Add static install manifests (#38)

* Add static install manifests
* Remove unused value

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+# 1.6.1
+* Add .global.fullnameOverride as new configuration for Policy Reporter Helm Chart
+* Add static manifests to install Policy Reporter without Helm or Kustomize
+
 # 1.6.0
 * Internal refactoring
     * Unification of PolicyReports and ClusterPolicyReports processing, APIs still stable

README.md

@@ -30,6 +30,10 @@ helm repo update
 helm install policy-reporter policy-reporter/policy-reporter -n policy-reporter --create-namespace
 ```
 
+### Installation without Helm or Kustomize
+
+To install Policy Reporter without Helm or Kustomize have a look at [manifests](https://github.com/fjogeleit/policy-reporter/tree/main/manifest).
+
 ## Policy Reporter UI
 
 You can use the Policy Reporter as standalone Application along with the optional UI SubChart.

charts/policy-reporter/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: monitoring
   repository: ""
-  version: 1.1.0
+  version: 1.2.0
 - name: ui
   repository: ""
-  version: 1.5.0
+  version: 1.6.0
 - name: kyvernoPlugin
   repository: ""
-  version: 0.1.1
-digest: sha256:a80a1c39cbd48116dca9d4d70da23d00456c4e523914a176355c36f0d73ecd1b
-generated: "2021-05-12T10:32:58.510553+02:00"
+  version: 0.2.0
+digest: sha256:c32c38e295ebe08651a81937858ba920212bd075aa7605189919c20820067e85
+generated: "2021-05-21T10:53:50.045598+02:00"

charts/policy-reporter/Chart.yaml

@@ -5,19 +5,19 @@ description: |
   It creates Prometheus Metrics and can send rule validation events to different targets like Loki, Elasticsearch, Slack or Discord
 
 type: application
-version: 1.6.0
+version: 1.6.1
 appVersion: 1.6.0
 
 dependencies:
   - name: monitoring
     condition: monitoring.enabled
     repository: ""
-    version: "1.1.0"
+    version: "1.2.0"
   - name: ui
     condition: ui.enabled
     repository: ""
-    version: "1.5.0"
+    version: "1.6.0"
   - name: kyvernoPlugin
     condition: kyvernoPlugin.enabled
     repository: ""
-    version: "0.1.1"
+    version: "0.2.0"

charts/policy-reporter/charts/kyvernoPlugin/Chart.yaml

@@ -3,5 +3,5 @@ name: kyvernoPlugin
 description: Policy Reporter Kyverno Plugin
 
 type: application
-version: 0.1.1
+version: 0.2.0
 appVersion: 0.1.1

charts/policy-reporter/charts/kyvernoPlugin/templates/_helpers.tpl

@@ -5,7 +5,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "kyvernoplugin.fullname" -}}
 {{- $name := "kyverno-plugin" }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
+{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
+{{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}

charts/policy-reporter/charts/monitoring/Chart.yaml

@@ -3,5 +3,5 @@ name: monitoring
 description: Policy Reporter Monitoring with predefined ServiceMonitor and Grafana Dashboards
 
 type: application
-version: 1.1.0
+version: 1.2.0
 appVersion: 0.0.0

charts/policy-reporter/charts/monitoring/templates/_helpers.tpl

@@ -5,7 +5,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "monitoring.fullname" -}}
 {{- $name := .Chart.Name }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
+{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
+{{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}

charts/policy-reporter/charts/ui/Chart.yaml

@@ -3,5 +3,5 @@ name: ui
 description: Policy Reporter UI
 
 type: application
-version: 1.5.0
+version: 1.6.0
 appVersion: 0.10.2

charts/policy-reporter/charts/ui/templates/_helpers.tpl

@@ -5,7 +5,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "ui.fullname" -}}
 {{- $name := .Chart.Name }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
+{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
+{{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
@@ -53,3 +55,23 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "ui.kyvernoPluginServiceName" -}}
