mirror of
https://github.com/kyverno/policy-reporter.git
synced 2024-12-14 11:57:32 +00:00
78f24497fa
Policy Reporter v3 Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
144 lines
2.7 KiB
Markdown
144 lines
2.7 KiB
Markdown
# Demo Instructions
|
|
|
|
## Kind Cluster
|
|
|
|
```bash
|
|
make kind-create-cluster
|
|
```
|
|
|
|
## Kyverno
|
|
|
|
### Add Repository
|
|
|
|
```bash
|
|
helm repo add kyverno https://kyverno.github.io/kyverno
|
|
```
|
|
|
|
### Install
|
|
|
|
```bash
|
|
helm upgrade --install kyverno kyverno/kyverno -n kyverno --create-namespace
|
|
helm upgrade --install kyverno-policies kyverno/kyverno-policies --set podSecurityStandard=restricted
|
|
```
|
|
|
|
## Falco
|
|
|
|
### Add Repository
|
|
|
|
```bash
|
|
helm repo add falcosecurity https://falcosecurity.github.io/charts
|
|
```
|
|
|
|
### Install
|
|
|
|
```bash
|
|
helm upgrade --install falco falcosecurity/falco --set falcosidekick.enabled=true --set falcosidekick.config.policyreport.enabled=true --set falcosidekick.image.tag=latest --namespace falco --create-namespace
|
|
```
|
|
|
|
## Trivy Operator
|
|
|
|
### Add Repository
|
|
|
|
```bash
|
|
helm repo add aqua https://aquasecurity.github.io/helm-charts/
|
|
helm repo add trivy-operator-polr-adapter https://fjogeleit.github.io/trivy-operator-polr-adapter
|
|
```
|
|
|
|
### Install
|
|
|
|
```bash
|
|
helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system --create-namespace --set="trivy.ignoreUnfixed=true"
|
|
helm upgrade --install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-system
|
|
```
|
|
|
|
## Policy Reporter
|
|
|
|
### Add Repository
|
|
|
|
```bash
|
|
helm repo add policy-reporter https://kyverno.github.io/policy-reporter
|
|
```
|
|
|
|
### Install
|
|
|
|
#### Slack Secret
|
|
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: webhook-secret
|
|
namespace: policy-reporter
|
|
type: Opaque
|
|
data:
|
|
webhook: aHR0cHM6Ly9ob29rcy5z...
|
|
```
|
|
|
|
#### Values
|
|
|
|
```yaml
|
|
plugin:
|
|
kyverno:
|
|
enabled: true
|
|
|
|
trivy:
|
|
enabled: true
|
|
|
|
ui:
|
|
enabled: true
|
|
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/rewrite-target: /$1
|
|
className: nginx
|
|
hosts:
|
|
- host: localhost
|
|
paths:
|
|
- path: "/ui/(.*)"
|
|
pathType: ImplementationSpecific
|
|
|
|
sources:
|
|
- name: Trivy ConfigAudit
|
|
type: severity
|
|
excludes:
|
|
results:
|
|
- pass
|
|
- error
|
|
|
|
- name: Trivy Vulnerability
|
|
type: severity
|
|
excludes:
|
|
results:
|
|
- pass
|
|
- error
|
|
|
|
- name: Falco
|
|
excludes:
|
|
results:
|
|
- pass
|
|
- skip
|
|
|
|
target:
|
|
slack:
|
|
name: Kyverno Channel
|
|
channel: kyverno
|
|
secretRef: webhook-secret
|
|
minimumSeverity: warning
|
|
skipExistingOnStartup: true
|
|
sources: [kyverno]
|
|
filter:
|
|
namespaces:
|
|
exclude: ['trivy-system']
|
|
channels:
|
|
- name: Trivy Operator
|
|
channel: trivy-operator
|
|
sources: [Trivy Vulnerability]
|
|
filter:
|
|
namespaces:
|
|
exclude: ['trivy-system']
|
|
```
|
|
|
|
```bash
|
|
helm upgrade --install policy-reporter policy-reporter/policy-reporter --create-namespace -n policy-reporter -f values.yaml --devel
|
|
```
|