -}}
{{ template "policyreporter.fullname" . }}-trivy-plugin
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "trivy-plugin.chart" -}}
{{ template "policyreporter.chart" . }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "trivy-plugin.labels" -}}
helm.sh/chart: {{ include "trivy-plugin.chart" . }}
{{ include "trivy-plugin.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.global.labels }}
{{ toYaml . }}
{{- end -}}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "trivy-plugin.selectorLabels" -}}
app.kubernetes.io/name: {{ include "trivy-plugin.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "trivy-plugin.serviceAccountName" -}}
{{- if .Values.plugin.trivy.serviceAccount.create }}
{{- default (include "trivy-plugin.fullname" .) .Values.plugin.trivy.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.plugin.trivy.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "trivy-plugin.podDisruptionBudget" -}}
{{- if and .Values.plugin.trivy.podDisruptionBudget.minAvailable .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both" -}}
{{- end }}
{{- if not .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.plugin.trivy.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.plugin.trivy.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,12 @@
{{- if .Values.plugin.trivy.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "trivy-plugin.fullname" . }}-config
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
type: Opaque
data:
config.yaml: {{ tpl (.Files.Get "configs/trivy-plugin.tmpl") . | b64enc }}
{{- end }}

View file

@ -0,0 +1,97 @@
{{- if .Values.plugin.trivy.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "trivy-plugin.fullname" . }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.plugin.trivy.replicaCount }}
revisionHistoryLimit: {{ .Values.plugin.trivy.revisionHistoryLimit }}
{{- with .Values.plugin.trivy.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "trivy-plugin.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
checksum/secret: {{ include (print .Template.BasePath "/plugins/trivy/config-secret.yaml") . | sha256sum | quote }}
{{- with .Values.plugin.trivy.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "trivy-plugin.labels" . | nindent 8 }}
{{- with .Values.plugin.trivy.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.plugin.trivy.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "trivy-plugin.serviceAccountName" . }}
{{- if .Values.plugin.trivy.podSecurityContext }}
securityContext:
{{- toYaml .Values.plugin.trivy.podSecurityContext | nindent 8 }}
{{- end }}
containers:
- name: policy-reporter-trivy-plugin
{{- if .Values.plugin.trivy.securityContext }}
securityContext:
{{- toYaml .Values.plugin.trivy.securityContext | nindent 12 }}
{{- end }}
image: "{{ .Values.plugin.trivy.image.registry }}/{{ .Values.plugin.trivy.image.repository }}:{{ .Values.plugin.trivy.image.tag }}"
imagePullPolicy: {{ .Values.plugin.trivy.image.pullPolicy }}
args:
- run
- --config=/app/config.yaml
- --port={{ .Values.plugin.trivy.server.port }}
ports:
- name: http
containerPort: {{ .Values.plugin.trivy.server.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /api/vulnr/v1/policies
port: http
readinessProbe:
httpGet:
path: /api/vulnr/v1/policies
port: http
resources:
{{- toYaml .Values.plugin.trivy.resources | nindent 12 }}
volumeMounts:
- name: config-file
mountPath: /app/config.yaml
subPath: config.yaml
readOnly: true
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.plugin.trivy.envVars }}
{{- . | toYaml | trim | nindent 10 }}
{{- end }}
volumes:
- name: config-file
secret:
secretName: {{ include "trivy-plugin.fullname" . }}-config
optional: true
{{- with .Values.plugin.trivy.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.plugin.trivy.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.plugin.trivy.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,61 @@
{{- if .Values.plugin.trivy.enabled -}}
{{- if .Values.plugin.trivy.ingress.enabled -}}
{{- $fullName := include "trivy-plugin.fullname" . -}}
{{- $svcPort := .Values.plugin.trivy.service.port -}}
{{- if and .Values.plugin.trivy.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.plugin.trivy.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.plugin.trivy.ingress.annotations "kubernetes.io/ingress.class" .Values.plugin.trivy.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
{{- with .Values.plugin.trivy.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.plugin.trivy.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.plugin.trivy.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.plugin.trivy.ingress.className }}
{{- end }}
{{- if .Values.plugin.trivy.ingress.tls }}
tls:
{{- toYaml .Values.plugin.trivy.ingress.tls | nindent 4 }}
{{- end }}
rules:
{{- range .Values.plugin.trivy.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,31 @@
{{- if .Values.plugin.trivy.enabled -}}
{{- if .Values.plugin.trivy.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels: {{- include "trivy-plugin.labels" . | nindent 4 }}
name: {{ include "trivy-plugin.fullname" . }}
namespace: {{ include "policyreporter.namespace" . }}
spec:
podSelector:
matchLabels: {{- include "trivy-plugin.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- with .Values.plugin.trivy.networkPolicy.ingress }}
ingress:
{{- toYaml . | nindent 2 }}
{{- end }}
egress:
- to:
- podSelector:
matchLabels:
{{- include "policyreporter.selectorLabels" . | nindent 10 }}
ports:
- protocol: TCP
port: {{ .Values.service.port }}
{{- with .Values.plugin.trivy.networkPolicy.egress }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,20 @@
{{- if .Values.plugin.trivy.enabled -}}
{{- if (gt (int .Values.plugin.trivy.replicaCount) 1) }}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "trivy-plugin.fullname" . }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
spec:
{{- include "trivy-plugin.podDisruptionBudget" . | indent 2 }}
selector:
matchLabels:
{{- include "trivy-plugin.selectorLabels" . | nindent 6 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,17 @@
{{- if .Values.plugin.trivy.enabled -}}
{{- if and .Values.plugin.trivy.serviceAccount.create .Values.plugin.trivy.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
name: {{ include "trivy-plugin.fullname" . }}-secret-reader
namespace: {{ include "policyreporter.namespace" . }}
rules:
- apiGroups: ['']
resources:
- secrets
verbs:
- get
{{- end }}
{{- end }}

View file

@ -0,0 +1,19 @@
{{- if .Values.plugin.trivy.enabled -}}
{{- if and .Values.plugin.trivy.serviceAccount.create .Values.plugin.trivy.rbac.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "trivy-plugin.fullname" . }}-secret-reader
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
roleRef:
kind: Role
name: {{ include "trivy-plugin.fullname" . }}-secret-reader
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: "ServiceAccount"
name: {{ include "trivy-plugin.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,25 @@
{{- if .Values.plugin.trivy.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "trivy-plugin.fullname" . }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
{{- with .Values.plugin.trivy.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.plugin.trivy.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.plugin.trivy.service.type }}
ports:
- port: {{ .Values.plugin.trivy.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "trivy-plugin.selectorLabels" . | nindent 4 }}
{{- end }}

View file

@ -0,0 +1,16 @@
{{- if .Values.plugin.trivy.enabled -}}
{{- if .Values.plugin.trivy.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "trivy-plugin.serviceAccountName" . }}
namespace: {{ include "policyreporter.namespace" . }}
labels:
{{- include "trivy-plugin.labels" . | nindent 4 }}
{{- with .Values.plugin.trivy.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.plugin.trivy.serviceAccount.automount }}
{{- end }}
{{- end }}

View file

@ -1,4 +1,4 @@
{{- if and .Values.rbac.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1)) -}}
{{- if and .Values.rbac.enabled (gt (int .Values.replicaCount) 1) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:

View file

@ -1,4 +1,4 @@
{{- if and .Values.rbac.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1)) -}}
{{- if and .Values.rbac.enabled (gt (int .Values.replicaCount) 1) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:

Some files were not shown because too many files have changed in this diff Show more