+{{- $name := "kyverno-plugin" }}
+{{- if .Values.global.fullnameOverride }}
+{{- printf "%s-%s" .Values.global.fullnameOverride $name | trunc 63 | trimSuffix "-" }}
+{{- else if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{- define "ui.policyReportServiceName" -}}
+{{- $name := .Chart.Name }}
+{{- if .Values.global.fullnameOverride }}
+{{- .Values.global.fullnameOverride }}
+{{- else }}
+{{- .Values.global.backend }}
+{{- end }}
+{{- end }}

charts/policy-reporter/charts/ui/templates/deployment.yaml

@@ -42,10 +42,10 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           {{- end }}
           args:
-            - -backend=http://{{ .Values.global.backend }}:{{ .Values.global.port }}
+            - -backend=http://{{ include "ui.policyReportServiceName" . }}:{{ .Values.global.port }}
             - -log-size={{ .Values.log.size }}
             {{- if or .Values.plugins.kyverno .Values.global.plugins.kyverno }}
-            - -kyverno-plugin=http://policy-reporter-kyverno-plugin:8080
+            - -kyverno-plugin=http://{{ include "ui.kyvernoPluginServiceName" . }}:8080
             {{- end }}
           ports:
             - name: http

charts/policy-reporter/templates/_helpers.tpl

@@ -9,7 +9,9 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "policyreporter.fullname" -}}
 {{- $name := .Chart.Name }}
-{{- if contains $name .Release.Name }}
+{{- if .Values.global.fullnameOverride }}
+{{- .Values.global.fullnameOverride }}
+{{- else if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}

charts/policy-reporter/values.yaml

@@ -92,6 +92,7 @@ global:
   backend: policy-reporter
   # Service Port number
   port: 8080
+  fullnameOverride: ""
 
 # DEPRECTED - Can be removed
 # Policy Reporter watches now for both existing versions by default

manifest/README.md

@@ -0,0 +1,50 @@
+# Installation Manifests for Policy Reporter
+
+You can use this manifests to install Policy Reporter without additional tools like Helm or Kustomize. The manifests are structured into three installations.
+
+The installation requires a `policy-reporter` namespace. Because the installation includes RBAC resources which requires a serviceAccountName and a namespace configuration. The default namespace is `policy-reporter`. If this namespace will be created if it does not exist.
+
+## Policy Reporter
+
+The `policy-reporter` folder is the basic installation for Policy Reporter without the UI. Includes a basic Configuration Secret `policy-reporter-targets`, empty by default and the `http://policy-reporter:2112/metrics` Endpoint.
+
+### Installation
+
+```bash
+kubectl apply -f ./manifest/policy-reporter/install.yaml
+```
+
+## Default Policy Reporter UI
+
+The `default-policy-reporter-ui` folder is the extended Policy Reporter and the default Policy Reporter UI installation. 
+
+Enables: 
+* Policy Reporter REST API (`http://policy-reporter:8080`) 
+* Policy Reporter UI Endpoint (`http://policy-reporter-ui:8080`). 
+
+Configures Policy Reporter UI as Target for Policy Reporter.
+
+### Installation
+
+```bash
+kubectl apply -f ./manifest/default-policy-reporter-ui/install.yaml
+```
+
+## Kyverno Policy Reporter UI
+
+The `default-policy-reporter-ui` folder is the extended Policy Reporter, Policy Reporter Kyverno Plugin and the extended Policy Reporter UI installation. 
+
+Enables:
+* Policy Reporter REST API (`http://policy-reporter:8080`)
+* Policy Reporter Metrics API (`http://policy-reporter:2112/metrics`)
+* Kyverno Plugin Rest API (`http://policy-reporter-kyverno-plugin:2112/policies`)
+* Kyverno Plugin Metrics API (`http://policy-reporter-kyverno-plugin:2113/metrics`) 
+* Policy Reporter UI Endpoint (`http://policy-reporter-ui:8080`). 
+
+Configures Policy Reporter UI as Target for Policy Reporter and enables the Kyverno Dashboard.
