docs: added documentation of kyverno-envoy-plugin for website

quick_start.yaml

@@ -0,0 +1,212 @@
+# Application Deployment with kyverno-envoy-plugin and Envoy sidecars.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: testapp
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: testapp
+  template:
+    metadata:
+      labels:
+        app: testapp
+    spec:
+      initContainers:
+        - name: proxy-init
+          image: sanskardevops/proxyinit:latest
+          # Configure the iptables bootstrap script to redirect traffic to the
+          # Envoy proxy on port 8000, specify that Envoy will be running as user
+          # 1111, and that we want to exclude port 8181 from the proxy for the Kyverno health checks.
+          # These values must match up with the configuration
+          # defined below for the "envoy" and "kyverno-envoy-plugin" containers.
+          args: ["-p", "7000", "-u", "1111", -w, "8181"]
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsNonRoot: false
+            runAsUser: 0
+      containers:
+        - name: test-application
+          image: sanskardevops/test-application:0.0.1
+          ports:
+            - containerPort: 8080
+        - name: envoy
+          image: envoyproxy/envoy:v1.30-latest
+          securityContext:
+            runAsUser: 1111
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - readOnly: true
+              mountPath: /config
+              name: proxy-config
+          args:
+            - "envoy"
+            - "--config-path"
+            - "/config/envoy.yaml"
+        - name: kyverno-envoy-plugin
+          image: sanskardevops/plugin:0.0.34
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8181
+            - containerPort: 9000
+          volumeMounts:
+            - readOnly: true
+              mountPath: /policies
+              name: policy-files
+          args:
+            - "serve"
+            - "--policy=/policies/policy.yaml"
+            - "--address=:9000"
+            - "--healthaddress=:8181"
+          livenessProbe:
+            httpGet:
+              path: /health
+              scheme: HTTP
+              port: 8181
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              scheme: HTTP
+              port: 8181
+            initialDelaySeconds: 5
+            periodSeconds: 5  
+      volumes:
+        - name: proxy-config
+          configMap:
+            name: proxy-config
+        - name: policy-files
+          configMap:
+            name: policy-files
+--- 
+# Envoy Config with External Authorization filter that will query kyverno-envoy-plugin.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: proxy-config
+data:
+  envoy.yaml: |
+    static_resources:
+      listeners:
+      - address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 7000
+        filter_chains:
+        - filters:
+          - name: envoy.filters.network.http_connection_manager
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+              codec_type: auto
+              stat_prefix: ingress_http
+              route_config:
+                name: local_route
+                virtual_hosts:
+                - name: backend
+                  domains:
+                  - "*"
+                  routes:
+                  - match:
+                      prefix: "/"
+                    route:
+                      cluster: service
+              http_filters:
+              - name: envoy.ext_authz
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                  transport_api_version: V3
+                  with_request_body:
+                    max_request_bytes: 8192
+                    allow_partial_message: true
+                  failure_mode_allow: false
+                  grpc_service:
+                    google_grpc:
+                      target_uri: 127.0.0.1:9000
+                      stat_prefix: ext_authz
+                    timeout: 0.5s
+              - name: envoy.filters.http.router
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+      clusters:
+      - name: service
+        connect_timeout: 0.25s
+        type: strict_dns
+        lb_policy: round_robin
+        load_assignment:
+          cluster_name: service
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 8080
+    admin:
+      access_log_path: "/dev/null"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8001
+    layered_runtime:
+      layers:
+        - name: static_layer_0
+          static_layer:
+            envoy:
+              resource_limits:
+                listener:
+                  example_listener_name:
+                    connection_limit: 10000
+            overload:
+              global_downstream_max_connections: 50000
+---
+# Example policy to enforce into kyverno-envoy-plugin sidecars.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-files
+data:
+  policy.yaml: |
+    apiVersion: json.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    metadata:
+      name: checkrequest
+    spec:
+      rules:
+        - name: deny-guest-request-at-post
+          assert:
+            any:
+            - message: "POST method calls at path /book are not allowed to guests users"
+              check:
+                request:
+                    http:
+                        method: POST
+                        headers:
+                            authorization:
+                                (split(@, ' ')[1]):
+                                    (jwt_decode(@ , 'secret').payload.role): admin
+                        path: /book                             
+            - message: "GET method call is allowed to both guest and admin users"
+              check:
+                request:
+                    http:
+                        method: GET
+                        headers:
+                            authorization:
+                                (split(@, ' ')[1]):
+                                    (jwt_decode(@ , 'secret').payload.role): admin
+                        path: /book 
+            - message: "GET method call is allowed to both guest and admin users"
+              check:
+                request:
+                    http:
+                        method: GET
+                        headers:
+                            authorization:
+                                (split(@, ' ')[1]):
+                                    (jwt_decode(@ , 'secret').payload.role): guest
+                        path: /book               
+

