Clarify naming patterns for Kyverno ClusterRoles/ClusterRoleBindings #2904
Comments
@andriktr can you please check if your cluster role has a label of
@vyankyGH I have added a
Here is how my cluster role looks:

```yaml
# Cluster role for Kyverno service account required for standard kyverno operations
# (should be updated accordingly if kyverno releases update for cluster-role.yaml)
- name: if-baltic-kyverno-standard
  enabled: true
  labels:
    app.kubernetes.io/ownerreference: "true"
    app.kubernetes.io/name: "kyverno"
    app: kyverno
  rules:
    - apiGroups:
        - coordination.k8s.io
      resources:
        - leases
      verbs:
        - create
        - delete
        - get
        - patch
        - update
    - apiGroups:
        - '*'
      resources:
        - events
        - mutatingwebhookconfigurations
        - validatingwebhookconfigurations
        - certificatesigningrequests
        - certificatesigningrequests/approval
      verbs:
        - create
        - delete
        - get
        - list
        - patch
        - update
        - watch
    - apiGroups:
        - certificates.k8s.io
      resources:
        - certificatesigningrequests
        - certificatesigningrequests/approval
        - certificatesigningrequests/status
      resourceNames:
        - kubernetes.io/legacy-unknown
      verbs:
        - create
        - delete
        - get
        - update
        - watch
    - apiGroups:
        - certificates.k8s.io
      resources:
        - signers
      resourceNames:
        - kubernetes.io/legacy-unknown
      verbs:
        - approve
    - apiGroups:
        - "*"
      resources:
        - roles
        - clusterroles
        - rolebindings
        - clusterrolebindings
        - configmaps
        - namespaces
      verbs:
        - watch
        - list
    - apiGroups:
        - '*'
      resources:
        - policies
        - policies/status
        - clusterpolicies
        - clusterpolicies/status
        - policyreports
        - policyreports/status
        - clusterpolicyreports
        - clusterpolicyreports/status
        - generaterequests
        - generaterequests/status
        - reportchangerequests
        - reportchangerequests/status
        - clusterreportchangerequests
        - clusterreportchangerequests/status
      verbs:
        - create
        - delete
        - get
        - list
        - patch
        - update
        - watch
    - apiGroups:
        - 'apiextensions.k8s.io'
      resources:
        - customresourcedefinitions
      verbs:
        - delete
    # Wildcard group and wildcard resource: this rule alone grants read and update
    # access to every API object in the cluster, so it is worth a least-privilege review.
    - apiGroups:
        - '*'
      resources:
        - '*'
      verbs:
        - get
        - list
        - update
        - watch
    - apiGroups:
        - "*"
      resources:
        - namespaces
        - networkpolicies
        - secrets
        - configmaps
        - resourcequotas
        - limitranges
      verbs:
        - create
        - update
        - delete
        - list
        - get
    - apiGroups:
        - '*'
      resources:
        - namespaces
      verbs:
        - watch
    - apiGroups:
        - kyverno.io
      resources:
        - policies
        - clusterpolicies
      verbs:
        - "*"
    # Note: RBAC apiGroups takes the group name only (wgpolicyk8s.io), not group/version,
    # and resources are matched by their plural names (policyreports, clusterpolicyreports),
    # so this rule does not match the report resources as written.
    - apiGroups:
        - wgpolicyk8s.io/v1alpha1
      resources:
        - policyreport
        - clusterpolicyreport
      verbs:
        - '*'
    - apiGroups:
        - kyverno.io
      resources:
        - reportchangerequests
        - clusterreportchangerequests
      verbs:
        - "*"
```
@andriktr looks like kyverno is not able to find a clusterrole with the suffix webhook.
@vyankyGH are there any specific reasons to tie kyverno to a clusterrole having such a suffix?
@vyankyGH FYI. Once I changed the name of the clusterrole to contain
Hi @andriktr - Is there any particular reason you need to customize the role's name?
Hi @realshuting. Personally, for me it doesn't matter which name is set for the kyverno clusterrole. The Kyverno helm chart allows skipping the creation of cluster roles, which means the cluster roles should be created outside the kyverno deployment; and if the role name or its suffix is hardcoded, then it should at least be pointed out somewhere which naming pattern to use if I'm creating a role outside of the kyverno helm chart.
Good point! Yes, we should document the naming convention for ClusterRoles'/ClusterRoleBindings' names. However, I don't think we want to make
kyverno/charts/kyverno/values.yaml, lines 8 to 9 in cda6310
But it is configurable already if you set
That makes sense! @vyankyGH - let's clarify naming patterns in the Helm charts and update https://github.com/kyverno/kyverno/blob/main/charts/kyverno/README.md.
Hello,
I'm trying to upgrade kyverno 1.5.0 to kyverno 1.5.2.
My kyverno pods are not running after upgrade:
It seems that kyverno is looking for a cluster role with the suffix "webhook", but I'm creating the cluster roles and rolebindings for the kyverno service account outside of the kyverno helm chart and setting the rbac config in the kyverno chart to:
The clusterroles which I'm creating for kyverno separately are named a bit differently.
A very similar problem is described here. I have tried to add the
app.kubernetes.io/ownerreference: "true"
label to my clusterroles for kyverno, but it doesn't help. @vyankyGH I see that you worked on this, any thoughts?
Thanks in advance.
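When ClusterRoles are created outside the Helm chart, as in this issue, the failure mode is exactly the one reported above: an object exists and is bound, but not under the name or label the controller looks up. The following Python script is an added example (not code from this issue or from the Kyverno project) of a pre-upgrade check a cluster operator can run against `kubectl get clusterroles,clusterrolebindings -o json` output. It takes two assumptions from the thread rather than from Kyverno's source, the `webhook` name suffix and the `app.kubernetes.io/ownerreference: "true"` label, and embeds a constructed sample list (an abridged copy of the role posted above plus two made-up roles and their bindings) so it runs offline. Beyond the naming check it also reports roles that grant `'*'` on both apiGroups and resources, roles never referenced by a binding, and which roles are actually bound to the kyverno service account.

```python
"""Pre-upgrade check for Kyverno ClusterRoles managed outside the Helm chart."""
import json
import sys

# Assumptions taken from the issue thread, not from Kyverno's source: the controller
# looks up a ClusterRole whose name ends in this suffix and expects this label on it.
EXPECTED_SUFFIX = "webhook"
EXPECTED_LABEL = ("app.kubernetes.io/ownerreference", "true")

SA = {"kind": "ServiceAccount", "name": "kyverno", "namespace": "kyverno"}
ROLE_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole"}

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
# The first role is an abridged copy of the one posted in the issue; the rest are made up.
SAMPLE_LIST = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRole",
         "metadata": {"name": "if-baltic-kyverno-standard",
                      "labels": {"app.kubernetes.io/ownerreference": "true", "app": "kyverno"}},
         "rules": [
             {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
              "verbs": ["create", "delete", "get", "patch", "update"]},
             {"apiGroups": ["*"], "resources": ["*"],
              "verbs": ["get", "list", "update", "watch"]}]},
        {"kind": "ClusterRole",  # constructed: name carries the expected suffix
         "metadata": {"name": "example-kyverno-webhook",
                      "labels": {"app.kubernetes.io/ownerreference": "true"}},
         "rules": [
             {"apiGroups": ["admissionregistration.k8s.io"],
              "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
              "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}]},
        {"kind": "ClusterRole",  # constructed: no ownerreference label, never bound
         "metadata": {"name": "example-kyverno-leftover", "labels": {"app": "kyverno"}},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "if-baltic-kyverno-standard"},
         "roleRef": dict(ROLE_REF, name="if-baltic-kyverno-standard"), "subjects": [SA]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "example-kyverno-webhook"},
         "roleRef": dict(ROLE_REF, name="example-kyverno-webhook"), "subjects": [SA]},
    ],
}


def name_of(obj):
    return obj["metadata"]["name"]


def cluster_roles(objs):
    return [o for o in objs if o.get("kind") == "ClusterRole"]


def roles_with_suffix(objs, suffix=EXPECTED_SUFFIX):
    """Names of ClusterRoles that a lookup-by-suffix would find."""
    return sorted(name_of(r) for r in cluster_roles(objs) if name_of(r).endswith(suffix))


def roles_missing_label(objs, label=EXPECTED_LABEL):
    """ClusterRoles without the expected label, or with it set to another value."""
    key, value = label
    return sorted(name_of(r) for r in cluster_roles(objs)
                  if r["metadata"].get("labels", {}).get(key) != value)


def wildcard_rules(role):
    """Verb lists of rules granting '*' on both apiGroups and resources; such a rule
    covers every object in the cluster and deserves a least-privilege review."""
    return [sorted(rule.get("verbs", [])) for rule in role.get("rules", [])
            if "*" in rule.get("apiGroups", []) and "*" in rule.get("resources", [])]


def roles_bound_to(objs, sa_name, sa_namespace):
    """ClusterRoles actually granted to a service account through ClusterRoleBindings."""
    bound = set()
    for b in objs:
        if b.get("kind") != "ClusterRoleBinding" or b.get("roleRef", {}).get("kind") != "ClusterRole":
            continue
        for s in b.get("subjects", []):
            if (s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                    and s.get("namespace") == sa_namespace):
                bound.add(b["roleRef"]["name"])
    return sorted(bound)


def unbound_roles(objs):
    """ClusterRoles no ClusterRoleBinding references (stale or misnamed objects)."""
    referenced = {b["roleRef"]["name"] for b in objs if b.get("kind") == "ClusterRoleBinding"}
    return sorted(name_of(r) for r in cluster_roles(objs) if name_of(r) not in referenced)


def run_checks(obj_list, sa_name="kyverno", sa_namespace="kyverno"):
    """Run every check over a kubectl-style List and return the findings."""
    objs = obj_list["items"]
    return {
        "roles_with_suffix": roles_with_suffix(objs),
        "roles_missing_label": roles_missing_label(objs),
        "wildcard_grants": {name_of(r): wildcard_rules(r)
                            for r in cluster_roles(objs) if wildcard_rules(r)},
        "bound_to_service_account": roles_bound_to(objs, sa_name, sa_namespace),
        "unbound_roles": unbound_roles(objs),
    }


if __name__ == "__main__":
    # Pass a file saved from `kubectl get clusterroles,clusterrolebindings -o json`,
    # or run without arguments to check the constructed sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LIST
    print(json.dumps(run_checks(data), indent=2))
```

On the constructed sample the report shows that only `example-kyverno-webhook` satisfies the suffix, that the role copied from the issue carries a cluster-wide wildcard grant, and that `example-kyverno-leftover` has neither the label nor a binding. The suffix and label are parameters, so once the naming convention is documented in the chart README they can be replaced with the documented values.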