+
+### Installation
+
+```bash
+kubectl apply -f ./manifest/kyverno-policy-reporter-ui/install.yaml
+```

manifest/default-policy-reporter-ui/install.yaml

@@ -0,0 +1,211 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: policy-reporter
+spec: {}
+status: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: policy-reporter
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: policy-reporter
+roleRef:
+  kind: ClusterRole
+  name: policy-reporter
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: "ServiceAccount"
+  name: policy-reporter
+  namespace: policy-reporter
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: policy-reporter-targets
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+type: Opaque
+data:
+  config.yaml: bG9raToKICBob3N0OiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCmVsYXN0aWNzZWFyY2g6CiAgaG9zdDogIiIKICBpbmRleDogInBvbGljeS1yZXBvcnRlciIKICByb3RhdGlvbjogImRheWxpIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnNsYWNrOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKZGlzY29yZDoKICB3ZWJob29rOiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnRlYW1zOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKdWk6CiAgaG9zdDogaHR0cDovL3BvbGljeS1yZXBvcnRlci11aTo4MDgwCiAgbWluaW11bVByaW9yaXR5OiAid2FybmluZyIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUK
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: policy-reporter-ui
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter-ui
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: policy-reporter-ui
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+spec:
+  type: ClusterIP
+  ports:
+    - port: 2112
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 8080
+      targetPort: rest
+      protocol: TCP
+      name: rest
+  selector:
+    app.kubernetes.io/name: policy-reporter
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-reporter-ui
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter-ui
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: policy-reporter-ui
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: policy-reporter-ui
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: ui
+          image: "fjogeleit/policy-reporter-ui:0.10.2"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - all
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1234
+          args:
+            - -backend=http://policy-reporter:8080
+            - -log-size=200
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: policy-reporter
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: policy-reporter
+        app.kubernetes.io/instance: policy-reporter
+    spec:
+      serviceAccountName: policy-reporter
+      automountServiceAccountToken: true
+      containers:
+        - name: policy-reporter
+          image: "fjogeleit/policy-reporter:1.6.0"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - all
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1234
+          args:
+            - --config=/app/config.yaml
+            - --apiPort=8080
+          ports:
+            - name: http
+              containerPort: 2112
+              protocol: TCP
+            - name: rest
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /metrics
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /metrics
+              port: http
+          resources:
+            {}
+          volumeMounts:
+          - name: config-file
+            mountPath: /app/config.yaml
+            subPath: config.yaml
+          env:
+          - name: NAMESPACE
+            value: policy-reporter
+      volumes:
+      - name: config-file
+        secret:
+          secretName: policy-reporter-targets
+          optional: true

manifest/kyverno-policy-reporter-ui/install.yaml

@@ -0,0 +1,333 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: policy-reporter
+spec: {}
+status: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: policy-reporter
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: policy-reporter
+roleRef:
+  kind: ClusterRole
+  name: policy-reporter
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: "ServiceAccount"
+  name: policy-reporter
+  namespace: policy-reporter
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: policy-reporter-kyverno-plugin
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: kyverno-plugin
+    app.kubernetes.io/instance: policy-reporter
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: policy-reporter-targets
+  namespace: policy-reporter
+  labels:
+    helm.sh/chart: policy-reporter-1.6.0
+    app.kubernetes.io/name: policy-reporter
+    app.kubernetes.io/instance: policy-reporter
+    app.kubernetes.io/version: "1.6.0"
+    app.kubernetes.io/managed-by: Helm
+type: Opaque
+data:
+  config.yaml: bG9raToKICBob3N0OiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCmVsYXN0aWNzZWFyY2g6CiAgaG9zdDogIiIKICBpbmRleDogInBvbGljeS1yZXBvcnRlciIKICByb3RhdGlvbjogImRheWxpIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnNsYWNrOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKZGlzY29yZDoKICB3ZWJob29rOiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnRlYW1zOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKdWk6CiAgaG9zdDogaHR0cDovL3BvbGljeS1yZXBvcnRlci11aTo4MDgwCiAgbWluaW11bVByaW9yaXR5OiAid2FybmluZyIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUK
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: policy-reporter-kyverno-plugin
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - policies
+  - policies/status
+  - clusterpolicies
+  - clusterpolicies/status
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: policy-reporter-kyverno-plugin
+roleRef:
+  kind: ClusterRole
+  name: policy-reporter-kyverno-plugin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: "ServiceAccount"
+  name: policy-reporter-kyverno-plugin
+  namespace: policy-reporter
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: policy-reporter-kyverno-plugin
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: kyverno-plugin
+    app.kubernetes.io/instance: policy-reporter
+spec:
+  type: ClusterIP
+  ports:
+    - port: 2113
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 8080
+      targetPort: rest
+      protocol: TCP
+      name: rest
+  selector:
+    app.kubernetes.io/name: kyverno-plugin
+    app.kubernetes.io/instance: policy-reporter
