Skip to content

Commit

Permalink
Merge pull request #137 from nirmata/NDEV-19725-1.10
Browse files Browse the repository at this point in the history
NDEV-19725 (fix): default wildcard cluserrole assignment for n4k-1.10
  • Loading branch information
VedRatan authored Jul 24, 2024
2 parents 3d4e643 + ec2098a commit 4dd9ea7
Show file tree
Hide file tree
Showing 27 changed files with 28,289 additions and 36,226 deletions.
6 changes: 3 additions & 3 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ TOOLS_DIR := $(PWD)/.tools
KIND := $(TOOLS_DIR)/kind
KIND_VERSION := v0.17.0
CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen
CONTROLLER_GEN_VERSION := v0.11.3
CONTROLLER_GEN_VERSION ?= v0.14.0
CLIENT_GEN := $(TOOLS_DIR)/client-gen
LISTER_GEN := $(TOOLS_DIR)/lister-gen
INFORMER_GEN := $(TOOLS_DIR)/informer-gen
Expand Down Expand Up @@ -426,12 +426,12 @@ codegen-client-all: codegen-client-clientset codegen-client-listers codegen-clie
.PHONY: codegen-crds-kyverno
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
@echo Generate kyverno crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
@$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)

.PHONY: codegen-crds-report
codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
@echo Generate policy reports crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
@$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)

.PHONY: codegen-crds-all
codegen-crds-all: codegen-crds-kyverno codegen-crds-report ## Generate all CRDs
Expand Down
7 changes: 4 additions & 3 deletions api/kyverno/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion api/kyverno/v1alpha2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion api/kyverno/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion api/kyverno/v2alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions api/kyverno/v2beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 0 additions & 1 deletion api/policyreport/v1alpha2/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions charts/kyverno/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,7 @@ The chart values are organised per component.
| admissionController.rbac.create | bool | `true` | Create RBAC resources |
| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
| admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
| admissionController.replicas | int | `nil` | Desired number of pods |
Expand Down Expand Up @@ -403,6 +404,7 @@ The chart values are organised per component.
| backgroundController.rbac.create | bool | `true` | Create RBAC resources |
| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
| backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
| backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| backgroundController.image.registry | string | `"ghcr.io"` | Image registry |
| backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository |
Expand Down Expand Up @@ -466,6 +468,7 @@ The chart values are organised per component.
| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
| cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| cleanupController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
| cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
| cleanupController.image.registry | string | `"ghcr.io"` | Image registry |
Expand Down Expand Up @@ -537,6 +540,7 @@ The chart values are organised per component.
| reportsController.rbac.create | bool | `true` | Create RBAC resources |
| reportsController.rbac.serviceAccount.name | string | `nil` | Service account name |
| reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
| reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| reportsController.image.registry | string | `"ghcr.io"` | Image registry |
| reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository |
Expand Down
11 changes: 3 additions & 8 deletions charts/kyverno/templates/admission-controller/clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -94,14 +94,9 @@ rules:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.admissionController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
Expand Down
11 changes: 3 additions & 8 deletions charts/kyverno/templates/background-controller/clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,6 @@ metadata:
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
resources:
Expand Down Expand Up @@ -82,6 +74,9 @@ rules:
- update
- patch
- delete
{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.backgroundController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
Expand Down
11 changes: 3 additions & 8 deletions charts/kyverno/templates/cleanup-controller/clusterrole.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,6 @@ metadata:
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down Expand Up @@ -87,6 +79,9 @@ rules:
- subjectaccessreviews
verbs:
- create
{{- with .Values.cleanupController.rbac.coreClusterRole.extraResources }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.cleanupController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
Expand Down
Loading

0 comments on commit 4dd9ea7

Please sign in to comment.