cronjob added

charts/kyverno/crds/crds.yaml

@@ -275,7 +275,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: clusterpolicyreports.policy.kubernetes.io
 spec:
@@ -960,7 +960,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: policyreports.policy.kubernetes.io
 spec:
@@ -1171,6 +1171,47 @@ spec:
               description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
               type: string
           type: object
+        scopeSelector:
+          description: ScopeSelector is an optional selector for multiple scopes (e.g.
+            Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
+            should be specified.
+          properties:
+            matchExpressions:
+              description: matchExpressions is a list of label selector requirements.
+                The requirements are ANDed.
+              items:
+                description: A label selector requirement is a selector that contains
+                  values, a key, and an operator that relates the key and values.
+                properties:
+                  key:
+                    description: key is the label key that the selector applies to.
+                    type: string
+                  operator:
+                    description: operator represents a key's relationship to a set
+                      of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                    type: string
+                  values:
+                    description: values is an array of string values. If the operator
+                      is In or NotIn, the values array must be non-empty. If the operator
+                      is Exists or DoesNotExist, the values array must be empty. This
+                      array is replaced during a strategic merge patch.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - key
+                - operator
+                type: object
+              type: array
+            matchLabels:
+              additionalProperties:
+                type: string
+              description: matchLabels is a map of {key,value} pairs. A single {key,value}
+                in the matchLabels map is equivalent to an element of matchExpressions,
+                whose key field is "key", the operator is "In", and the values array
+                contains only "value". The requirements are ANDed.
+              type: object
+          type: object
         summary:
           description: PolicyReportSummary provides a summary of results
           properties:

charts/kyverno/templates/cronjob.yaml

@@ -0,0 +1,25 @@
+{{- if (not .Values.job.enableBackgroundScan) }}
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: {{ .Values.job.name | quote }}
+  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  schedule: {{ .Values.job.schedule | quote }}
+  concurrencyPolicy : Forbid
+  suspend : true
+  successfulJobsHistoryLimit : 4
+  failedJobsHistoryLimit : 4
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: {{ .Values.job.name | quote }}
+              image: {{ .Values.job.image | quote }}
+              args:
+                - report
+                - all
+          restartPolicy: OnFailure
+  {{- end -}}

charts/kyverno/values.yaml

@@ -126,4 +126,11 @@ service:
 #    kyverno-svc.kyverno.svc.kyverno-tls-key-pair (with data entries named tls.key and tls.crt)
 # 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
 # If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
-createSelfSignedCert: false
+createSelfSignedCert: false
+
+
+job:
+  name: policyreport-background-scan
+  enableBackgroundScan : true
+  schedule : "*/6 * * * *"
+  image : "nirmata/kyverno-cli:latest"

definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml

@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: clusterpolicyreports.policy.kubernetes.io
 spec:

definitions/crds/policy.kubernetes.io_policyreports.yaml

@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: policyreports.policy.kubernetes.io
 spec:
@@ -215,6 +215,47 @@ spec:
               description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
               type: string
           type: object
+        scopeSelector:
+          description: ScopeSelector is an optional selector for multiple scopes (e.g.
+            Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
+            should be specified.
+          properties:
+            matchExpressions:
+              description: matchExpressions is a list of label selector requirements.
+                The requirements are ANDed.
+              items:
+                description: A label selector requirement is a selector that contains
+                  values, a key, and an operator that relates the key and values.
+                properties:
+                  key:
+                    description: key is the label key that the selector applies to.
+                    type: string
+                  operator:
+                    description: operator represents a key's relationship to a set
+                      of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                    type: string
+                  values:
+                    description: values is an array of string values. If the operator
+                      is In or NotIn, the values array must be non-empty. If the operator
+                      is Exists or DoesNotExist, the values array must be empty. This
+                      array is replaced during a strategic merge patch.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - key
+                - operator
+                type: object
+              type: array
+            matchLabels:
+              additionalProperties:
+                type: string
+              description: matchLabels is a map of {key,value} pairs. A single {key,value}
+                in the matchLabels map is equivalent to an element of matchExpressions,
+                whose key field is "key", the operator is "In", and the values array
+                contains only "value". The requirements are ANDed.
+              type: object
+          type: object
         summary:
           description: PolicyReportSummary provides a summary of results
           properties:

