mirror of
https://github.com/kyverno/policy-reporter.git
synced 2024-12-14 11:57:32 +00:00
134 lines
7.1 KiB
Markdown
134 lines
7.1 KiB
Markdown
# Installation Manifests for Policy Reporter
|
|
|
|
You can use this manifests to install Policy Reporter without additional tools like Helm or Kustomize. The manifests are structured into five installations.
|
|
|
|
The installation requires a `policy-reporter` namespace. Because the installation includes RBAC resources which requires a serviceAccountName and a namespace configuration. The default namespace is `policy-reporter`. This namespace will be created if it does not exist.
|
|
|
|
## Policy Reporter
|
|
|
|
The `policy-reporter` folder is the basic installation for Policy Reporter without the UI or other components. Includes a basic Configuration Secret `policy-reporter-targets`, empty by default and the `http://policy-reporter:8080/metrics` Endpoint.
|
|
|
|
### Installation
|
|
|
|
```bash
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter/namespace.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter/install.yaml
|
|
```
|
|
|
|
## Policy Reporter + UI
|
|
|
|
The `policy-reporter-ui` contains manifests for Policy Reporter and the Policy Reporter UI.
|
|
|
|
Enables:
|
|
* Policy Reporter REST API (`http://policy-reporter:8080`)
|
|
* Policy Reporter UI Endpoint (`http://policy-reporter-ui:8080`).
|
|
|
|
Configures Policy Reporter UI as Target for Policy Reporter.
|
|
|
|
### Installation
|
|
|
|
```bash
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-ui/namespace.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-ui/target-secret.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-ui/install.yaml
|
|
```
|
|
|
|
## Policy Reporter + KyvernoPlugin + UI
|
|
|
|
The `policy-reporter-kyverno-ui` contains manifests for Policy Reporter, Policy Reporter Kyverno Plugin and Policy Reporter UI.
|
|
|
|
Enables:
|
|
* Policy Reporter REST API (`http://policy-reporter:8080`)
|
|
* Policy Reporter Metrics API (`http://policy-reporter:8080/metrics`)
|
|
* Kyverno Plugin Rest API (`http://policy-reporter-kyverno-plugin:8080/policies`)
|
|
* Kyverno Plugin Metrics API (`http://policy-reporter-kyverno-plugin:8080/metrics`)
|
|
* Policy Reporter UI Endpoint (`http://policy-reporter-ui:8080`).
|
|
|
|
Configures Policy Reporter UI as Target for Policy Reporter and enables the Kyverno Dashboard.
|
|
|
|
### Installation
|
|
|
|
```bash
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui/namespace.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui/target-secret.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui/install.yaml
|
|
```
|
|
|
|
## High Available Policy Reporter + KyvernoPlugin + UI
|
|
|
|
The `policy-reporter-kyverno-ui-ha` contains a high available setup for Policy Reporter, Policy Reporter Kyverno Plugin and Policy Reporter UI, it enabled leaderelection and uses redis as a external and central storage for shared caches and Logs (UI)
|
|
|
|
Enables:
|
|
* Policy Reporter REST API (`http://policy-reporter:8080`)
|
|
* Policy Reporter Metrics API (`http://policy-reporter:8080/metrics`)
|
|
* Kyverno Plugin Rest API (`http://policy-reporter-kyverno-plugin:8080/policies`)
|
|
* Kyverno Plugin Metrics API (`http://policy-reporter-kyverno-plugin:8080/metrics`)
|
|
* Kyverno Plugin PolicyReport creation for blocked resources (by __Kyverno__ enforce policies)
|
|
* Policy Reporter UI Endpoint (`http://policy-reporter-ui:8080`).
|
|
|
|
Additional resources:
|
|
* `PodDisruptionBudget` for each component
|
|
* `Role` and `RoleBinding` for Policy Reporter and the KyvernoPlugin to manage Lease resources for leaderelection
|
|
* Basic `Redis`, used as central and external cache for Policy Reporter and as central Log storage for Policy Reporter UI
|
|
|
|
### Installation
|
|
|
|
```bash
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui-ha/namespace.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui-ha/config-core.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui-ha/config-ui.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui-ha/config-kyverno-plugin.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui-ha/redis.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/policy-reporter-kyverno-ui-ha/install.yaml
|
|
```
|
|
|
|
See `complete-ha/README.md` for details about the used configuration values.
|
|
|
|
## Policy Reporter Configuration
|
|
|
|
To configure policy-reporter, for example your notification targets, create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and and valid [Policy Reporter configuration](https://kyverno.github.io/policy-reporter/core/config-reference) as value.
|
|
|
|
The `kyverno-policy-reporter-ui` and `default-policy-reporter-ui` installation has an optional preconfigured `target-security.yaml` to apply. This secret configures the Policy Reporter UI as target for Policy Reporter.
|
|
|
|
When you change the secret while Policy Reporter is already running, you have to delete the current `policy-reporter` Pod.
|
|
|
|
## Policy Reporter Summary Email Report
|
|
|
|
The `violations-email-report` folder can be used to install Policy Reporter only for the matter of sending E-Mail Summary Reports. You can install the Email Summary Report without the requirement of the Policy Reporter core application. If you already have Policy Reporter installed, you can just apply `config-secret.yaml` and `cronjob.yaml` to add the email report feature. It will reuse the existing `ServiceAccount` and `Namespace`.
|
|
|
|
### Installation
|
|
|
|
```bash
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/violations-email-report/namespace.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/violations-email-report/config-secret.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/violations-email-report/serviceaccount.yaml
|
|
kubectl apply -f https://raw.githubusercontent.com/kyverno/policy-reporter/main/manifest/violations-email-report/cronjob.yaml
|
|
```
|
|
|
|
### Configuration
|
|
|
|
To configure your SMTP server and receiver emails use the following configuration template and replace the `config.yaml` value of `config-secret.yaml` with your base64 encoded configuration.
|
|
|
|
```yaml
|
|
emailReports:
|
|
clusterName: '' # optional clustername shown in the Report
|
|
titlePrefix: 'Report' # title prefix in the email subject
|
|
smtp:
|
|
host: ''
|
|
port: 465
|
|
username: ''
|
|
password: ''
|
|
from: '' # from E-Mail address
|
|
encryption: '' # default is none, supports ssl/tls and starttls
|
|
violations:
|
|
to: []
|
|
filter:
|
|
disableClusterReports: false # remove ClusterPolicyResults from Reports
|
|
namespaces:
|
|
include: []
|
|
exclude: []
|
|
sources:
|
|
include: []
|
|
exclude: []
|
|
channels: []
|
|
```
|