diff --git a/manifest/README.md b/manifest/README.md index 8ac0ba1b..86d19700 100644 --- a/manifest/README.md +++ b/manifest/README.md 
@@ -86,97 +86,7 @@ See `complete-ha/README.md` for details about the used configuration values. ## Policy Reporter Configuration -To configure policy-reporter, for example your notification targets, create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and the following structure as value: - -```yaml -priorityMap: {} - -loki: - host: "" - minimumPriority: "" - skipExistingOnStartup: true - customLabels: {} - sources: [] - channels: [] - -elasticsearch: - host: "" - index: "policy-reporter" - rotation: "daily" - minimumPriority: "" - skipExistingOnStartup: true - sources: [] - channels: [] - -slack: - webhook: "" - minimumPriority: "" - skipExistingOnStartup: true - sources: [] - channels: [] - -discord: - webhook: "" - minimumPriority: "" - skipExistingOnStartup: true - sources: [] - channels: [] - -teams: - webhook: "" - minimumPriority: "" - skipExistingOnStartup: true - sources: [] - channels: [] - -ui: - host: "" - minimumPriority: "" - skipExistingOnStartup: true - sources: [] - -webhook: - host: "" - headers: {} - minimumPriority: "" - skipExistingOnStartup: true - sources: [] - channels: [] - -s3: - endpoint: "" - region: "" - bucket: "" - secretAccessKey: "" - accessKeyID: "" - minimumPriority: "warning" - skipExistingOnStartup: true - sources: [] - channels: [] - -reportFilter: - namespaces: - include: [] - exclucde: [] - clusterReports: - disabled: false - -# optional external result caching -redis: - enabled: false - address: "" - database: 0 - prefix: "policy-reporter" - username: "" - password: "" - -leaderElection: - enabled: false - releaseOnCancel: true - leaseDuration: 15 - renewDeadline: 10 - retryPeriod: 2 -``` +To configure policy-reporter, for example your notification targets, create a secret called `policy-reporter-targets` in the `policy-reporter` namespace with an key `config.yaml` as key and and valid [Policy Reporter 
configuration](https://kyverno.github.io/policy-reporter/core/config-reference) as value. The `kyverno-policy-reporter-ui` and `default-policy-reporter-ui` installation has an optional preconfigured `target-security.yaml` to apply. This secret configures the Policy Reporter UI as target for Policy Reporter. diff --git a/manifest/policy-reporter-kyverno-ui-ha/install.yaml b/manifest/policy-reporter-kyverno-ui-ha/install.yaml index 874cbeba..1a4e3340 100644 --- a/manifest/policy-reporter-kyverno-ui-ha/install.yaml +++ b/manifest/policy-reporter-kyverno-ui-ha/install.yaml @@ -9,6 +9,37 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter + namespace: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: policy-reporter-leaderelection rules: 
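Review bot: The new `policy-reporter-secret-reader` Role in the `@@ -9,6 +9,37 @@` hunk grants `get` on every Secret in the `policy-reporter` namespace, while the README changed in this same commit says the reporter reads one secret named `policy-reporter-targets`. If that name is fixed for this manifest, scope the rule with `resourceNames: ["policy-reporter-targets"]` under the `secrets` resource so a compromised reporter pod cannot read other secrets co-located in the namespace. `get` without `list`/`watch` already prevents enumeration, but any secret whose name is known or guessable remains readable. If the 2.16.0 reporter instead resolves arbitrary secret references from the target config, keep the rule as is and record that with a comment above the Role, e.g. `# unrestricted get: target config may reference any Secret in this namespace`.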
@@ -79,6 +110,37 @@ metadata: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-kyverno-plugin-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-kyverno-plugin-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-kyverno-plugin-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter-kyverno-plugin + namespace: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: policy-reporter-kyverno-plugin-leaderelection rules: @@ -159,6 +221,45 @@ subjects: namespace: policy-reporter --- apiVersion: v1 +kind: ServiceAccount +metadata: + name: policy-reporter-ui + namespace: policy-reporter + labels: + app.kubernetes.io/name: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-ui-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-ui-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-ui-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter-ui + namespace: policy-reporter +--- +apiVersion: v1 kind: Service metadata: name: policy-reporter-kyverno-plugin 
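Review bot: The `policy-reporter-ui` ServiceAccount and its `policy-reporter-ui-secret-reader` Role in hunk `@@ -159,6 +221,45 @@` give the web UI, the most exposed component in this namespace, read access to every Secret there, including the reporter's target secret that the README describes as carrying webhook URLs and credentials. A request-forgery or code-execution bug in the UI would then expose the reporter's notification credentials rather than only the UI's own configuration. Restrict the rule with `resourceNames` to the secret(s) the UI actually reads, or keep the UI's secrets in a namespace separate from the reporter's if the name is not fixed. Which secret the 1.9.0 UI reads is not visible in this diff, so the exact `resourceNames` value needs confirming against the UI's configuration reference.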
@@ -238,7 +339,7 @@ spec: automountServiceAccountToken: true containers: - name: "kyverno-plugin" - image: "ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.5.1" + image: "ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.6.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -306,9 +407,11 @@ spec: app.kubernetes.io/name: policy-reporter-ui app.kubernetes.io/instance: policy-reporter spec: + serviceAccountName: policy-reporter-ui + automountServiceAccountToken: true containers: - name: ui - image: "ghcr.io/kyverno/policy-reporter-ui:1.8.4" + image: "ghcr.io/kyverno/policy-reporter-ui:1.9.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -337,6 +440,11 @@ spec: path: / port: http resources: {} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumeMounts: - name: config-file mountPath: /app/config.yaml @@ -372,7 +480,7 @@ spec: fsGroup: 1234 containers: - name: policy-reporter - image: "ghcr.io/kyverno/policy-reporter:2.15.2" + image: "ghcr.io/kyverno/policy-reporter:2.16.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false diff --git a/manifest/policy-reporter-kyverno-ui/install.yaml b/manifest/policy-reporter-kyverno-ui/install.yaml index 76afda07..142aa803 100644 --- a/manifest/policy-reporter-kyverno-ui/install.yaml +++ b/manifest/policy-reporter-kyverno-ui/install.yaml 
@@ -8,6 +8,37 @@ metadata: app.kubernetes.io/name: policy-reporter --- apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter + namespace: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: @@ -49,6 +80,37 @@ metadata: app.kubernetes.io/instance: policy-reporter --- apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-kyverno-plugin-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-kyverno-plugin-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-kyverno-plugin-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter-kyverno-plugin + namespace: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: 
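Review bot: The `policy-reporter-kyverno-plugin-secret-reader` Role in hunk `@@ -49,6 +80,37 @@` grants the plugin `get` on all Secrets in the namespace, but nothing else in this commit shows the plugin consuming a secret: unlike the reporter and UI Deployments, the plugin Deployment only receives an image bump and no `POD_NAMESPACE` env. If the 1.6.0 plugin does not read secrets, drop this Role and RoleBinding rather than carry an unused secret-read grant on a third ServiceAccount. If it does, add a comment above the Role naming the secret it reads and why, and narrow the rule with `resourceNames` to that secret. This is inferred from what is visible in the diff; the plugin's own configuration reference should settle it.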
@@ -81,6 +143,45 @@ subjects: namespace: policy-reporter --- apiVersion: v1 +kind: ServiceAccount +metadata: + name: policy-reporter-ui + namespace: policy-reporter + labels: + app.kubernetes.io/name: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-ui-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-ui-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-ui-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter-ui + namespace: policy-reporter +--- +apiVersion: v1 kind: Service metadata: name: policy-reporter-kyverno-plugin @@ -119,7 +220,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: policy-reporter + name: policy-reporter-ui namespace: policy-reporter labels: app.kubernetes.io/name: policy-reporter @@ -158,7 +259,7 @@ spec: automountServiceAccountToken: true containers: - name: "kyverno-plugin" - image: "ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.5.1" + image: "ghcr.io/kyverno/policy-reporter-kyverno-plugin:1.6.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -183,8 +284,7 @@ spec: httpGet: path: /policies port: http - resources: - {} + resources: {} --- apiVersion: apps/v1 kind: Deployment @@ -204,9 +304,11 @@ spec: labels: app.kubernetes.io/name: policy-reporter-ui spec: + serviceAccountName: policy-reporter-ui + automountServiceAccountToken: true containers: - name: ui - image: "ghcr.io/kyverno/policy-reporter-ui:1.8.4" + image: "ghcr.io/kyverno/policy-reporter-ui:1.9.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false 
@@ -235,6 +337,11 @@ spec: port: http resources: {} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace --- apiVersion: apps/v1 kind: Deployment @@ -260,7 +367,7 @@ spec: fsGroup: 1234 containers: - name: policy-reporter - image: "ghcr.io/kyverno/policy-reporter:2.15.2" + image: "ghcr.io/kyverno/policy-reporter:2.16.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -289,6 +396,11 @@ spec: port: http resources: {} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumeMounts: - name: sqlite mountPath: /sqlite diff --git a/manifest/policy-reporter-ui/install.yaml b/manifest/policy-reporter-ui/install.yaml index e6b7f1ce..750a32bc 100644 --- a/manifest/policy-reporter-ui/install.yaml +++ b/manifest/policy-reporter-ui/install.yaml @@ -8,6 +8,37 @@ metadata: app.kubernetes.io/name: policy-reporter --- apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter + namespace: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: 
@@ -40,6 +71,45 @@ subjects: namespace: policy-reporter --- apiVersion: v1 +kind: ServiceAccount +metadata: + name: policy-reporter-ui + namespace: policy-reporter + labels: + app.kubernetes.io/name: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-ui-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-ui-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-ui-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter-ui + namespace: policy-reporter +--- +apiVersion: v1 kind: Service metadata: name: policy-reporter-ui @@ -91,10 +161,11 @@ spec: labels: app.kubernetes.io/name: policy-reporter-ui spec: - automountServiceAccountToken: false + serviceAccountName: policy-reporter-ui + automountServiceAccountToken: true containers: - name: ui - image: "ghcr.io/kyverno/policy-reporter-ui:1.8.4" + image: "ghcr.io/kyverno/policy-reporter-ui:1.9.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -120,8 +191,12 @@ spec: httpGet: path: / port: http - resources: - {} + resources: {} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace --- apiVersion: apps/v1 kind: Deployment @@ -148,7 +223,7 @@ spec: fsGroup: 1234 containers: - name: policy-reporter - image: "ghcr.io/kyverno/policy-reporter:2.15.2" + image: "ghcr.io/kyverno/policy-reporter:2.16.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false 
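Review bot: Hunk `@@ -91,10 +161,11 @@` reverts an explicit hardening, `automountServiceAccountToken: false` on the UI pod, to `true` and binds the pod to a ServiceAccount that can read Secrets in the namespace. The UI is the HTTP-facing component, so this turns any SSRF or RCE in it into API-server credentials with secret read. If the UI only needs the token for its own configuration secret, scope the Role with `resourceNames` and document the reason for the flip with a comment such as `# token required: UI 1.9.0 reads its target config from a Secret in this namespace` so the setting is not re-hardened without understanding the dependency. Whether 1.9.0 strictly needs in-cluster API access is not visible here; if the configuration could instead be mounted as a volume, that would avoid the token entirely.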
@@ -175,8 +250,12 @@ spec: httpGet: path: /ready port: http - resources: - {} + resources: {} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumeMounts: - name: sqlite mountPath: /sqlite diff --git a/manifest/policy-reporter/install.yaml b/manifest/policy-reporter/install.yaml index 94e4f461..b3d2697f 100644 --- a/manifest/policy-reporter/install.yaml +++ b/manifest/policy-reporter/install.yaml @@ -8,6 +8,37 @@ metadata: app.kubernetes.io/name: policy-reporter --- apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter + namespace: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: @@ -82,7 +113,7 @@ spec: automountServiceAccountToken: true containers: - name: policy-reporter - image: "ghcr.io/kyverno/policy-reporter:2.15.2" + image: "ghcr.io/kyverno/policy-reporter:2.16.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -108,8 +139,12 @@ spec: httpGet: path: /ready port: http - resources: - {} + resources: {} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumeMounts: - name: config-file mountPath: /app/config.yaml diff --git a/manifest/violations-email-report/cronjob.yaml b/manifest/violations-email-report/cronjob.yaml index 34bf9de7..46b5bdab 100644 --- a/manifest/violations-email-report/cronjob.yaml +++ b/manifest/violations-email-report/cronjob.yaml 
@@ -26,7 +26,7 @@ spec: restartPolicy: Never containers: - name: policy-reporter - image: "ghcr.io/kyverno/policy-reporter:2.15.2" + image: "ghcr.io/kyverno/policy-reporter:2.16.0" imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false @@ -46,6 +46,11 @@ spec: args: - --config=/app/config.yaml - --template-dir=/app/templates + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumeMounts: - name: config-file mountPath: /app/config.yaml diff --git a/manifest/violations-email-report/serviceaccount.yaml b/manifest/violations-email-report/serviceaccount.yaml index 061caa6f..fce638ab 100644 --- a/manifest/violations-email-report/serviceaccount.yaml +++ b/manifest/violations-email-report/serviceaccount.yaml @@ -38,3 +38,34 @@ subjects: - kind: "ServiceAccount" name: policy-reporter namespace: policy-reporter +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: policy-reporter + name: policy-reporter-secret-reader + namespace: policy-reporter +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: policy-reporter-secret-reader +subjects: +- kind: ServiceAccount + name: policy-reporter + namespace: policy-reporter
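Review bot: The Role and RoleBinding appended to `serviceaccount.yaml` in hunk `@@ -38,3 +38,34 @@` reuse the exact names `policy-reporter-secret-reader` in namespace `policy-reporter` that `manifest/policy-reporter/install.yaml` also creates in this commit, bound to the same `policy-reporter` ServiceAccount. Applying both manifests to one cluster makes the two definitions overwrite each other, and deleting either manifest removes the secret-read grant the other one still relies on. Give the CronJob variant its own name, e.g. `name: policy-reporter-email-secret-reader` on both objects with `roleRef.name` updated to match, or state in the README that the two manifests are mutually exclusive. As with the other installs, `get` on all Secrets can be narrowed with `resourceNames` once the secret the report job reads is fixed.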