Add static install manifests (#38)

* Add static install manifests * Remove unused value
2024-12-14 11:57:32 +00:00 · 2021-05-21 12:29:51 +02:00 · 2021-05-21 12:29:51 +02:00 · ea0d079d01
commit ea0d079d01
parent af1285c08f
17 changed files with 785 additions and 18 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 # Changelog
 # 1.6.1
 * Add .global.fullnameOverride as new configuration for Policy Reporter Helm Chart
 * Add static manifests to install Policy Reporter without Helm or Kustomize
 # 1.6.0
 * Internal refactoring
    * Unification of PolicyReports and ClusterPolicyReports processing, APIs still stable
--- a/README.md
+++ b/README.md
@ -30,6 +30,10 @@ helm repo update
 helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace
 ```
 ### Installation without Helm or Kustomize
 To install Policy Reporter without Helm or Kustomize have a look at [manifests](https://github.com/fjogeleit/policy-reporter/tree/main/manifest).
 ## Policy Reporter UI
 You can use the Policy Reporter as standalone Application along with the optional UI SubChart.
--- a/charts/policy-reporter/Chart.lock
+++ b/charts/policy-reporter/Chart.lock
@ -1,12 +1,12 @@
 dependencies:
 - name: monitoring
  repository: ""
-  version: 1.1.0
+  version: 1.2.0
 - name: ui
  repository: ""
-  version: 1.5.0
+  version: 1.6.0
 - name: kyvernoPlugin
  repository: ""
-  version: 0.1.1
+  version: 0.2.0
-digest: sha256:a80a1c39cbd48116dca9d4d70da23d00456c4e523914a176355c36f0d73ecd1b
+digest: sha256:c32c38e295ebe08651a81937858ba920212bd075aa7605189919c20820067e85
-generated: "2021-05-12T10:32:58.510553+02:00"
+generated: "2021-05-21T10:53:50.045598+02:00"
--- a/charts/policy-reporter/Chart.yaml
+++ b/charts/policy-reporter/Chart.yaml
@ -5,19 +5,19 @@ description: |
  It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
 type: application
-version: 1.6.0
+version: 1.6.1
 appVersion: 1.6.0
 dependencies:
  - name: monitoring
    condition: monitoring.enabled
    repository: ""
-    version: "1.1.0"
+    version: "1.2.0"
  - name: ui
    condition: ui.enabled
    repository: ""
-    version: "1.5.0"
+    version: "1.6.0"
  - name: kyvernoPlugin
    condition: kyvernoPlugin.enabled
    repository: ""
-    version: "0.1.1"
+    version: "0.2.0"
--- a/charts/policy-reporter/charts/kyvernoPlugin/Chart.yaml
+++ b/charts/policy-reporter/charts/kyvernoPlugin/Chart.yaml
@ -3,5 +3,5 @@ name: kyvernoPlugin
 description: Policy Reporter Kyverno Plugin
 type: application
-version: 0.1.1
+version: 0.2.0
 appVersion: 0.1.1
--- a/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl
+++ b/charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl
@ -5,7 +5,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "kyvernoplugin.fullname" -}}
 {{- $name := "kyverno-plugin" }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
 {{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
 {{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
--- a/charts/policy-reporter/charts/monitoring/Chart.yaml
+++ b/charts/policy-reporter/charts/monitoring/Chart.yaml
@ -3,5 +3,5 @@ name: monitoring
 description: Policy Reporter Monitoring with predefined ServiceMonitor and Grafana Dashboards
 type: application
-version: 1.1.0
+version: 1.2.0
 appVersion: 0.0.0
--- a/charts/policy-reporter/charts/monitoring/templates/_helpers.tpl
+++ b/charts/policy-reporter/charts/monitoring/templates/_helpers.tpl
@ -5,7 +5,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "monitoring.fullname" -}}
 {{- $name := .Chart.Name }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
 {{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
 {{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
--- a/charts/policy-reporter/charts/ui/Chart.yaml
+++ b/charts/policy-reporter/charts/ui/Chart.yaml
@ -3,5 +3,5 @@ name: ui
 description: Policy Reporter UI
 type: application
-version: 1.5.0
+version: 1.6.0
 appVersion: 0.10.2
--- a/charts/policy-reporter/charts/ui/templates/_helpers.tpl
+++ b/charts/policy-reporter/charts/ui/templates/_helpers.tpl
@ -5,7 +5,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "ui.fullname" -}}
