Nirmata Kube Controller
Nirmata Kube Controller is used to register the cluster with the Nirmata platform.
The following resources will be deployed to the target cluster.
Deployment
nirmata-kube-controller
apiVersion: apps/v1
kind: Deployment
metadata:
name: nirmata-kube-controller
namespace: nirmata
spec:
replicas: 1
selector:
matchLabels:
app: nirmata-kube-controller
nirmata.io/container.type: system
app.kubernetes.io/name: nirmata
app.kubernetes.io/instance: nirmata
template:
metadata:
labels:
app: nirmata-kube-controller
nirmata.io/container.type: system
app.kubernetes.io/name: nirmata
app.kubernetes.io/instance: nirmata
spec:
containers:
- args:
- -token
- $(TOKEN)
- -url
- $(URL)
- -event-aggregation
command:
- /nirmata-kube-controller
env:
- name: TOKEN
value: 6fcee39e-44dc-43a6-9792-468b82fd5a24
- name: URL
value: wss://www.nirmata.io/tunnels
image: ghcr.io/nirmata/nirmata-kube-controller:v3.9.8
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /nirmata-kube-controller
name: nirmata-kube-controller
readinessProbe:
exec:
command:
- /nirmata-kube-controller
resources:
limits:
memory: 512Mi
requests:
memory: 200Mi
cpu: 250m
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
hostNetwork: false
imagePullSecrets:
- name: nirmata-controller-registry-secret
securityContext:
seccompProfile:
type: RuntimeDefault
serviceAccountName: nirmata
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
otel-agent
apiVersion: apps/v1
kind: Deployment
metadata:
name: otel-agent
namespace: nirmata
labels:
app: opentelemetry
component: otel-agent
app.kubernetes.io/instance: nirmata
app.kubernetes.io/name: nirmata
spec:
selector:
matchLabels:
app: opentelemetry
component: otel-agent
app.kubernetes.io/instance: nirmata
app.kubernetes.io/name: nirmata
template:
metadata:
labels:
app: opentelemetry
component: otel-agent
app.kubernetes.io/instance: nirmata
app.kubernetes.io/name: nirmata
spec:
containers:
- name: otel-agent
image: ghcr.io/nirmata/metrics-agent:0.38.3
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 200Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
livenessProbe:
httpGet:
path: /metrics
port: 8888
scheme: HTTP
readinessProbe:
httpGet:
path: /metrics
port: 8888
scheme: HTTP
volumeMounts:
- mountPath: /etc/otel/config.yaml
name: data
subPath: config.yaml
readOnly: true
terminationGracePeriodSeconds: 30
volumes:
- name: data
configMap:
name: otel-agent-config
ServiceAccount
nirmata
apiVersion: v1
kind: ServiceAccount
metadata:
name: nirmata
namespace: nirmata
secrets:
- name: nirmata-sa-secret
nirmata-controller
apiVersion: v1
kind: ServiceAccount
metadata:
name: nirmata-controller
namespace: nirmata
ConfigMap
nirmata-kube-controller-config
apiVersion: v1
kind: ConfigMap
metadata:
name: nirmata-kube-controller-config
namespace: nirmata
data:
IgnoreFields: metadata.managedFields
FilterPatches: |-
/metadata/resourceVersion
/metadata/generation
/results/*/timestamp/*
IgnoreEvents: Normal.PolicyApplied.*
WatchedResources: |-
events.v1.
