diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 8307b49..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Update the base image in Makefile when updating golang version. This has to
-# be pre-pulled in order to work on GCB.
-ARG ARCH
-FROM golang:1.21.5 as build
-
-WORKDIR /
-COPY . ./
-# RUN go mod download
-
-# COPY pkg pkg
-# COPY cmd cmd
-# COPY Makefile Makefile
-
-# ARG ARCH
-# ARG GIT_COMMIT
-# ARG GIT_TAG
-RUN GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o policy-reports ./main.go
-
-FROM gcr.io/distroless/static:nonroot
-WORKDIR /
-COPY --from=build policy-reports policy-reports
-USER 65534
-ENTRYPOINT ["/policy-reports"]
diff --git a/manifests/base/database.yaml b/manifests/base/database.yaml
deleted file mode 100644
index c302640..0000000
--- a/manifests/base/database.yaml
+++ /dev/null
@@ -1,89 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: reportsdb-pv
-spec:
- capacity:
- storage: 10Gi
- accessModes:
- - ReadWriteOnce
- persistentVolumeReclaimPolicy: Retain
- gcePersistentDisk:
- pdName: reportsdb-disk
- fsType: ext4
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: reportsdb-pvc
- namespace: kyverno
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Gi
- storageClassName: ""
- volumeName: reportsdb-pv
----
-apiVersion: v1
-kind: Service
-metadata:
- name: reportsdb
- namespace: kyverno
- labels:
- app: reportsdb
-spec:
- selector:
- app: reportsdb
- ports:
- - port: 5432
- # clusterIP: None
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
- name: reportsdb
- namespace: kyverno
-spec:
- serviceName: reportsdb
- replicas: 1
- selector:
- matchLabels:
- app: reportsdb
- template:
- metadata:
- labels:
- app: reportsdb
- spec:
- containers:
- - name: reportsdb
- image: postgres:13
- env:
- - name: POSTGRES_USER
- value: postgres
- - name: POSTGRES_PASSWORD
- value: password
- - name: POSTGRES_DB
- value: reportsdb
- # valueFrom:
- # secretKeyRef:
- # name: postgres-secret
- # key: password
- - name: PGDATA
- value: /var/lib/postgresql/data/pgdata
- ports:
- - containerPort: 5432
- name: reportsdb
- volumeMounts:
- - name: reportsdb-pv-claim
- mountPath: /var/lib/postgresql/data
- volumeClaimTemplates:
- - metadata:
- name: reportsdb-pv-claim
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 10Gi
diff --git a/manifests/base/server.yaml b/manifests/base/server.yaml
deleted file mode 100644
index 48b1a55..0000000
--- a/manifests/base/server.yaml
+++ /dev/null
@@ -1,158 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- labels:
- k8s-app: policy-reports
- name: policy-reports
- namespace: kyverno
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- k8s-app: policy-reports
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
- rbac.authorization.k8s.io/aggregate-to-view: "true"
- name: system:aggregated-policy-reader
-rules:
-- apiGroups:
- - wgpolicyk8s.io
- resources:
- - policyreports
- - clusterpolicyreports
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- k8s-app: policy-reports
- name: policy-reports-auth-reader
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: extension-apiserver-authentication-reader
-subjects:
-- kind: ServiceAccount
- name: policy-reports
- namespace: kyverno
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- k8s-app: policy-reports
- name: policy-reports:system:auth-delegator
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
- name: policy-reports
- namespace: kyverno
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- k8s-app: policy-reports
- name: policy-reports
- namespace: kyverno
-spec:
- ports:
- - name: https
- port: 443
- protocol: TCP
- targetPort: https
- selector:
- k8s-app: policy-reports
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- k8s-app: policy-reports
- name: policy-reports
- namespace: kyverno
-spec:
- selector:
- matchLabels:
- k8s-app: policy-reports
- strategy:
- rollingUpdate:
- maxUnavailable: 0
- template:
- metadata:
- labels:
- k8s-app: policy-reports
- spec:
- containers:
- - args:
- # - --debug # to use inmemorydatabase
- - --dbhost=reportsdb.kyverno
- - --cert-dir=/tmp
- - --secure-port=4443
- image: ghcr.io/vishal-chdhry/policy-server:demo
- imagePullPolicy: Always
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /livez
- port: https
- scheme: HTTPS
- periodSeconds: 10
- name: policy-reports
- ports:
- - containerPort: 4443
- name: https
- protocol: TCP
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /readyz
- port: https
- scheme: HTTPS
- initialDelaySeconds: 20
- periodSeconds: 10
- resources:
- requests:
- cpu: 100m
- memory: 200Mi
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
- volumeMounts:
- - mountPath: /tmp
- name: tmp-dir
- nodeSelector:
- kubernetes.io/os: linux
- priorityClassName: system-cluster-critical
- serviceAccountName: policy-reports
- volumes:
- - emptyDir: {}
- name: tmp-dir
----
-apiVersion: apiregistration.k8s.io/v1
-kind: APIService
-metadata:
- labels:
- k8s-app: policy-reports
- kube-aggregator.kubernetes.io/automanaged: "false"
- name: v1alpha2.wgpolicyk8s.io
-spec:
- group: wgpolicyk8s.io
- groupPriorityMinimum: 100
- insecureSkipTLSVerify: true
- service:
- name: policy-reports
- namespace: kyverno
- version: v1alpha2
- versionPriority: 100