definitions/install.yaml

@@ -280,7 +280,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: clusterpolicyreports.policy.kubernetes.io
 spec:
@@ -965,7 +965,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: policyreports.policy.kubernetes.io
 spec:
@@ -1176,6 +1176,47 @@ spec:
               description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
               type: string
           type: object
+        scopeSelector:
+          description: ScopeSelector is an optional selector for multiple scopes (e.g.
+            Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
+            should be specified.
+          properties:
+            matchExpressions:
+              description: matchExpressions is a list of label selector requirements.
+                The requirements are ANDed.
+              items:
+                description: A label selector requirement is a selector that contains
+                  values, a key, and an operator that relates the key and values.
+                properties:
+                  key:
+                    description: key is the label key that the selector applies to.
+                    type: string
+                  operator:
+                    description: operator represents a key's relationship to a set
+                      of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                    type: string
+                  values:
+                    description: values is an array of string values. If the operator
+                      is In or NotIn, the values array must be non-empty. If the operator
+                      is Exists or DoesNotExist, the values array must be empty. This
+                      array is replaced during a strategic merge patch.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - key
+                - operator
+                type: object
+              type: array
+            matchLabels:
+              additionalProperties:
+                type: string
+              description: matchLabels is a map of {key,value} pairs. A single {key,value}
+                in the matchLabels map is equivalent to an element of matchExpressions,
+                whose key field is "key", the operator is "In", and the values array
+                contains only "value". The requirements are ANDed.
+              type: object
+          type: object
         summary:
           description: PolicyReportSummary provides a summary of results
           properties:
@@ -1744,3 +1785,25 @@ spec:
         imagePullPolicy: Always
         name: kyverno-pre
       serviceAccountName: kyverno-service-account
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: policyreport-background-scan
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 4
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - args:
+            - report
+            - all
+            image: evalsocket/kyverno-cli:latest
+            name: policyreport-background-scan
+          restartPolicy: OnFailure
+  schedule: '*/6 * * * *'
+  successfulJobsHistoryLimit: 4
+  suspend: true

definitions/install_debug.yaml

@@ -280,7 +280,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: clusterpolicyreports.policy.kubernetes.io
 spec:
@@ -965,7 +965,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: policyreports.policy.kubernetes.io
 spec:
@@ -1176,6 +1176,47 @@ spec:
               description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
               type: string
           type: object
+        scopeSelector:
+          description: ScopeSelector is an optional selector for multiple scopes (e.g.
+            Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
+            should be specified.
+          properties:
+            matchExpressions:
+              description: matchExpressions is a list of label selector requirements.
+                The requirements are ANDed.
+              items:
+                description: A label selector requirement is a selector that contains
+                  values, a key, and an operator that relates the key and values.
+                properties:
+                  key:
+                    description: key is the label key that the selector applies to.
+                    type: string
+                  operator:
+                    description: operator represents a key's relationship to a set
+                      of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                    type: string
+                  values:
+                    description: values is an array of string values. If the operator
+                      is In or NotIn, the values array must be non-empty. If the operator
+                      is Exists or DoesNotExist, the values array must be empty. This
+                      array is replaced during a strategic merge patch.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - key
+                - operator
+                type: object
+              type: array
+            matchLabels:
+              additionalProperties:
+                type: string
+              description: matchLabels is a map of {key,value} pairs. A single {key,value}
+                in the matchLabels map is equivalent to an element of matchExpressions,
+                whose key field is "key", the operator is "In", and the values array
+                contains only "value". The requirements are ANDed.
+              type: object
+          type: object
         summary:
           description: PolicyReportSummary provides a summary of results
           properties:
@@ -1677,3 +1718,25 @@ spec:
     targetPort: 443
   selector:
     app: kyverno
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: policyreport-background-scan
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 4
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - args:
+            - report
+            - all
+            image: evalsocket/kyverno-cli:latest
+            name: policyreport-background-scan
+          restartPolicy: OnFailure
+  schedule: '*/6 * * * *'
+  successfulJobsHistoryLimit: 4
+  suspend: true

definitions/k8s-resource/cronjob.yaml

@@ -0,0 +1,21 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: policyreport-background-scan
+spec:
+  schedule: "*/6 * * * *"
+  concurrencyPolicy : Forbid
+  suspend : true
+  successfulJobsHistoryLimit : 4
+  failedJobsHistoryLimit : 4
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: policyreport-background-scan
+              image: evalsocket/kyverno-cli:latest
+              args:
+                - report
+                - all
+          restartPolicy: OnFailure

definitions/k8s-resource/kustomization.yaml

@@ -3,4 +3,5 @@ kind: Kustomization
 
 resources:
 - ./rbac.yaml
-- ./configmap.yaml
+- ./configmap.yaml
+- ./cronjob.yaml