 {{- $name := .Chart.Name }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
 {{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
 {{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
@ -53,3 +55,23 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
 {{- define "ui.kyvernoPluginServiceName" -}}
 {{- $name := "kyverno-plugin" }}
 {{- if .Values.global.fullnameOverride }}
 {{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
 {{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- define "ui.policyReportServiceName" -}}
 {{- $name := .Chart.Name }}
 {{- if .Values.global.fullnameOverride }}
 {{- .Values.global.fullnameOverride }}
 {{- else }}
 {{- .Values.global.backend }}
 {{- end }}
 {{- end }}
--- a/charts/policy-reporter/charts/ui/templates/deployment.yaml
+++ b/charts/policy-reporter/charts/ui/templates/deployment.yaml
@ -42,10 +42,10 @@ spec:
            {{- toYaml .Values.securityContext | nindent 12 }}
          {{- end }}
          args:
-            - -backend=http://{{ .Values.global.backend }}:{{ .Values.global.port }}
+            - -backend=http://{{ include "ui.policyReportServiceName" . }}:{{ .Values.global.port }}
            - -log-size={{ .Values.log.size }}
            {{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno }}
-            - -kyverno-plugin=http://policy-reporter-kyverno-plugin:8080
+            - -kyverno-plugin=http://{{ include "ui.kyvernoPluginServiceName" . }}:8080
            {{- end }}
          ports:
            - name: http
--- a/charts/policy-reporter/templates/_helpers.tpl
+++ b/charts/policy-reporter/templates/_helpers.tpl
@ -9,7 +9,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "policyreporter.fullname" -}}
 {{- $name := .Chart.Name }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
 {{- .Values.global.fullnameOverride }}
 {{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
--- a/charts/policy-reporter/values.yaml
+++ b/charts/policy-reporter/values.yaml
@ -92,6 +92,7 @@ global:
  backend: policy-reporter
  # Service Port number
  port: 8080
  fullnameOverride: ""
 # DEPRECTED - Can be removed
 # Policy Reporter watches now for both existing versions by default
--- a/manifest/README.md
+++ b/manifest/README.md
@ -0,0 +1,50 @@
 # Installation Manifests for Policy Reporter
 You can use this manifests to install Policy Reporter without additional tools like Helm or Kustomize. The manifests are structured into three installations.
 The installation requires a `policy-reporter` namespace. Because the installation includes RBAC resources which requires a serviceAccountName and a namespace configuration. The default namespace is `policy-reporter`. If this namespace will be created if it does not exist.
 ## Policy Reporter
 The `policy-reporter` folder is the basic installation for Policy Reporter without the UI. Includes a basic Configuration Secret `policy-reporter-targets`, empty by default and the `http://policy-reporter:2112/metrics` Endpoint.
 ### Installation
 ```bash
 kubectl apply -f ./manifest/policy-reporter/install.yaml
 ```
 ## Default Policy Reporter UI
 The `default-policy-reporter-ui` folder is the extended Policy Reporter and the default Policy Reporter UI installation. 
 Enables: 
 * Policy Reporter REST API (`http://policy-reporter:8080`) 
 * Policy Reporter UI Endpoint (`http://policy-reporter-ui:8080`). 
 Configures Policy Reporter UI as Target for Policy Reporter.
 ### Installation
 ```bash
 kubectl apply -f ./manifest/default-policy-reporter-ui/install.yaml
 ```
 ## Kyverno Policy Reporter UI
 The `default-policy-reporter-ui` folder is the extended Policy Reporter, Policy Reporter Kyverno Plugin and the extended Policy Reporter UI installation. 
 Enables:
 * Policy Reporter REST API (`http://policy-reporter:8080`)
 * Policy Reporter Metrics API (`http://policy-reporter:2112/metrics`)
 * Kyverno Plugin Rest API (`http://policy-reporter-kyverno-plugin:2112/policies`)
 * Kyverno Plugin Metrics API (`http://policy-reporter-kyverno-plugin:2113/metrics`) 
 * Policy Reporter UI Endpoint (`http://policy-reporter-ui:8080`). 
 Configures Policy Reporter UI as Target for Policy Reporter and enables the Kyverno Dashboard.