website/docs/index.md

@@ -1,4 +1,4 @@
 ---
 template: home.html
-title: chainsaw
+title: kyverno-envoy-plugin
 ---

website/docs/intro.md

@@ -0,0 +1,38 @@
+# Introduction
+
+The Kyverno Envoy Plugin is a powerful tool that integrates the Kyverno-json policy engine with the Envoy proxy. It allows you to enforce Kyverno policies on incoming and outgoing traffic in a service mesh environment, providing an additional layer of security and control over your applications.
+
+## Overview 
+
+[Envoy](https://www.envoyproxy.io/docs/envoy/latest/intro/what_is_envoy) is a Layer 7 proxy and communication bus tailored for large-scale, modern service-oriented architectures. Starting from version 1.7.0, Envoy includes an [External Authorization filter](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter.html) that interfaces with an authorization service to determine the legitimacy of incoming requests.
+
+This functionality allows authorization decisions to be offloaded to an external service, which can access the request context. The request context includes details such as the origin and destination of the network activity, as well as specifics of the network request (e.g., HTTP request). This information enables the external service to make a well-informed decision regarding the authorization of the incoming request processed by Envoy.
+
+## What is Kyverno-Envoy-Plugin?
+
+[Kyverno-envoy](https://github.com/kyverno/kyverno-envoy-plugin) plugin extends [Kyverno-json](https://kyverno.github.io/kyverno-json/latest/) with a gRPC server that implements [Envoy External Authorization API](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter.html). This allows you to enforce Kyverno policies on incoming and outgoing traffic in a service mesh environment, providing an additional layer of security and control over your applications. You can use this version of Kyverno to enforce fine-grained, context-aware access control policies with Envoy without modifying your microservice.
+
+## How does this work?
+
+In addition to the Envoy sidecar, your application pods will include a kyverno-envoy component, either as a sidecar or as a separate pod. This kyverno-envoy will be configured to communicate with the Kyverno-envoy-plugin gRPC server. When Envoy receives an API request intended for your microservice, it consults the Kyverno-envoy-plugin server to determine whether the request should be permitted.
+
+Performing policy evaluations locally with Envoy is advantageous, as it eliminates the need for an additional network hop for authorization checks, thus enhancing both performance and availability.
+
+
+
+!!! info 
+
+    The Kyverno-Envoy-Plugin is frequently deployed in Kubernetes environments as a sidecar container or as a separate pod. Additionally, it can be used in other environments as a standalone process running alongside Envoy.
+
+## Additional Resources 
+
+See the following pages on [envoyproxy.io](https://www.envoyproxy.io/) for more information on external authorization:
+
+- [External Authorization](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter.html) to learn about the External Authorization filter.
+- [Network](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/ext_authz_filter#config-network-filters-ext-authz) and [HTTP](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz) for details on configuring the External Authorization filter.
+
+
+
+
+
+

website/docs/jp/main.go

@@ -0,0 +1,51 @@
+package main
+
+import (
+	"fmt"
+	"strings"
+
+	jpfunctions "github.com/jmespath-community/go-jmespath/pkg/functions"
+	"github.com/kyverno/kyverno-json/pkg/engine/template/functions"
+	kyvernofunctions "github.com/kyverno/kyverno-json/pkg/engine/template/kyverno"
+)
+
+func main() {
+	fmt.Println("# Functions")
+	fmt.Println()
+	fmt.Println("## built-in functions")
+	fmt.Println()
+	printFunctions(jpfunctions.GetDefaultFunctions()...)
+	fmt.Println()
+	fmt.Println("## custom functions")
+	fmt.Println()
+	printFunctions(functions.GetFunctions()...)
+	fmt.Println()
+	fmt.Println("## kyverno functions")
+	fmt.Println()
+	printFunctions(kyvernofunctions.GetBareFunctions()...)
+	fmt.Println()
+}
+
+func printFunctions(funcs ...jpfunctions.FunctionEntry) {
+	fmt.Println("| Name | Signature |")
+	fmt.Println("|---|---|")
+	for _, function := range funcs {
+		fmt.Println("|", function.Name, "|", "`"+strings.ReplaceAll(functionString(function), "|", `\|`)+"`", "|")
+	}
+}
+
+func functionString(f jpfunctions.FunctionEntry) string {
+	if f.Name == "" {
+		return ""
+	}
+	var args []string
+	for _, a := range f.Arguments {
+		var aTypes []string
+		for _, t := range a.Types {
+			aTypes = append(aTypes, string(t))
+		}
+		args = append(args, strings.Join(aTypes, "|"))
+	}
+	output := fmt.Sprintf("%s(%s)", f.Name, strings.Join(args, ", "))
+	return output
+}