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: policy-reporter-ui
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter-ui
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: policy-reporter-ui
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+spec:
+  type: ClusterIP
+  ports:
+    - port: 2112
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 8080
+      targetPort: rest
+      protocol: TCP
+      name: rest
+  selector:
+    app.kubernetes.io/name: policy-reporter
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-reporter-kyverno-plugin
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: kyverno-plugin
+    app.kubernetes.io/instance: policy-reporter
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kyverno-plugin
+      app.kubernetes.io/instance: policy-reporter
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: kyverno-plugin
+        app.kubernetes.io/instance: policy-reporter
+    spec:
+      serviceAccountName: policy-reporter-kyverno-plugin
+      automountServiceAccountToken: true
+      containers:
+        - name: "kyverno-plugin"
+          image: "fjogeleit/policy-reporter-kyverno-plugin:0.1.1"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - all
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1234
+          args:
+            - --apiPort=8080
+          ports:
+            - name: http
+              containerPort: 2113
+              protocol: TCP
+            - name: rest
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /policies
+              port: rest
+          readinessProbe:
+            httpGet:
+              path: /policies
+              port: rest
+          resources:
+            {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-reporter-ui
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter-ui
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: policy-reporter-ui
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: policy-reporter-ui
+    spec:
+      containers:
+        - name: ui
+          image: "fjogeleit/policy-reporter-ui:0.10.2"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - all
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1234
+          args:
+            - -backend=http://policy-reporter:8080
+            - -log-size=200
+            - -kyverno-plugin=http://policy-reporter-kyverno-plugin:8080
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: policy-reporter
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: policy-reporter
+    spec:
+      serviceAccountName: policy-reporter
+      automountServiceAccountToken: true
+      containers:
+        - name: policy-reporter
+          image: "fjogeleit/policy-reporter:1.6.0"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - all
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1234
+          args:
+            - --config=/app/config.yaml
+            - --apiPort=8080
+          ports:
+            - name: http
+              containerPort: 2112
+              protocol: TCP
+            - name: rest
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /metrics
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /metrics
+              port: http
+          resources:
+            {}
+          volumeMounts:
+          - name: config-file
+            mountPath: /app/config.yaml
+            subPath: config.yaml
+          env:
+          - name: NAMESPACE
+            value: policy-reporter
+      volumes:
+      - name: config-file
+        secret:
+          secretName: policy-reporter-targets
+          optional: true

manifest/policy-reporter/install.yaml

@@ -0,0 +1,136 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: policy-reporter
+spec: {}
+status: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: policy-reporter-targets
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+type: Opaque
+data:
+  config.yaml: bG9raToKICBob3N0OiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCmVsYXN0aWNzZWFyY2g6CiAgaG9zdDogIiIKICBpbmRleDogInBvbGljeS1yZXBvcnRlciIKICByb3RhdGlvbjogImRheWxpIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnNsYWNrOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKZGlzY29yZDoKICB3ZWJob29rOiAiIgogIG1pbmltdW1Qcmlvcml0eTogIiIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUKCnRlYW1zOgogIHdlYmhvb2s6ICIiCiAgbWluaW11bVByaW9yaXR5OiAiIgogIHNraXBFeGlzdGluZ09uU3RhcnR1cDogdHJ1ZQoKdWk6CiAgaG9zdDogCiAgbWluaW11bVByaW9yaXR5OiAid2FybmluZyIKICBza2lwRXhpc3RpbmdPblN0YXJ0dXA6IHRydWUK
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: policy-reporter
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - policyreports
+  - policyreports/status
+  - clusterpolicyreports
+  - clusterpolicyreports/status
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: policy-reporter
+roleRef:
+  kind: ClusterRole
+  name: policy-reporter
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: "ServiceAccount"
+  name: policy-reporter
+  namespace: policy-reporter
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+spec:
+  type: ClusterIP
+  ports:
+    - port: 2112
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: policy-reporter
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: policy-reporter
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: policy-reporter
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: policy-reporter
+    spec:
+      serviceAccountName: policy-reporter
+      automountServiceAccountToken: true
+      containers:
+        - name: policy-reporter
+          image: "fjogeleit/policy-reporter:1.6.0"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - all
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1234
+          args:
+            - --config=/app/config.yaml
+          ports:
+            - name: http
+              containerPort: 2112
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /metrics
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /metrics
+              port: http
+          resources:
+            {}
+          volumeMounts:
+          - name: config-file
+            mountPath: /app/config.yaml
+            subPath: config.yaml
+          env:
+          - name: NAMESPACE
+            value: policy-reporter
+      volumes:
+      - name: config-file
+        secret:
+          secretName: policy-reporter-targets
+          optional: true