 ### Installation
 ```bash
 kubectl apply -f ./manifest/kyverno-policy-reporter-ui/install.yaml
 ```
--- a/manifest/default-policy-reporter-ui/install.yaml
+++ b/manifest/default-policy-reporter-ui/install.yaml
@ -0,0 +1,211 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: policy-reporter
 spec: {}
 status: {}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: policy-reporter
 rules:
 - apiGroups:
  - '*'
  resources:
  - policyreports
  - policyreports/status
  - clusterpolicyreports
  - clusterpolicyreports/status
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: policy-reporter
 roleRef:
  kind: ClusterRole
  name: policy-reporter
  apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: "ServiceAccount"
  name: policy-reporter
  namespace: policy-reporter
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: policy-reporter-targets
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 type: Opaque
 data:
  config.yaml: bG9raToKICBob3N0OiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCmVsYXN0aWNzZWFyY2g6CiAgaG9zdDogIiIKICBpbmRleDogInBvbGljeS1yZXBvcnRlciIKICByb3RhdGlvbjogImRheWxpIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnNsYWNrOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKZGlzY29yZDoKICB3ZWJob29rOiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnRlYW1zOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKdWk6CiAgaG9zdDogaHR0cDovL3BvbGljeS1yZXBvcnRlci11aTo4MDgwCiAgbWluaW11bVByaW9yaXR5OiAid2FybmluZyIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUK
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: policy-reporter-ui
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter-ui
 spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: policy-reporter-ui
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 spec:
  type: ClusterIP
  ports:
    - port: 2112
      targetPort: http
      protocol: TCP
      name: http
    - port: 8080
      targetPort: rest
      protocol: TCP
      name: rest
  selector:
    app.kubernetes.io/name: policy-reporter
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: policy-reporter-ui
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter-ui
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter-ui
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter-ui
    spec:
      automountServiceAccountToken: false
      containers:
        - name: ui
          image: "fjogeleit/policy-reporter-ui:0.10.2"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1234
          args:
            - -backend=http://policy-reporter:8080
            - -log-size=200
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          resources:
            {}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter
        app.kubernetes.io/instance: policy-reporter
    spec:
      serviceAccountName: policy-reporter
      automountServiceAccountToken: true
      containers:
        - name: policy-reporter
          image: "fjogeleit/policy-reporter:1.6.0"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1234
          args:
            - --config=/app/config.yaml
            - --apiPort=8080
          ports:
            - name: http
              containerPort: 2112
              protocol: TCP
            - name: rest
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /metrics
              port: http
          readinessProbe:
            httpGet:
              path: /metrics
              port: http
          resources:
            {}
          volumeMounts:
          - name: config-file
            mountPath: /app/config.yaml
            subPath: config.yaml
          env:
          - name: NAMESPACE
            value: policy-reporter
      volumes:
      - name: config-file
        secret:
          secretName: policy-reporter-targets
          optional: true
--- a/manifest/kyverno-policy-reporter-ui/install.yaml
+++ b/manifest/kyverno-policy-reporter-ui/install.yaml
@ -0,0 +1,333 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: policy-reporter
 spec: {}
 status: {}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: policy-reporter
 rules:
 - apiGroups:
  - '*'
  resources:
  - policyreports
  - policyreports/status
  - clusterpolicyreports
  - clusterpolicyreports/status
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: policy-reporter
 roleRef:
  kind: ClusterRole
  name: policy-reporter
  apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: "ServiceAccount"
  name: policy-reporter
  namespace: policy-reporter
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: policy-reporter-kyverno-plugin
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: kyverno-plugin
    app.kubernetes.io/instance: policy-reporter
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: policy-reporter-targets
  namespace: policy-reporter
  labels:
    helm.sh/chart: policy-reporter-1.6.0
    app.kubernetes.io/name: policy-reporter
    app.kubernetes.io/instance: policy-reporter
    app.kubernetes.io/version: "1.6.0"
    app.kubernetes.io/managed-by: Helm
 type: Opaque
 data:
  config.yaml: bG9raToKICBob3N0OiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCmVsYXN0aWNzZWFyY2g6CiAgaG9zdDogIiIKICBpbmRleDogInBvbGljeS1yZXBvcnRlciIKICByb3RhdGlvbjogImRheWxpIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnNsYWNrOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKZGlzY29yZDoKICB3ZWJob29rOiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnRlYW1zOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKdWk6CiAgaG9zdDogaHR0cDovL3BvbGljeS1yZXBvcnRlci11aTo4MDgwCiAgbWluaW11bVByaW9yaXR5OiAid2FybmluZyIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUK
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: policy-reporter-kyverno-plugin
 rules:
 - apiGroups:
  - '*'
  resources:
  - policies
  - policies/status
  - clusterpolicies
  - clusterpolicies/status
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: policy-reporter-kyverno-plugin
 roleRef:
  kind: ClusterRole
  name: policy-reporter-kyverno-plugin
  apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: "ServiceAccount"
  name: policy-reporter-kyverno-plugin
  namespace: policy-reporter
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: policy-reporter-kyverno-plugin
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: kyverno-plugin
    app.kubernetes.io/instance: policy-reporter
 spec:
  type: ClusterIP
  ports:
    - port: 2113
