Nirmata Kube Controller

Nirmata Kube Controller is used to register the cluster with the Nirmata platform.

The following resources will be deployed to the target cluster.

Deployment

nirmata-kube-controller
# Deployment running the Nirmata kube controller in the `nirmata` namespace.
# The binary is started as /nirmata-kube-controller with the registration
# token and tunnel URL taken from the TOKEN and URL env vars declared below.
# It runs under the `nirmata` ServiceAccount, whose bindings are listed in the
# ClusterRoleBinding / RoleBinding sections of this page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nirmata-kube-controller
  namespace: nirmata
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nirmata-kube-controller
      nirmata.io/container.type: system
      app.kubernetes.io/name: nirmata
      app.kubernetes.io/instance: nirmata
  template:
    metadata:
      labels:
        app: nirmata-kube-controller
        nirmata.io/container.type: system
        app.kubernetes.io/name: nirmata
        app.kubernetes.io/instance: nirmata
    spec:
      containers:
        - args:
            # $(TOKEN) and $(URL) are substituted by the kubelet from the env
            # entries of this container, so the token ends up on the process
            # command line as well as in the env.
            - -token
            - $(TOKEN)
            - -url
            - $(URL)
            - -event-aggregation
          command:
            - /nirmata-kube-controller
          env:
            # NOTE(review): the registration token is a literal `value` in the
            # pod spec, i.e. readable by anyone allowed to get this Deployment
            # or its Pods. Sourcing it with valueFrom.secretKeyRef would keep
            # it out of the manifest. The same string is also used as
            # external_labels.clusterId in the otel-agent-config ConfigMap.
            - name: TOKEN
              value: 6fcee39e-44dc-43a6-9792-468b82fd5a24
            - name: URL
              value: wss://www.nirmata.io/tunnels
          # Image pinned by version tag only (no digest); pulled with the
          # nirmata-controller-registry-secret listed under imagePullSecrets.
          image: ghcr.io/nirmata/nirmata-kube-controller:v3.9.8
          imagePullPolicy: IfNotPresent
          # NOTE(review): both probes exec the controller binary itself with no
          # arguments; presumably it has a health-check mode when invoked this
          # way — confirm, otherwise each probe run starts a second controller.
          livenessProbe:
            exec:
              command:
                - /nirmata-kube-controller
          name: nirmata-kube-controller
          readinessProbe:
            exec:
              command:
                - /nirmata-kube-controller
          resources:
            limits:
              memory: 512Mi
            requests:
              memory: 200Mi
              cpu: 250m
          # Restricted-profile container hardening: no privilege escalation,
          # all capabilities dropped, read-only root FS, non-root, default seccomp.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      hostNetwork: false
      imagePullSecrets:
        - name: nirmata-controller-registry-secret
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: nirmata
      # Allows scheduling onto control-plane nodes carrying the legacy
      # node-role.kubernetes.io/master taint.
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
otel-agent
# Deployment running the OpenTelemetry metrics agent next to the controller.
# `replicas` is omitted, so Kubernetes applies its default of 1.
# The agent reads its collector config from the otel-agent-config ConfigMap
# (defined under ConfigMap on this page).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: otel-agent
  namespace: nirmata
  labels:
    app: opentelemetry
    component: otel-agent
    app.kubernetes.io/instance: nirmata
    app.kubernetes.io/name: nirmata
spec:
  selector:
    matchLabels:
      app: opentelemetry
      component: otel-agent
      app.kubernetes.io/instance: nirmata
      app.kubernetes.io/name: nirmata
  template:
    metadata:
      labels:
        app: opentelemetry
        component: otel-agent
        app.kubernetes.io/instance: nirmata
        app.kubernetes.io/name: nirmata
    spec:
      containers:
        - name: otel-agent
          # NOTE(review): same ghcr.io/nirmata registry as the controller image,
          # but this pod declares no imagePullSecrets; if the registry needs
          # credentials, add nirmata-controller-registry-secret here too.
          # Tag-only pin (no digest), same as the controller image.
          image: ghcr.io/nirmata/metrics-agent:0.38.3
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 200Mi
          # Same container hardening as the controller. Unlike the controller
          # pod, no pod-level securityContext is set here.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          # Both probes hit the collector's own metrics endpoint on 8888.
          livenessProbe:
            httpGet:
              path: /metrics
              port: 8888
              scheme: HTTP
          readinessProbe:
            httpGet:
              path: /metrics
              port: 8888
              scheme: HTTP
          # subPath mounts are not refreshed when the ConfigMap changes; a
          # config update therefore needs a pod restart to take effect.
          volumeMounts:
            - mountPath: /etc/otel/config.yaml
              name: data
              subPath: config.yaml
              readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data
          configMap:
            name: otel-agent-config

ServiceAccount

nirmata
# ServiceAccount used by the nirmata-kube-controller Deployment
# (serviceAccountName: nirmata). It is the subject of nirmata-cluster-admin-binding,
# nirmata:policyexception-manager and nirmata-admin-binding on this page, so its
# effective permissions are the union of those roles.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nirmata
  namespace: nirmata
# References the long-lived kubernetes.io/service-account-token Secret defined
# under Secret below. The pod itself does not mount that Secret; it gets the
# kubelet-projected token via serviceAccountName.
secrets:
  - name: nirmata-sa-secret
nirmata-controller
# ServiceAccount bound cluster-wide to the built-in `view` ClusterRole by
# nirmata-controller-binding. Neither Deployment on this page sets
# serviceAccountName to this account, so which workload uses it is not
# visible here — presumably an external client; confirm before relying on it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nirmata-controller
  namespace: nirmata

ConfigMap

nirmata-kube-controller-config
# Controller settings. The nirmata-kube-controller Deployment on this page
# neither mounts this ConfigMap nor references it via envFrom, so presumably
# the controller reads it through the API — confirm against the controller.
# Keys are PascalCase; list-valued settings appear both as one-entry-per-line
# block scalars and as comma-separated strings (FilterEvents), so the
# controller presumably accepts both forms.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nirmata-kube-controller-config
  namespace: nirmata
data:
  # Field path dropped from reported objects (presumably to reduce noise).
  IgnoreFields: metadata.managedFields
  # JSON-pointer style paths filtered out of patches, one per line.
  FilterPatches: |-
    /metadata/resourceVersion
    /metadata/generation
    /results/*/timestamp/*
  # Event pattern (Type.Reason.*) that is ignored entirely.
  IgnoreEvents: Normal.PolicyApplied.*
  # Resources the controller watches, as resource.version.group; the trailing
  # dot on events.v1. presumably denotes the core (empty) API group.
  WatchedResources: |-
    events.v1.
    policyreports.v1alpha2.wgpolicyk8s.io
    clusterpolicyreports.v1alpha2.wgpolicyk8s.io
    policies.v1.kyverno.io
    clusterpolicies.v1.kyverno.io
    policyexceptions.v2alpha1.kyverno.io
  # Event patterns that are filtered (comma-separated, same Type.Reason.* form).
  FilterEvents: Warning.PolicyViolation.*,Normal.PolicySkipped.*
otel-agent-config
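# OpenTelemetry collector configuration for the otel-agent Deployment, mounted
# at /etc/otel/config.yaml via subPath. It scrapes the Kyverno metrics Service
# every minute, keeps only the listed kyverno_* series and forwards them with
# Prometheus remote write to the Nirmata gateway over HTTPS.
#
# The value is a literal block scalar (|-) instead of the folded (>-) form:
# folding only preserves line breaks next to more-indented lines, so a later
# edit that puts two lines at the base indent would be silently joined into
# one. For the content as written both forms produce the same string.
# Do not add '#' lines inside the block scalar — they become ConfigMap data.
#
# NOTE(review): external_labels.clusterId is the same value as the TOKEN env
# var of the nirmata-kube-controller Deployment, so the registration token is
# also shipped as a metric label to the remote-write endpoint — confirm this
# is intended.
apiVersion: v1
kind: ConfigMap
metadata:
  name: otel-agent-config
  namespace: nirmata
data:
  config.yaml: |-
    receivers:
      prometheus:
        config:
          scrape_configs:
          - job_name: "kyverno"
            scrape_interval: 1m
            static_configs:
            - targets: ["kyverno-svc-metrics.kyverno.svc.cluster.local:8000"]
            metric_relabel_configs:
            - source_labels: [__name__]
              regex: "(kyverno_admission_review_duration_seconds.*|kyverno_policy_execution_duration_seconds.*|kyverno_policy_results_total|kyverno_policy_rule_info_total|kyverno_admission_requests_total|kyverno_controller_reconcile_total|kyverno_controller_requeue_total|kyverno_controller_drop_total)"
              action: keep
    exporters:
      prometheusremotewrite:
        endpoint: https://www.nirmata.io/host-gateway/metrics-receiver
        external_labels:
          clusterId: 6fcee39e-44dc-43a6-9792-468b82fd5a24
        remote_write_queue:
          queue_size: 2000
          num_consumers: 1
        timeout: 300s
    service:
      pipelines:
        metrics:
          receivers: [prometheus]
          exporters: [prometheusremotewrite]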

ClusterRole

nirmata:nirmata-privileged (Note: this ClusterRole is only needed for NDP.)
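# ClusterRole bound cluster-wide to the `nirmata` ServiceAccount by
# nirmata-cluster-admin-binding; per the heading it is only needed for NDP.
# Taken together the rules reach far beyond Kyverno objects: the "*"/"*" rule
# grants get/list/watch/update on every resource in every API group, the
# core rule grants full CRUD on secrets, clusterroles and clusterrolebindings,
# and the certificates.k8s.io rules allow approving CSRs for the
# kubernetes.io/legacy-unknown signer. Apply the binding only where NDP is in
# use and treat the `nirmata` account as highly privileged when auditing.
#
# Fix: the wgpolicyk8s.io rule listed `wgpolicyk8s.io/v1alpha1` and
# `wgpolicyk8s.io/v1alpha2` as apiGroups. RBAC apiGroups are group names
# without a version, so neither entry could ever match and the rule was a
# no-op; it now names the group once.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations: {}
  name: nirmata:nirmata-privileged
rules:
  # Full control over Kyverno, Kyverno operator and Nirmata security CRs.
  - apiGroups:
      - kyverno.io
      - operator.kyverno.io
      - security.nirmata.io
    nonResourceURLs: []
    resourceNames: []
    resources:
      - policies
      - clusterpolicies
      - reportchangerequests
      - clusterreportchangerequests
      - kyvernooperators/status
      - kyvernooperators
      - imagekeys
      - imagekeys/finalizers
      - imagekeys/status
      - admissionreports
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
      - policyexceptions
      - cleanuppolicies
      - clustercleanuppolicies
      - kyvernoes
      - kyvernoes/status
    verbs:
      - "*"
  # Non-resource URL rule; apiGroups must be empty for these.
  - apiGroups: []
    nonResourceURLs:
      - /metrics
    resourceNames: []
    resources: []
    verbs:
      - get
  # Token and access review creation, used for authn/authz delegation.
  - apiGroups:
      - "*"
    nonResourceURLs: []
    resourceNames: []
    resources:
      - tokenreviews
      - subjectaccessreviews
    verbs:
      - get
      - create
  # Policy reports (group name only — see the note at the top).
  - apiGroups:
      - wgpolicyk8s.io
    nonResourceURLs: []
    resourceNames: []
    resources:
      - policyreports
      - clusterpolicyreports
    verbs:
      - "*"
  # Policy / report resources in any API group, all standard verbs.
  - apiGroups:
      - "*"
    nonResourceURLs: []
    resourceNames: []
    resources:
      - policies
      - policies/status
      - clusterpolicies
      - clusterpolicies/status
      - policyreports
      - policyreports/status
      - clusterpolicyreports
      - clusterpolicyreports/status
      - generaterequests
      - generaterequests/status
      - reportchangerequests
      - reportchangerequests/status
      - clusterreportchangerequests
      - clusterreportchangerequests/status
      - updaterequests
      - updaterequests/status
      - admissionreports
      - clusteradmissionreports
      - backgroundscanreports
      - clusterbackgroundscanreports
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  # CRD lifecycle (install/upgrade/remove of the CRDs above).
  - apiGroups:
      - apiextensions.k8s.io
    nonResourceURLs: []
    resourceNames: []
    resources:
      - customresourcedefinitions
    verbs:
      - delete
      - create
      - get
      - list
      - patch
      - update
      - watch
  # Cluster-wide write access to core/RBAC/webhook/networking objects,
  # including secrets, clusterroles and clusterrolebindings.
  - apiGroups:
      - "*"
    nonResourceURLs: []
    resourceNames: []
    resources:
      - namespaces
      - networkpolicies
      - secrets
      - configmaps
      - resourcequotas
      - limitranges
      - deployments
      - services
      - serviceaccounts
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
      - events
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
      - certificatesigningrequests
      - certificatesigningrequests/approval
      - poddisruptionbudgets
      - ingresses
      - ingressclasses
    verbs:
      - create
      - update
      - delete
      - list
      - get
      - patch
      - watch
  # Read and update on every resource in every group.
  - apiGroups:
      - "*"
    nonResourceURLs: []
    resourceNames: []
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
      - update
  # CSR handling restricted by resourceNames to the legacy-unknown signer.
  - apiGroups:
      - certificates.k8s.io
    nonResourceURLs: []
    resourceNames:
      - kubernetes.io/legacy-unknown
    resources:
      - certificatesigningrequests
      - certificatesigningrequests/approval
      - certificatesigningrequests/status
    verbs:
      - create
      - delete
      - get
      - update
      - watch
  - apiGroups:
      - certificates.k8s.io
    nonResourceURLs: []
    resourceNames:
      - kubernetes.io/legacy-unknown
    resources:
      - signers
    verbs:
      - approve
  # Leader-election leases.
  - apiGroups:
      - coordination.k8s.io
    nonResourceURLs: []
    resourceNames: []
    resources:
      - leases
    verbs:
      - create
      - delete
      - get
      - patch
      - update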
nirmata:policyexception-manager
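# ClusterRole granting every verb on Kyverno policies, cluster policies and
# policy exceptions. A holder can change or exempt policy enforcement
# cluster-wide; the binding below grants it to the `nirmata` ServiceAccount
# and to kyverno-cleanup-controller in the kyverno namespace.
# Formatting normalised to the indented-sequence style and "*" quoting used by
# the other manifests on this page (the original used flush sequences and
# single quotes; the parsed result is identical).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nirmata:policyexception-manager
rules:
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - clusterpolicies
      - policyexceptions
    verbs:
      - "*"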

ClusterRoleBinding

nirmata-cluster-admin-binding (Note: this ClusterRoleBinding is only needed for NDP.)
# Binds nirmata:nirmata-privileged (not the built-in cluster-admin role, despite
# the name) cluster-wide to the `nirmata` ServiceAccount. Per the heading it is
# only needed for NDP; without it the account keeps only the
# policyexception-manager and namespace-scoped admin bindings below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nirmata-cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nirmata:nirmata-privileged
subjects:
  - kind: ServiceAccount
    name: nirmata
    namespace: nirmata
nirmata-controller-binding
# Grants the nirmata-controller ServiceAccount the built-in read-only `view`
# ClusterRole across all namespaces (`view` does not include secrets).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nirmata-controller-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: nirmata-controller
    namespace: nirmata
nirmata:policyexception-manager
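# Binds nirmata:policyexception-manager cluster-wide to the `nirmata`
# ServiceAccount and to Kyverno's cleanup controller. The second subject lives
# in the kyverno namespace and that ServiceAccount is not defined on this page.
# NOTE(review): when the NDP binding is applied, nirmata:nirmata-privileged
# already grants verb "*" on these kyverno.io resources to `nirmata`, so this
# binding mainly matters for kyverno-cleanup-controller.
# Trailing whitespace after the last `namespace:` value removed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nirmata:policyexception-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nirmata:policyexception-manager
subjects:
  - kind: ServiceAccount
    name: nirmata
    namespace: nirmata
  - kind: ServiceAccount
    name: kyverno-cleanup-controller
    namespace: kyverno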

RoleBinding

nirmata-admin-binding
# Grants the `nirmata` ServiceAccount the built-in `admin` ClusterRole, scoped
# to the nirmata namespace. Both Deployments, both ConfigMaps and the SA token
# Secret on this page live in that namespace, so the controller can modify its
# own workload, configuration and credentials there.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nirmata-admin-binding
  namespace: nirmata
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: nirmata
    namespace: nirmata

Secret

nirmata-sa-secret
# Long-lived API token for the `nirmata` ServiceAccount (the control plane
# populates the token from the annotation). The controller pod does not mount
# this Secret — it uses the projected token via serviceAccountName — so this
# token presumably exists for out-of-cluster access; it carries every
# permission bound to `nirmata` on this page and does not expire on its own,
# so confirm it is needed and where it is consumed.
apiVersion: v1
kind: Secret
metadata:
  name: nirmata-sa-secret
  namespace: nirmata
  annotations:
    kubernetes.io/service-account.name: nirmata
type: kubernetes.io/service-account-token