diff --git a/.gitignore b/.gitignore index ee3b1e6..75d6be2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +.certs/ .tools/ website/site/ /kyverno-envoy-plugin diff --git a/Makefile b/Makefile index 91c399c..29ac0f5 100644 --- a/Makefile +++ b/Makefile @@ -188,6 +188,21 @@ kind-load-image: ko-build @echo Load image in kind... >&2 @$(KIND) load docker-image $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA) +################ +# CERTIFICATES # +################ + +.PHONY: generate-certs +generate-certs: ## Generate certificates +generate-certs: + @echo Generating certificates... >&2 + @rm -rf .certs + @mkdir -p .certs + @openssl req -new -x509 \ + -subj "/CN=kyverno-sidecar-injector.kyverno.svc" \ + -addext "subjectAltName = DNS:kyverno-sidecar-injector.kyverno.svc" \ + -nodes -newkey rsa:4096 -keyout .certs/tls.key -out .certs/tls.crt + ######### # ISTIO # ######### @@ -206,6 +221,7 @@ install-istio: $(HELM) .PHONY: install-kyverno-sidecar-injector install-kyverno-sidecar-injector: ## Install kyverno-sidecar-injector chart install-kyverno-sidecar-injector: kind-load-image +install-kyverno-sidecar-injector: generate-certs install-kyverno-sidecar-injector: $(HELM) @echo Build kyverno-sidecar-injector dependecy... >&2 @$(HELM) dependency build --skip-refresh ./charts/kyverno-sidecar-injector @@ -213,7 +229,9 @@ install-kyverno-sidecar-injector: $(HELM) @$(HELM) upgrade --install kyverno-sidecar-injector --namespace kyverno --create-namespace --wait ./charts/kyverno-sidecar-injector \ --set containers.injector.image.registry=$(KO_REGISTRY) \ --set containers.injector.image.repository=$(PACKAGE) \ - --set containers.injector.image.tag=$(GIT_SHA) + --set containers.injector.image.tag=$(GIT_SHA) \ + --set-file certificates.static.crt=.certs/tls.crt \ + --set-file certificates.static.key=.certs/tls.key .PHONY: install-kyverno-authz-server install-kyverno-authz-server: ## Install kyverno-authz-server chart 
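Review bot: The `openssl req` call in `generate-certs` passes no `-days`, so the certificate gets OpenSSL's default validity of 30 days. The same certificate is handed to the chart as the webhook `caBundle`, and values.yaml keeps `failurePolicy: Fail`, so a dev cluster that outlives the certificate would presumably start rejecting admission requests that match the webhook. State the lifetime explicitly, for example `-days 365 \` (example value) ahead of the `-nodes` line, and add a comment above the recipe such as `# dev-only self-signed cert; the unencrypted key is written to .certs/ and replaced on every run`. The subject and SAN are hard-coded to `kyverno-sidecar-injector.kyverno.svc`, which matches only when the chart's Service ends up with that name in the `kyverno` namespace. The key deleted in this commit at `sidecar-injector/manifests/certs/tls.key` remains retrievable from history and should be treated as exposed.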
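Review bot: Passing the private key with `--set-file certificates.static.key=.certs/tls.key` turns it into a chart value, and Helm keeps the supplied values in the release record it stores in the `kyverno` namespace, so the key is held there as well as in the `kubernetes.io/tls` Secret and is returned by `helm get values`. For this kind-based dev target that is probably acceptable, but it is not documented anywhere in the recipe. Add a comment above the `helm upgrade --install` command, for example `# dev only: the TLS key is passed as a Helm value and is kept in the release record`. The recipe of `install-kyverno-sidecar-injector` starts above this hunk.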
diff --git a/charts/kyverno-sidecar-injector/templates/_helpers.tpl b/charts/kyverno-sidecar-injector/templates/_helpers.tpl index 46cb8f5..7377b8f 100644 --- a/charts/kyverno-sidecar-injector/templates/_helpers.tpl +++ b/charts/kyverno-sidecar-injector/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* vim: set filetype=mustache: */}} {{- define "sidecar-injector.name" -}} -{{ template "kyverno.lib.names.name" . }}-sidecar-injector +{{ template "kyverno.lib.names.name" . }} {{- end -}} {{- define "sidecar-injector.labels" -}} @@ -18,10 +18,6 @@ ) -}} {{- end -}} -{{- define "sidecar-injector.role.name" -}} -{{- include "kyverno.lib.names.fullname" . -}}:sidecar-injector -{{- end -}} - {{- define "sidecar-injector.service-account.name" -}} {{- if .Values.rbac.create -}} {{- default (include "sidecar-injector.name" .) .Values.rbac.serviceAccount.name -}} @@ -30,10 +26,6 @@ {{- end -}} {{- end -}} -{{- define "sidecar-injector.serviceName" -}} -{{- printf "%s-svc" (include "kyverno.lib.names.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{- define "sidecar-injector.image" -}} {{- printf "%s/%s:%s" .registry .repository (default "latest" .tag) -}} {{- end -}} diff --git a/charts/kyverno-sidecar-injector/templates/certificates/static.yaml b/charts/kyverno-sidecar-injector/templates/certificates/static.yaml new file mode 100644 index 0000000..819a869 --- /dev/null +++ b/charts/kyverno-sidecar-injector/templates/certificates/static.yaml @@ -0,0 +1,13 @@ +{{- if .Values.certificates.static -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "sidecar-injector.name" . }} + namespace: {{ template "kyverno.lib.namespace" . }} + labels: + {{- include "sidecar-injector.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.certificates.static.crt | b64enc }} + tls.key: {{ .Values.certificates.static.key | b64enc }} +{{- end }} 
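Review bot: In the new `templates/certificates/static.yaml`, `crt` and `key` are piped straight into `b64enc` once `certificates.static` is non-empty, so a values file that sets only one of them is not caught with a clear message; the render most likely fails with an opaque template type error. Wrap both fields in `required`, e.g. `tls.crt: {{ required "certificates.static.crt is required" .Values.certificates.static.crt | b64enc }}` and the equivalent line for `tls.key`. A one-line template comment at the top saying that both values are expected as PEM text would also help.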
diff --git a/charts/kyverno-sidecar-injector/templates/service.yaml b/charts/kyverno-sidecar-injector/templates/service.yaml index 84821cb..a090c31 100644 --- a/charts/kyverno-sidecar-injector/templates/service.yaml +++ b/charts/kyverno-sidecar-injector/templates/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "sidecar-injector.service-account.name" . }} + name: {{ template "sidecar-injector.name" . }} namespace: {{ template "kyverno.lib.namespace" . }} labels: {{- include "sidecar-injector.labels" . | nindent 4 }} diff --git a/charts/kyverno-sidecar-injector/templates/certificates.yaml b/charts/kyverno-sidecar-injector/templates/webhook/static.yaml similarity index 59% rename from charts/kyverno-sidecar-injector/templates/certificates.yaml rename to charts/kyverno-sidecar-injector/templates/webhook/static.yaml index c2d3216..12358c4 100644 --- a/charts/kyverno-sidecar-injector/templates/certificates.yaml +++ b/charts/kyverno-sidecar-injector/templates/webhook/static.yaml @@ -1,23 +1,4 @@ -{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.lib.namespace" .)) 1024 -}} -{{- $svcName := (printf "%s.%s.svc" (include "sidecar-injector.name" .) (include "kyverno.lib.namespace" .)) -}} -{{- $tls := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} -{{- if .Values.certificates.selfSigned -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "sidecar-injector.name" . }} - namespace: {{ template "kyverno.lib.namespace" . }} - labels: - {{- include "sidecar-injector.labels" . | nindent 4 }} - annotations: - self-signed-cert: "true" -type: kubernetes.io/tls -data: - tls.key: {{ $tls.Key | b64enc }} - tls.crt: {{ $tls.Cert | b64enc }} - ca.crt: {{ $ca.Cert | b64enc }} -{{- end }} ---- +{{- if .Values.certificates.static -}} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: 
@@ -35,7 +16,7 @@ webhooks: name: {{ template "sidecar-injector.name" . }} namespace: {{ template "kyverno.lib.namespace" . }} path: "/mutate" - caBundle: {{ $ca.Cert | b64enc }} + caBundle: {{ index .Values.certificates.static.crt | b64enc }} failurePolicy: {{ .Values.webhook.failurePolicy }} sideEffects: None admissionReviewVersions: [ v1 ] @@ -53,3 +34,4 @@ webhooks: namespaceSelector: {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} +{{- end }} diff --git a/charts/kyverno-sidecar-injector/values.yaml b/charts/kyverno-sidecar-injector/values.yaml index 8c55ed9..60b31b4 100644 --- a/charts/kyverno-sidecar-injector/values.yaml +++ b/charts/kyverno-sidecar-injector/values.yaml @@ -27,9 +27,8 @@ rbac: certificates: - # -- Create self-signed certificates at deployment time. - # The certificates won't be automatically renewed if this is set to `true`. - selfSigned: true + # -- Static data to set in certificate secret + static: {} deployment: @@ -230,12 +229,12 @@ webhook: annotations: {} # example.com/annotation: value - # -- Webhook object selector - objectSelector: ~ - # -- Webhook failure policy failurePolicy: Fail + # -- Webhook object selector + objectSelector: ~ + # -- Webhook namespace selector namespaceSelector: matchExpressions: diff --git a/pkg/signals/context.go b/pkg/signals/context.go index e12727b..493542e 100644 --- a/pkg/signals/context.go +++ b/pkg/signals/context.go @@ -12,7 +12,7 @@ func Context(ctx context.Context) (context.Context, context.CancelFunc) { return signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM) } -func Do(ctx context.Context, f func(context.Context) error) error { +func Do(ctx context.Context, callback func(context.Context) error) error { // create a wait group var group wait.Group // wait all tasks in the group are over 
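Review bot: `caBundle` is now rendered from `certificates.static.crt`, the same PEM that serves the webhook, so the trust bundle is tied to the leaf certificate and a deployment whose certificate is issued by a separate CA has no way to supply the issuer instead. Consider an optional CA value that falls back to the certificate, for example `caBundle: {{ default .Values.certificates.static.crt .Values.certificates.static.ca | b64enc }}`, where `certificates.static.ca` is a proposed new key. The one-argument `index` call returns its argument unchanged and can be dropped. The webhook entry this line belongs to starts above the hunk.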
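Review bot: The new comment on `certificates.static` in values.yaml does not say which keys the chart reads or what the empty default means. The templates in this commit read `static.crt` and `static.key`, and both the TLS Secret and the MutatingWebhookConfiguration are skipped while `static` is empty, so a default install no longer registers the webhook, whereas the removed `selfSigned: true` default produced a certificate. Whether the Deployment still mounts the Secret in that case is not visible here. Suggested wording: `# -- Static PEM certificate (crt) and private key (key) for the webhook; when empty, no TLS secret and no webhook are rendered`.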
@@ -28,5 +28,6 @@ func Do(ctx context.Context, f func(context.Context) error) error { // wait signals are triggered <-ctx.Done() }) - return f(ctx) + // invoke callback with signals aware context + return callback(ctx) } diff --git a/sidecar-injector/Dockerfile b/sidecar-injector/Dockerfile deleted file mode 100644 index 0518a55..0000000 --- a/sidecar-injector/Dockerfile +++ /dev/null @@ -1,11 +0,0 @@ -FROM golang:1.22 as build -RUN go install golang.org/x/lint/golint@latest -WORKDIR /build -COPY . ./ -RUN CGO_ENABLED=0 GOOS=linux go build -o sidecar-injector - -FROM scratch -WORKDIR / -COPY --from=build /build/sidecar-injector / - -ENTRYPOINT ["/sidecar-injector"] diff --git a/sidecar-injector/example-manifest/exampledeploy.yaml b/sidecar-injector/example-manifest/exampledeploy.yaml deleted file mode 100644 index d557dc2..0000000 --- a/sidecar-injector/example-manifest/exampledeploy.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx - namespace: default - labels: - app.kubernetes.io/name: nginx -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: nginx - template: - metadata: - labels: - kyverno-envoy-sidecar/injection: enabled - app.kubernetes.io/name: nginx - spec: - containers: - - name: nginx - image: nginx:1.20.2 - ports: - - containerPort: 80 - \ No newline at end of file diff --git a/sidecar-injector/example-manifest/policyfile-configmap.yaml b/sidecar-injector/example-manifest/policyfile-configmap.yaml deleted file mode 100644 index d56557a..0000000 --- a/sidecar-injector/example-manifest/policyfile-configmap.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: policy-files - namespace: default -data: - policy.yaml: | - apiVersion: json.kyverno.io/v1alpha1 - kind: ValidatingPolicy - metadata: - name: check-dockerfile - spec: - rules: - - name: deny-external-calls - assert: - all: - - message: "HTTP calls are not allowed" - check: - request: - http: - method: GET - headers: - authorization: - (base64_decode(split(@, ' ')[1])): - (split(@, ':')[0]): alice - path: /foo - \ No newline at end of file diff --git a/sidecar-injector/manifests/certs/tls.crt b/sidecar-injector/manifests/certs/tls.crt deleted file mode 100644 index c27d9c5..0000000 --- a/sidecar-injector/manifests/certs/tls.crt +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFljCCA36gAwIBAgIUTSFKi449sacfQqxQ5gXXAju9J04wDQYJKoZIhvcNAQEL -BQAwOzE5MDcGA1UEAwwwa3ViZXJuZXRlcy1zaWRlY2FyLWluamVjdG9yLnNpZGVj -YXItaW5qZWN0b3Iuc3ZjMB4XDTI0MDQxNjExMTYwNVoXDTI1MDQxNjExMTYwNVow -OzE5MDcGA1UEAwwwa3ViZXJuZXRlcy1zaWRlY2FyLWluamVjdG9yLnNpZGVjYXIt -aW5qZWN0b3Iuc3ZjMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtSRx -W1jFmbkMmF9fs+NrDF75AAC66h87Pdg8jJh10Z4FD9UjYCUHj/TnUX8wuwqUhY5f -52MMlWP12/EZCPsiJ/uF205idlky5Qi/70mW6TPJLNAapzqkjRd0FnIWRYJ9ruq/ -d7D8v0hrmiBYPxZGEDTHVX0F1apE0gpFmDMoSm4f4XdGSk3nsswajmI0IbMZiDiG -JreP9qR020SEqPJMBx4eGPIQDVkb2X0juweyclXGQgnYaaDXYwG3YCjrdWYKXpAy -Bf5JK6VZ6CUYYnZjRwU9slRKLFD8b6ZbQr3BdtRjQD0axnZgL0kLJjk/IPlBNyxL -rVpDo7UjBcQkUX/gY7R0kxTHpoFQVs9yGcs6Z/MxN05B+HiDc5Fr0aPE4VoWGq9O -mhARbfn44jrovoKUM8W8dx61rxTwrIKz7JUmA8gJDQH/hUN1I2Q2CFW5zGaCGuPA -0nHrs31vCCxu0rm367pgwtHl8KXA5ioa7VbkSifFw05Bj+k8qOJCCHWxdnHUSaIJ -SdVinKipT9/H6gMDx8uLMFxS3kqVoNkXq2US91c7pvFOPv/GC0kMcfJCwIWh+rIt -vT8csPNiuVXgD9x6B8JIA+J/W9Eu/enYO1w8hVw9quaQWD2/LbGMwMKAirQIAJDZ -98cZEiQTrzSLgqL8sAdvy4l4nLQGP7iDYEfdlKkCAwEAAaOBkTCBjjAdBgNVHQ4E -FgQUCw5GP9YU0/qgzDz1fp8tjXEuxAowHwYDVR0jBBgwFoAUCw5GP9YU0/qgzDz1 -fp8tjXEuxAowDwYDVR0TAQH/BAUwAwEB/zA7BgNVHREENDAygjBrdWJlcm5ldGVz -LXNpZGVjYXItaW5qZWN0b3Iuc2lkZWNhci1pbmplY3Rvci5zdmMwDQYJKoZIhvcN -AQELBQADggIBAJ0L1fskFTtVzpWeiAisqYQsNlLYHds3r4edG8bKL7mfmbnifYf9 -cnZaalUidkk57TZU0V+vW93dN4fwqvwkR3/n4WgilFQGtfzB6YDhftA6TeeB7cyQ -fgJeBjDObwH33GT9fX9UdSZI2uuRQDfyEmfXGwhuRj2iu/WCs1Og/oMVS/W3UBoa -J+8auPYEbI4krkARBo8BvHlJxlcudgN85maL1g89e9SK5YS6bk0kyJkRudSMgfon -hFBGr4uzbkJjVbfsULbXfD90wezHzD84nNMXVLLkIOX2oRHVZ+28WB9O5JylNQie -94QbUY1g2JOc6huCXKHu+7jBTQO7GafSlPGq0kyIxx8zmwyOXv3s69VIBCjmW0Jt -NVja3CW5bKQfmOt84h8RnVbmVczotYqeI8cAVRB/Eu736RFsxcR/rExGrgpHdoHx -P5Axm0INUABukf9Im+KIqN9LJG1y3xhplV702JlJXIEp1Nxj20iVh6egql6K/LNi -78VGqtPp3QjUKH2DbpLlFynLgh6o33SGZ4e5kWmpxv7rRw+nRadJ4zDhkHdZ6uf2 -0Z2LoYVjLtLQLIcrTqpCU84RP89Z3xpQu7yGBZmUW69DHPUfroKgnTQ6r82XcmHQ 
-JNEvM/wUyiuHlcQ+ojBgfRwc3F3dnVzTvx7Wk+5Z2GEmY84JzHOSBb/t ------END CERTIFICATE----- diff --git a/sidecar-injector/manifests/certs/tls.key b/sidecar-injector/manifests/certs/tls.key deleted file mode 100644 index 3788b30..0000000 --- a/sidecar-injector/manifests/certs/tls.key +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC1JHFbWMWZuQyY -X1+z42sMXvkAALrqHzs92DyMmHXRngUP1SNgJQeP9OdRfzC7CpSFjl/nYwyVY/Xb -8RkI+yIn+4XbTmJ2WTLlCL/vSZbpM8ks0BqnOqSNF3QWchZFgn2u6r93sPy/SGua -IFg/FkYQNMdVfQXVqkTSCkWYMyhKbh/hd0ZKTeeyzBqOYjQhsxmIOIYmt4/2pHTb -RISo8kwHHh4Y8hANWRvZfSO7B7JyVcZCCdhpoNdjAbdgKOt1ZgpekDIF/kkrpVno -JRhidmNHBT2yVEosUPxvpltCvcF21GNAPRrGdmAvSQsmOT8g+UE3LEutWkOjtSMF -xCRRf+BjtHSTFMemgVBWz3IZyzpn8zE3TkH4eINzkWvRo8ThWhYar06aEBFt+fji -Oui+gpQzxbx3HrWvFPCsgrPslSYDyAkNAf+FQ3UjZDYIVbnMZoIa48DSceuzfW8I -LG7SubfrumDC0eXwpcDmKhrtVuRKJ8XDTkGP6Tyo4kIIdbF2cdRJoglJ1WKcqKlP -38fqAwPHy4swXFLeSpWg2RerZRL3Vzum8U4+/8YLSQxx8kLAhaH6si29Pxyw82K5 -VeAP3HoHwkgD4n9b0S796dg7XDyFXD2q5pBYPb8tsYzAwoCKtAgAkNn3xxkSJBOv -NIuCovywB2/LiXictAY/uINgR92UqQIDAQABAoICAAhacqilYWyKI/3o2JmeAT6v -cajYlqF236rcg0gEPLas/+bmpxfClokwcqs+X2BrB7NYttFWnKG6tyQjUMpzcuHa -tCXmzhzhMgQkkRTAecvkkImgbkteE0xk7vx4kWLJpDn4+X4dT/TJYaxYgxJtIb2S -3hPNg8y5IQhVLDe2goM3CCYNGEMTXjS9O4bZPlqgWD1utCYqNiu1pMkNNnwM39I+ -xxgcHZE+3vHWIAB6oQgZLqgkiIP5VsVqIFju8QDFTl73kcON/X6KRLtXygO6GcKi -vryv4/gMNXbKDKLnEIyGOdLpeeNnx14pJV76PGuIWehWgqqcx8oq73Yqrr+A0zeh -3qwDPFkaJda0gk1Zitq90sUkJrap1F8UhfSMer2FyZmiazs/Yv+1D6qZ/l972etY -KHJbaNdDoQRUKaJMI4CyveaTBeIi/StfRgePXF2qtSHn4rc/Y3vI+TPoaEXxkA3+ -KBWYL8gXsmLAv92rVOI7PkUr/ZYeVK4M9FiKYQ+vXZhxyDspzuknB5itFyBn9nxa -3iN8GHV/w7ma0LRA/ZuPP0rTfD3HMXIHPmrHX/s0RfglzdzOqW6Fa7ZZtUKVljR5 -tq427wGM5QzCcgSrLj/+VsH0nC+I7mI88jCQIoJlRzoDkSMd3/i1WzazqoDcukbj -2Uwf0Usy9Jqih4YuRHKDAoIBAQDA5z2kSz5O6hGGX67YlGv8H9tkP7TSEWc/4A2w -MeTFH73ZrAgKCDDQtS2Cd1d6FGRNw2g2YqHdrEIxtN00dO7HWylOkguqZ6WEO4G0 -x86kbyEgtQt7+lhqoSobdx9gQgtBl/FG3SwXcRcB7U5h0KDujAw5Mf3hfcqBgFHl -3ps0Yqvx+/nQBmQL7H85pjlAE55Yx85eEGz+QM/Evh0y96AjYUnw/05pe8fQZNKo -Kv9fjP5/AyCSVWigETCQjCmT8oijaesLB10jcEEZFQHtMagIbgZBhEcigz525Xei -6gS+imiYNeJ2QcLaT+hbR4ePkwDBNWv6utHdSnE/DODJ1A6LAoIBAQDwZGaA3she -cIhUxE52pUIilm3liB8k7UqB/q5q3UFtbKlMXjkBb15M5m/REHn1R3hojlCuj/JX 
-p9by6L5PG6HGjOZgJyxt58LGrALp990m8iLozXJINYqjuzY/hDLC5swnmvJyVbMb -t+Sf4c9Oy1Kecvi5vnFoQtUp8tGi+IC5wzdUq2QRmZy4xbjUqgBEy7MC5bH45Dqx -NA8CItRXD/90CVUpGD1cTUtSIuLGhCEWTMI7TznSIboico8LujAJ/FG09B1W7sdC -US/5TRqoEAXesI+yfDxVOOtMdDN3MTGtHGk2e1SC9iEvsaglmT9GYcwKIBF5GAPZ -XsFaE/FcbaQbAoIBAHEOlhgWaVxC3yaMKaORyYApA6JLnCSKQqMzI5Kii1vk8JYE -t2l5x3Jq3VNbso9AKFFTN164i/mpndoYEJVP+yooCZudCO1EdcN8RNa5TCkfYKEU -urhczzkfX9hdBqyZyJMXBDfuJItQopVkic3WQpvMxNU4sX1ZBjjEBjvdLcWUFwZq -Ec2UEUrTvvUAsQkW9nU+FXsX0WlqftrmOaLHcrmJqZZva3tzKna+wKADI0zTC81Q -/eQF3p4BtR7ipvOo7+AmkbUTCcldXyneIBTuR3c5VL1NU4ustA1nC6kV0tYBtK+Q -1TtN62+b6ail0ZOaKpUSREjc+Wbi3GCBobVobWUCggEBAI4WuiO4CvUPTPXVpo8o -dSPeiIygXdBE1cJqmAugRfj4vkTeeJFpk3Kezj7jn0KkgP5ECFp1yQeYtEuV2E8I -BSJHzC/PV8qKr60gpQRINpa7jnjOXpth0lWe5Zy7dgmPw+IxCtcb4qcilecO4Ksx -MN9pE60ubPf0cOy/krviaKvkQIMyXw6sHl90tyA0b746LNAslnqH5E0zeR+JGLtx -QEwE7CpDIpm5MikVZ7dxB+GXc0L9PC8BMnUEA5sp7RUp592uYN0ue+at+E5CDdyC -xAVxlS4pkrvIzgO9t2HfWP56iZHjafuSoeEAAGRg5W6jhagCdnF+CWBlSqIEoahB -QjsCggEAXNk8zAUyu5Xg5QencUyBV5sx/cPDIgZtafWMgmvb5RONrfzNPF/S27UV -NmZe5nlS1xBsDnGFEkcg9iCNugaXZtUp1w9xQaja0ZjXR2Ng0OH6Q+QqZzjvsL4u -uTHdx0Pn92mvdeRRig85IELwD5gSDH6mK2RyQJRgILqUHspm+7rkXg6j8oba5YNA -EGb+JVnutmPh2sW0S3XAokskpzafk8I1bUcy8sWkMbYJ1yELKQhyD23Nh0c4C/+W -53ieYOfgcdFTBoJUDty6sspIh9oPAGuN5tNBQA+eeDqPlKTBgZ9548Jo1+yqQZ0W -oYXxm+PBNm6q+qfW2sCerB4ZcJqZAg== ------END PRIVATE KEY----- diff --git a/sidecar-injector/manifests/create-mutating-webhook.sh b/sidecar-injector/manifests/create-mutating-webhook.sh deleted file mode 100755 index e8497dd..0000000 --- a/sidecar-injector/manifests/create-mutating-webhook.sh +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/bash - -# Get the base64 encoded tls.crt data -CA_BUNDLE=$(kubectl get secret kyverno-envoy-sidecar-certs -n kyverno-envoy-sidecar-injector -o jsonpath='{.data.tls\.crt}') - -# Create the mutatingwebhook.yaml file -cat < mutatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: kyverno-envoy-sidecar - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector -webhooks: - - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc - clientConfig: - service: - name: kyverno-envoy-sidecar - namespace: kyverno-envoy-sidecar-injector - path: "/mutate" - caBundle: $CA_BUNDLE - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: ["v1"] - rules: - - apiGroups: - - "" - resources: - - pods - apiVersions: - - "v1" - operations: - - CREATE - scope: '*' - objectSelector: - matchExpressions: - - key: kyverno-envoy-sidecar/injection - operator: In - values: - - enabled -EOF - -# Apply the mutatingwebhook.yaml file -kubectl apply -f mutatingwebhook.yaml \ No newline at end of file diff --git a/sidecar-injector/manifests/deployment.yaml b/sidecar-injector/manifests/deployment.yaml deleted file mode 100644 index 5536c0f..0000000 --- a/sidecar-injector/manifests/deployment.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno-envoy-sidecar - namespace: kyverno-envoy-sidecar-injector - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector - template: - metadata: - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector - spec: - serviceAccountName: kyverno-envoy-sidecar - containers: - - name: kyverno-envoy-sidecar - image: "sanskardevops/sidecar-injector:0.0.6" - imagePullPolicy: IfNotPresent - args: - - --port=8443 - - --certFile=/opt/kubernetes-sidecar-injector/certs/tls.crt - - --keyFile=/opt/kubernetes-sidecar-injector/certs/tls.key - - --sidecarDataKey=sidecars.yaml - volumeMounts: - - name: kyverno-envoy-sidecar-certs - mountPath: /opt/kubernetes-sidecar-injector/certs - readOnly: true - ports: - - name: https - containerPort: 8443 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: https - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - timeoutSeconds: 4 - readinessProbe: - httpGet: - path: /healthz - port: https - scheme: HTTPS - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - timeoutSeconds: 4 - volumes: - - name: kyverno-envoy-sidecar-certs - secret: - secretName: kyverno-envoy-sidecar-certs - \ No newline at end of file diff --git a/sidecar-injector/manifests/mutatingwebhook.yaml b/sidecar-injector/manifests/mutatingwebhook.yaml deleted file mode 100644 index 13db095..0000000 --- a/sidecar-injector/manifests/mutatingwebhook.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ - -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: kyverno-envoy-sidecar - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector -webhooks: - - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc - clientConfig: - service: - name: kyverno-envoy-sidecar - namespace: kyverno-envoy-sidecar-injector - path: "/mutate" - caBundle: "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" - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: ["v1"] - rules: - - apiGroups: - - "" - resources: - - pods - apiVersions: - - "v1" - operations: - - CREATE - scope: '*' - objectSelector: - matchExpressions: - - key: kyverno-envoy-sidecar/injection - operator: In - values: - - enabled - ---- \ No newline at end of file diff --git a/sidecar-injector/manifests/rbac.yaml b/sidecar-injector/manifests/rbac.yaml deleted file mode 100644 index d5a3e6b..0000000 --- a/sidecar-injector/manifests/rbac.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kyverno-envoy-sidecar - namespace: kyverno-envoy-sidecar-injector - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno-envoy-sidecar - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kyverno-envoy-sidecar - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno-envoy-sidecar -subjects: - - kind: ServiceAccount - name: kyverno-envoy-sidecar - namespace: kyverno-envoy-sidecar-injector ---- diff --git a/sidecar-injector/manifests/secret.yaml b/sidecar-injector/manifests/secret.yaml deleted file mode 100644 index 5b46123..0000000 --- a/sidecar-injector/manifests/secret.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: v1 -data: - tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRQzFKSEZiV01XWnVReVkKWDErejQyc01YdmtBQUxycUh6czkyRHlNbUhYUm5nVVAxU05nSlFlUDlPZFJmekM3Q3BTRmpsL25Zd3lWWS9YYgo4UmtJK3lJbis0WGJUbUoyV1RMbENML3ZTWmJwTThrczBCcW5PcVNORjNRV2NoWkZnbjJ1NnI5M3NQeS9TR3VhCklGZy9Ga1lRTk1kVmZRWFZxa1RTQ2tXWU15aEtiaC9oZDBaS1RlZXl6QnFPWWpRaHN4bUlPSVltdDQvMnBIVGIKUklTbzhrd0hIaDRZOGhBTldSdlpmU083QjdKeVZjWkNDZGhwb05kakFiZGdLT3QxWmdwZWtESUYva2tycFZubwpKUmhpZG1OSEJUMnlWRW9zVVB4dnBsdEN2Y0YyMUdOQVBSckdkbUF2U1FzbU9UOGcrVUUzTEV1dFdrT2p0U01GCnhDUlJmK0JqdEhTVEZNZW1nVkJXejNJWnl6cG44ekUzVGtINGVJTnprV3ZSbzhUaFdoWWFyMDZhRUJGdCtmamkKT3VpK2dwUXp4YngzSHJXdkZQQ3NnclBzbFNZRHlBa05BZitGUTNValpEWUlWYm5NWm9JYTQ4RFNjZXV6Zlc4SQpMRzdTdWJmcnVtREMwZVh3cGNEbUtocnRWdVJLSjhYRFRrR1A2VHlvNGtJSWRiRjJjZFJKb2dsSjFXS2NxS2xQCjM4ZnFBd1BIeTRzd1hGTGVTcFdnMlJlclpSTDNWenVtOFU0Ky84WUxTUXh4OGtMQWhhSDZzaTI5UHh5dzgySzUKVmVBUDNIb0h3a2dENG45YjBTNzk2ZGc3WER5RlhEMnE1cEJZUGI4dHNZekF3b0NLdEFnQWtObjN4eGtTSkJPdgpOSXVDb3Z5d0IyL0xpWGljdEFZL3VJTmdSOTJVcVFJREFRQUJBb0lDQUFoYWNxaWxZV3lLSS8zbzJKbWVBVDZ2CmNhallscUYyMzZyY2cwZ0VQTGFzLytibXB4ZkNsb2t3Y3FzK1gyQnJCN05ZdHRGV25LRzZ0eVFqVU1wemN1SGEKdENYbXpoemhNZ1Fra1JUQWVjdmtrSW1nYmt0ZUUweGs3dng0a1dMSnBEbjQrWDRkVC9USllheFlneEp0SWIyUwozaFBOZzh5NUlRaFZMRGUyZ29NM0NDWU5HRU1UWGpTOU80YlpQbHFnV0QxdXRDWXFOaXUxcE1rTk5ud00zOUkrCnh4Z2NIWkUrM3ZIV0lBQjZvUWdaTHFna2lJUDVWc1ZxSUZqdThRREZUbDcza2NPTi9YNktSTHRYeWdPNkdjS2kKdnJ5djQvZ01OWGJLREtMbkVJeUdPZExwZWVObngxNHBKVjc2UEd1SVdlaFdncXFjeDhvcTczWXFycitBMHplaAozcXdEUEZrYUpkYTBnazFaaXRxOTBzVWtKcmFwMUY4VWhmU01lcjJGeVptaWF6cy9ZdisxRDZxWi9sOTcyZXRZCktISmJhTmREb1FSVUthSk1JNEN5dmVhVEJlSWkvU3RmUmdlUFhGMnF0U0huNHJjL1kzdkkrVFBvYUVYeGtBMysKS0JXWUw4Z1hzbUxBdjkyclZPSTdQa1VyL1pZZVZLNE05RmlLWVErdlhaaHh5RHNwenVrbkI1aXRGeUJuOW54YQozaU44R0hWL3c3bWEwTFJBL1p1UFAwclRmRDNITVhJSFBtckhYL3MwUmZnbHpkek9xVzZGYTdaWnRVS1ZsalI1CnRxNDI3d0dNNVF6Q2NnU3JMai8r
VnNIMG5DK0k3bUk4OGpDUUlvSmxSem9Ea1NNZDMvaTFXemF6cW9EY3VrYmoKMlV3ZjBVc3k5SnFpaDRZdVJIS0RBb0lCQVFEQTV6MmtTejVPNmhHR1g2N1lsR3Y4SDl0a1A3VFNFV2MvNEEydwpNZVRGSDczWnJBZ0tDRERRdFMyQ2QxZDZGR1JOdzJnMllxSGRyRUl4dE4wMGRPN0hXeWxPa2d1cVo2V0VPNEcwCng4NmtieUVndFF0NytsaHFvU29iZHg5Z1FndEJsL0ZHM1N3WGNSY0I3VTVoMEtEdWpBdzVNZjNoZmNxQmdGSGwKM3BzMFlxdngrL25RQm1RTDdIODVwamxBRTU1WXg4NWVFR3orUU0vRXZoMHk5NkFqWVVudy8wNXBlOGZRWk5LbwpLdjlmalA1L0F5Q1NWV2lnRVRDUWpDbVQ4b2lqYWVzTEIxMGpjRUVaRlFIdE1hZ0liZ1pCaEVjaWd6NTI1WGVpCjZnUytpbWlZTmVKMlFjTGFUK2hiUjRlUGt3REJOV3Y2dXRIZFNuRS9ET0RKMUE2TEFvSUJBUUR3WkdhQTNzaGUKY0loVXhFNTJwVUlpbG0zbGlCOGs3VXFCL3E1cTNVRnRiS2xNWGprQmIxNU01bS9SRUhuMVIzaG9qbEN1ai9KWApwOWJ5Nkw1UEc2SEdqT1pnSnl4dDU4TEdyQUxwOTkwbThpTG96WEpJTllxanV6WS9oRExDNXN3bm12SnlWYk1iCnQrU2Y0YzlPeTFLZWN2aTV2bkZvUXRVcDh0R2krSUM1d3pkVXEyUVJtWnk0eGJqVXFnQkV5N01DNWJINDVEcXgKTkE4Q0l0UlhELzkwQ1ZVcEdEMWNUVXRTSXVMR2hDRVdUTUk3VHpuU0lib2ljbzhMdWpBSi9GRzA5QjFXN3NkQwpVUy81VFJxb0VBWGVzSSt5ZkR4Vk9PdE1kRE4zTVRHdEhHazJlMVNDOWlFdnNhZ2xtVDlHWWN3S0lCRjVHQVBaClhzRmFFL0ZjYmFRYkFvSUJBSEVPbGhnV2FWeEMzeWFNS2FPUnlZQXBBNkpMbkNTS1FxTXpJNUtpaTF2azhKWUUKdDJsNXgzSnEzVk5ic285QUtGRlROMTY0aS9tcG5kb1lFSlZQK3lvb0NadWRDTzFFZGNOOFJOYTVUQ2tmWUtFVQp1cmhjenprZlg5aGRCcXlaeUpNWEJEZnVKSXRRb3BWa2ljM1dRcHZNeE5VNHNYMVpCampFQmp2ZExjV1VGd1pxCkVjMlVFVXJUdnZVQXNRa1c5blUrRlhzWDBXbHFmdHJtT2FMSGNybUpxWlp2YTN0ektuYSt3S0FESTB6VEM4MVEKL2VRRjNwNEJ0UjdpcHZPbzcrQW1rYlVUQ2NsZFh5bmVJQlR1UjNjNVZMMU5VNHVzdEExbkM2a1YwdFlCdEsrUQoxVHRONjIrYjZhaWwwWk9hS3BVU1JFamMrV2JpM0dDQm9iVm9iV1VDZ2dFQkFJNFd1aU80Q3ZVUFRQWFZwbzhvCmRTUGVpSXlnWGRCRTFjSnFtQXVnUmZqNHZrVGVlSkZwazNLZXpqN2puMEtrZ1A1RUNGcDF5UWVZdEV1VjJFOEkKQlNKSHpDL1BWOHFLcjYwZ3BRUklOcGE3am5qT1hwdGgwbFdlNVp5N2RnbVB3K0l4Q3RjYjRxY2lsZWNPNEtzeApNTjlwRTYwdWJQZjBjT3kva3J2aWFLdmtRSU15WHc2c0hsOTB0eUEwYjc0NkxOQXNsbnFINUUwemVSK0pHTHR4ClFFd0U3Q3BESXBtNU1pa1ZaN2R4QitHWGMwTDlQQzhCTW5VRUE1c3A3UlVwNTkydVlOMHVlK2F0K0U1Q0RkeUMKeEFWeGxTNHBrcnZJemdPOXQySGZXUDU2aVpIamFmdVNvZUVBQUdSZzVXNmpoYWdDZG5GK0NXQmxTcUlFb2FoQgpRanNDZ2dFQVhOazh6QVV5dTVYZzVRZW5j
VXlCVjVzeC9jUERJZ1p0YWZXTWdtdmI1Uk9OcmZ6TlBGL1MyN1VWCk5tWmU1bmxTMXhCc0RuR0ZFa2NnOWlDTnVnYVhadFVwMXc5eFFhamEwWmpYUjJOZzBPSDZRK1FxWnpqdnNMNHUKdVRIZHgwUG45Mm12ZGVSUmlnODVJRUx3RDVnU0RINm1LMlJ5UUpSZ0lMcVVIc3BtKzdya1hnNmo4b2JhNVlOQQpFR2IrSlZudXRtUGgyc1cwUzNYQW9rc2twemFmazhJMWJVY3k4c1drTWJZSjF5RUxLUWh5RDIzTmgwYzRDLytXCjUzaWVZT2ZnY2RGVEJvSlVEdHk2c3NwSWg5b1BBR3VONXROQlFBK2VlRHFQbEtUQmdaOTU0OEpvMSt5cVFaMFcKb1lYeG0rUEJObTZxK3FmVzJzQ2VyQjRaY0pxWkFnPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= -kind: Secret -metadata: - name: kyverno-envoy-sidecar-certs - namespace: kyverno-envoy-sidecar-injector - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector diff --git a/sidecar-injector/manifests/service.yaml b/sidecar-injector/manifests/service.yaml deleted file mode 100644 index d867da4..0000000 --- a/sidecar-injector/manifests/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: kyverno-envoy-sidecar - namespace: kyverno-envoy-sidecar-injector - labels: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector -spec: - type: ClusterIP - ports: - - name: https - protocol: TCP - port: 443 - targetPort: 8443 - selector: - app.kubernetes.io/name: sidecar-injector - app.kubernetes.io/instance: sidecar-injector \ No newline at end of file diff --git a/sidecar-injector/manifests/sidecar-configmap.yaml b/sidecar-injector/manifests/sidecar-configmap.yaml deleted file mode 100644 index 4b4f767..0000000 --- a/sidecar-injector/manifests/sidecar-configmap.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: kyverno-envoy-sidecar - namespace: kyverno-envoy-sidecar-injector -data: - sidecars.yaml: | - - name: kyverno-envoy-sidecar - containers: - - image: sanskardevops/plugin:0.0.25 - imagePullPolicy: IfNotPresent - name: ext-authz - ports: - - containerPort: 8000 - - containerPort: 9000 - args: - - "serve" - - "--policy=/policies/policy.yaml" - volumeMounts: - - name: policy-files - mountPath: /policies - volumes: - - name: policy-files - configMap: - name: policy-files - \ No newline at end of file