      targetPort: http
      protocol: TCP
      name: http
    - port: 8080
      targetPort: rest
      protocol: TCP
      name: rest
  selector:
    app.kubernetes.io/name: kyverno-plugin
    app.kubernetes.io/instance: policy-reporter
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: policy-reporter-ui
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter-ui
 spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: policy-reporter-ui
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 spec:
  type: ClusterIP
  ports:
    - port: 2112
      targetPort: http
      protocol: TCP
      name: http
    - port: 8080
      targetPort: rest
      protocol: TCP
      name: rest
  selector:
    app.kubernetes.io/name: policy-reporter
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: policy-reporter-kyverno-plugin
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: kyverno-plugin
    app.kubernetes.io/instance: policy-reporter
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kyverno-plugin
      app.kubernetes.io/instance: policy-reporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kyverno-plugin
        app.kubernetes.io/instance: policy-reporter
    spec:
      serviceAccountName: policy-reporter-kyverno-plugin
      automountServiceAccountToken: true
      containers:
        - name: "kyverno-plugin"
          image: "fjogeleit/policy-reporter-kyverno-plugin:0.1.1"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1234
          args:
            - --apiPort=8080
          ports:
            - name: http
              containerPort: 2113
              protocol: TCP
            - name: rest
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /policies
              port: rest
          readinessProbe:
            httpGet:
              path: /policies
              port: rest
          resources:
            {}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: policy-reporter-ui
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter-ui
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter-ui
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter-ui
    spec:
      containers:
        - name: ui
          image: "fjogeleit/policy-reporter-ui:0.10.2"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1234
          args:
            - -backend=http://policy-reporter:8080
            - -log-size=200
            - -kyverno-plugin=http://policy-reporter-kyverno-plugin:8080
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          resources:
            {}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter
    spec:
      serviceAccountName: policy-reporter
      automountServiceAccountToken: true
      containers:
        - name: policy-reporter
          image: "fjogeleit/policy-reporter:1.6.0"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1234
          args:
            - --config=/app/config.yaml
            - --apiPort=8080
          ports:
            - name: http
              containerPort: 2112
              protocol: TCP
            - name: rest
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /metrics
              port: http
          readinessProbe:
            httpGet:
              path: /metrics
              port: http
          resources:
            {}
          volumeMounts:
          - name: config-file
            mountPath: /app/config.yaml
            subPath: config.yaml
          env:
          - name: NAMESPACE
            value: policy-reporter
      volumes:
      - name: config-file
        secret:
          secretName: policy-reporter-targets
          optional: true
--- a/manifest/policy-reporter/install.yaml
+++ b/manifest/policy-reporter/install.yaml
@ -0,0 +1,136 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: policy-reporter
 spec: {}
 status: {}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: policy-reporter-targets
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 type: Opaque
 data:
  config.yaml: bG9raToKICBob3N0OiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCmVsYXN0aWNzZWFyY2g6CiAgaG9zdDogIiIKICBpbmRleDogInBvbGljeS1yZXBvcnRlciIKICByb3RhdGlvbjogImRheWxpIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnNsYWNrOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKZGlzY29yZDoKICB3ZWJob29rOiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnRlYW1zOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKdWk6CiAgaG9zdDogCiAgbWluaW11bVByaW9yaXR5OiAid2FybmluZyIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUK
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: policy-reporter
 rules:
 - apiGroups:
  - '*'
  resources:
  - policyreports
  - policyreports/status
  - clusterpolicyreports
  - clusterpolicyreports/status
  verbs:
  - get
  - list
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: policy-reporter
 roleRef:
  kind: ClusterRole
  name: policy-reporter
  apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: "ServiceAccount"
  name: policy-reporter
  namespace: policy-reporter
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 spec:
  type: ClusterIP
  ports:
    - port: 2112
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: policy-reporter
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: policy-reporter
  namespace: policy-reporter
  labels:
    app.kubernetes.io/name: policy-reporter
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter
    spec:
      serviceAccountName: policy-reporter
      automountServiceAccountToken: true
      containers:
        - name: policy-reporter
          image: "fjogeleit/policy-reporter:1.6.0"
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - all
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1234
          args:
            - --config=/app/config.yaml
          ports:
            - name: http
              containerPort: 2112
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /metrics
              port: http
          readinessProbe:
            httpGet:
              path: /metrics
              port: http
          resources:
            {}
          volumeMounts:
          - name: config-file
            mountPath: /app/config.yaml
            subPath: config.yaml
          env:
          - name: NAMESPACE
            value: policy-reporter
      volumes:
      - name: config-file
        secret:
          secretName: policy-reporter-targets
          optional: true