Update manifests

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
kyverno · Sep 10, 2023 · b5926d7 · b5926d7
1 parent 8fc593e
commit b5926d7
Show file tree

Hide file tree

Showing 7 changed files with 391 additions and 111 deletions.
diff --git a/manifest/README.md b/manifest/README.md
@@ -86,97 +86,7 @@ See `complete-ha/README.md` for details about the used configuration values.
 
 ## Policy Reporter Configuration
 
-To configure policy-reporter, for example your notification targets, create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and the following structure as value:
-
-```yaml
-priorityMap: {}
-
-loki:
-  host: ""
-  minimumPriority: ""
-  skipExistingOnStartup: true
-  customLabels: {}
-  sources: []
-  channels: []
-
-elasticsearch:
-  host: ""
-  index: "policy-reporter"
-  rotation: "daily"
-  minimumPriority: ""
-  skipExistingOnStartup: true
-  sources: []
-  channels: []
-
-slack:
-  webhook: ""
-  minimumPriority: ""
-  skipExistingOnStartup: true
-  sources: []
-  channels: []
-
-discord:
-  webhook: ""
-  minimumPriority: ""
-  skipExistingOnStartup: true
-  sources: []
-  channels: []
-
-teams:
-  webhook: ""
-  minimumPriority: ""
-  skipExistingOnStartup: true
-  sources: []
-  channels: []
-
-ui:
-  host: ""
-  minimumPriority: ""
-  skipExistingOnStartup: true
-  sources: []
-
-webhook:
-  host: ""
-  headers: {}
-  minimumPriority: ""
-  skipExistingOnStartup: true
-  sources: []
-  channels: []
-
-s3:
-  endpoint: ""
-  region: ""
-  bucket: ""
-  secretAccessKey: ""
-  accessKeyID: ""
-  minimumPriority: "warning"
-  skipExistingOnStartup: true
-  sources: []
-  channels: []
-
-reportFilter:
-  namespaces:
-    include: []
-    exclucde: []
-  clusterReports:
-    disabled: false
-
-# optional external result caching
-redis:
-  enabled: false
-  address: ""
-  database: 0
-  prefix: "policy-reporter"
-  username: ""
-  password: ""
-
-leaderElection:
-  enabled: false
-  releaseOnCancel: true
-  leaseDuration: 15
-  renewDeadline: 10
-  retryPeriod: 2
-```
+To configure policy-reporter, for example your notification targets, create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and and valid [Policy Reporter configuration](https://kyverno.github.io/policy-reporter/core/config-reference) as value.
 
 The `kyverno-policy-reporter-ui` and `default-policy-reporter-ui` installation has an optional preconfigured `target-security.yaml` to apply. This secret configures the Policy Reporter UI as target for Policy Reporter.
 

diff --git a/manifest/policy-reporter-kyverno-ui-ha/install.yaml b/manifest/policy-reporter-kyverno-ui-ha/install.yaml
@@ -9,6 +9,37 @@ metadata:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: policy-reporter
+  name: policy-reporter-secret-reader
+  namespace: policy-reporter
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: policy-reporter
+  name: policy-reporter-secret-reader
+  namespace: policy-reporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: policy-reporter-secret-reader
+subjects:
+- kind: ServiceAccount
+  name: policy-reporter
+  namespace: policy-reporter
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: policy-reporter-leaderelection
 rules:
@@ -79,6 +110,37 @@ metadata:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: policy-reporter
+  name: policy-reporter-kyverno-plugin-secret-reader
+  namespace: policy-reporter
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: policy-reporter
+  name: policy-reporter-kyverno-plugin-secret-reader
+  namespace: policy-reporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: policy-reporter-kyverno-plugin-secret-reader
+subjects:
+- kind: ServiceAccount
+  name: policy-reporter-kyverno-plugin
+  namespace: policy-reporter
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: policy-reporter-kyverno-plugin-leaderelection
 rules:
@@ -159,6 +221,45 @@ subjects:
   namespace: policy-reporter
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: policy-reporter-ui
+  namespace: policy-reporter
+  labels:
+    app.kubernetes.io/name: policy-reporter
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: policy-reporter
+  name: policy-reporter-ui-secret-reader
+  namespace: policy-reporter
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: policy-reporter
+  name: policy-reporter-ui-secret-reader
+  namespace: policy-reporter
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: policy-reporter-ui-secret-reader
+subjects:
+- kind: ServiceAccount
+  name: policy-reporter-ui
+  namespace: policy-reporter
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: policy-reporter-kyverno-plugin
@@ -238,7 +339,7 @@ spec:
       automountServiceAccountToken: true
       containers:
         - name: "kyverno-plugin"
-          image: "ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.5.1"
+          image: "ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.6.0"
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false
@@ -306,9 +407,11 @@ spec:
         app.kubernetes.io/name: policy-reporter-ui
         app.kubernetes.io/instance: policy-reporter
     spec:
+      serviceAccountName: policy-reporter-ui
+      automountServiceAccountToken: true
       containers:
         - name: ui
-          image: "ghcr.io/kyverno/policy-reporter-ui:1.8.4"
+          image: "ghcr.io/kyverno/policy-reporter-ui:1.9.0"
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false
@@ -337,6 +440,11 @@ spec:
               path: /
               port: http
           resources: {}
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
           volumeMounts:
           - name: config-file
             mountPath: /app/config.yaml
@@ -372,7 +480,7 @@ spec:
         fsGroup: 1234
       containers:
         - name: policy-reporter
-          image: "ghcr.io/kyverno/policy-reporter:2.15.2"
+          image: "ghcr.io/kyverno/policy-reporter:2.16.0"
           imagePullPolicy: IfNotPresent
           securityContext:
             allowPrivilegeEscalation: false