policyreports.v1alpha2.wgpolicyk8s.io
clusterpolicyreports.v1alpha2.wgpolicyk8s.io
policies.v1.kyverno.io
clusterpolicies.v1.kyverno.io
policyexceptions.v2alpha1.kyverno.io
FilterEvents: Warning.PolicyViolation.*,Normal.PolicySkipped.*
otel-agent-config
apiVersion: v1
kind: ConfigMap
metadata:
name: otel-agent-config
namespace: nirmata
data:
config.yaml: >-
receivers:
prometheus:
config:
scrape_configs:
- job_name: "kyverno"
scrape_interval: 1m
static_configs:
- targets: ["kyverno-svc-metrics.kyverno.svc.cluster.local:8000"]
metric_relabel_configs:
- source_labels: [__name__]
regex: "(kyverno_admission_review_duration_seconds.*|kyverno_policy_execution_duration_seconds.*|kyverno_policy_results_total|kyverno_policy_rule_info_total|kyverno_admission_requests_total|kyverno_controller_reconcile_total|kyverno_controller_requeue_total|kyverno_controller_drop_total)"
action: keep
exporters:
prometheusremotewrite:
endpoint: https://www.nirmata.io/host-gateway/metrics-receiver
external_labels:
clusterId: 6fcee39e-44dc-43a6-9792-468b82fd5a24
remote_write_queue:
queue_size: 2000
num_consumers: 1
timeout: 300s
service:
pipelines:
metrics:
receivers: [prometheus]
exporters: [prometheusremotewrite]
ClusterRole
nirmata:nirmata-privileged
Note: This ClusterRole is only needed for NDPapiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations: {}
name: nirmata:nirmata-privileged
rules:
- apiGroups:
- kyverno.io
- operator.kyverno.io
- security.nirmata.io
nonResourceURLs: []
resourceNames: []
resources:
- policies
- clusterpolicies
- reportchangerequests
- clusterreportchangerequests
- kyvernooperators/status
- kyvernooperators
- imagekeys
- imagekeys/finalizers
- imagekeys/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- policyexceptions
- cleanuppolicies
- clustercleanuppolicies
- kyvernoes
- kyvernoes/status
verbs:
- "*"
- apiGroups: []
nonResourceURLs:
- /metrics
resourceNames: []
resources: []
verbs:
- get
- apiGroups:
- "*"
nonResourceURLs: []
resourceNames: []
resources:
- tokenreviews
- subjectaccessreviews
verbs:
- get
- create
- apiGroups:
- wgpolicyk8s.io/v1alpha1
- wgpolicyk8s.io/v1alpha2
nonResourceURLs: []
resourceNames: []
resources:
- policyreports
- clusterpolicyreports
verbs:
- "*"
- apiGroups:
- "*"
nonResourceURLs: []
resourceNames: []
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
- generaterequests
- generaterequests/status
- reportchangerequests
- reportchangerequests/status
- clusterreportchangerequests
- clusterreportchangerequests/status
- updaterequests
- updaterequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- apiextensions.k8s.io
nonResourceURLs: []
resourceNames: []
resources:
- customresourcedefinitions
verbs:
- delete
- create
- get
- list
- patch
- update
- watch
- apiGroups:
- "*"
nonResourceURLs: []
resourceNames: []
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
- deployments
- services
- serviceaccounts
- roles
- rolebindings
- clusterroles
- clusterrolebindings
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
- poddisruptionbudgets
- ingresses
- ingressclasses
verbs:
- create
- update
- delete
- list
- get
- patch
- watch
- apiGroups:
- "*"
nonResourceURLs: []
resourceNames: []
resources:
- "*"
verbs:
- get
- list
- watch
- update
- apiGroups:
- certificates.k8s.io
nonResourceURLs: []
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
nonResourceURLs: []
resourceNames:
- kubernetes.io/legacy-unknown
resources:
- signers
verbs:
- approve
- apiGroups:
- coordination.k8s.io
nonResourceURLs: []
resourceNames: []
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
nirmata:policyexception-manager
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nirmata:policyexception-manager
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
- policyexceptions
verbs:
- '*'
ClusterRoleBindings
nirmata-cluster-admin-binding
Note: This ClusterRoleBinding is only needed for NDPapiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nirmata-cluster-admin-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nirmata:nirmata-privileged
subjects:
- kind: ServiceAccount
name: nirmata
namespace: nirmata
nirmata-controller-binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nirmata-controller-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: nirmata-controller
namespace: nirmata
nirmata:policyexception-manager
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nirmata:policyexception-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nirmata:policyexception-manager
subjects:
- kind: ServiceAccount
name: nirmata
namespace: nirmata
- kind: ServiceAccount
name: kyverno-cleanup-controller
namespace: kyverno
RoleBinding
nirmata-admin-binding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nirmata-admin-binding
namespace: nirmata
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: admin
subjects:
- kind: ServiceAccount
name: nirmata
namespace: nirmata
Secret
nirmata-sa-secret
apiVersion: v1
kind: Secret
metadata:
name: nirmata-sa-secret
namespace: nirmata
annotations:
kubernetes.io/service-account.name: nirmata
type: kubernetes.io/service-account-token