Add README.md and some changes in manifests

Signed-off-by: Sanskarzz <[email protected]>
kyverno · Apr 22, 2024 · da53d26 · da53d26
1 parent 6c5437b
commit da53d26
Show file tree

Hide file tree

Showing 10 changed files with 272 additions and 28 deletions.
diff --git a/sidecar-injector/README.md b/sidecar-injector/README.md
@@ -0,0 +1,202 @@
+# Kyverno Envoy Sidecar Injector 
+
+Uses [MutatingAdmissionWebhook Controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook) in Kubernetes to inject kyverno-envoy-plugin sidecar into newly created pods. This injection occurs at pod creation time, targeting pods that have the label `kyverno-envoy-sidecar/injection=enabled`. By introducing this sidecar, we can enforce policies on all incoming HTTP requests and make external authorization decisions to the targeted pod without modifying the primary application code/containers.
+
+
+## Prerequisites
+
+Kubernetes 1.16.0 or above with the `admissionregistration.k8s.io/v1` API enabled.
+Verify that by the following command:
+```bash
+ ~$ kubectl api-versions | grep admissionregistration.k8s.io/v1
+```
+The result should be:
+```bash
+admissionregistration.k8s.io/v1
+```
+## Installation  
+
+#### Dedicated Namespace
+
+Create a namespace `kyverno-envoy-sidecar-injector`, where you will deploy the Kyverno Envoy Sidecar Injector Webhook components.
+
+```bash
+ ~$ kubectl create namespace kyverno-envoy-sidecar-injector
+```
+
+#### Deploy Sidecar Injector
+
+1. Create a signed cert/key pair and store it in a Kubernetes `secret` that will be consumed by sidecar injector deployment 
+
+    Generate cert/key pair with openssl 
+    ```bash
+     ~$ openssl req -new -x509  \
+        -subj "/CN=kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc" \
+        -addext "subjectAltName = DNS:kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc" \
+        -nodes -newkey rsa:4096 -keyout tls.key -out tls.crt 
+    ```
+    Now apply below command to create `secret`  
+    ```bash
+     ~$ kubectl create secret generic kyverno-envoy-sidecar-certs \
+        --from-file tls.crt=tls.crt \
+        --from-file tls.key=tls.key \
+        --dry-run=client -n kyverno-envoy-sidecar-injector -oyaml > secret.yaml 
+    ```  
+    Apply the secret
+    ```bash
+    ~$ kubectl apply -f secret.yaml
+    ```
+
+2. Run the script to Patch the `Mutating Webhook Configuration` with the CA bundle extracted from the `secret` created in the previous step and apply the MutatingWebhookConfiguration changes: 
+
+```bash
+ ~$ ./manifests/create-mutating-webhook.sh
+```
+3. To Inject the Kyverno Envoy Sidecar, Create this configmap of name `kyverno-envoy-sidecar` in `kyverno-envoy--sidecar-injector` namespace. If their is requirement of multiple policy files, you can add more `--policy` flags and then add them in the `policy-files` configmap.
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
+data:
+  sidecars.yaml: |
+    - name: kyverno-envoy-sidecar
+      containers:
+      - image: sanskardevops/plugin:0.0.25
+        imagePullPolicy: IfNotPresent
+        name: ext-authz
+        ports:
+        - containerPort: 8000
+        - containerPort: 9000
+        args:
+        - "serve"
+        - "--policy=/policies/policy.yaml"
+        volumeMounts:
+        - name: policy-files
+          mountPath: /policies
+      volumes:
+      - name: policy-files
+        configMap:
+          name: policy-files      
+EOF          
+```
+
+4. Deploy resources
+```bash
+ ~$ kubectl apply -f ./manifests/rbac.yaml
+ ~$ kubectl apply -f ./manifests/deployment.yaml
+ ~$ kubectl apply -f ./manifests/service.yaml
+```
+
+#### Verify Sidecar Injector Installation
+
+1. The sidecar injector should be deployed in the `kyverno-envoy-sidecar-injector` namespace:
+
+```bash
+ ~$ kubectl -n kyverno-envoy-sidecar-injector get all
+```
+```bash
+~$ kubectl -n  kyverno-envoy-sidecar-injector get all 
+NAME                                        READY   STATUS    RESTARTS   AGE
+pod/kyverno-envoy-sidecar-976c94445-2l66q   1/1     Running   0          46s
+
+NAME                            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
+service/kyverno-envoy-sidecar   ClusterIP   10.96.137.93   <none>        443/TCP   3m11s
+
+NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
+deployment.apps/kyverno-envoy-sidecar   1/1     1            1           46s
+
+NAME                                              DESIRED   CURRENT   READY   AGE
+replicaset.apps/kyverno-envoy-sidecar-976c94445   1         1         1       46s
+
+```
+2. Now create a pod with the label `kyverno-envoy-sidecar/injection=enabled` in any namespace other than `kyverno-envoy-sidecar-injector`. But before we have to apply configmap `policy-files` in the same namespace where we will create the pod.
+```bash
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-files
+  namespace: default
+data:
+  policy.yaml: |
+    apiVersion: json.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    metadata:
+      name: check-dockerfile
+    spec:
+      rules:
+        - name: deny-external-calls
+          assert:
+            all:
+            - message: "HTTP calls are not allowed"
+              check:
+                request:
+                    http:
+                        method: GET
+                        headers:
+                            authorization:
+                                (base64_decode(split(@, ' ')[1])): 
+                                    (split(@, ':')[0]): alice
+                        path: /foo    
+EOF          
+```
+
+Now create a pod with the label `kyverno-envoy-sidecar/injection=enabled` in the default namespace:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: default
+  labels:
+    app.kubernetes.io/name: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nginx
+  template:
+    metadata:
+      labels:
+        kyverno-envoy-sidecar/injection: enabled
+        app.kubernetes.io/name: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.20.2
+          ports:
+            - containerPort: 80
+```
+
+Apply the following command to creat above example deployment:
+```bash
+kubectl apply -f ./example-manifest/exampledeploy.yaml
+```
+
+Now check the pods, you should see the Kyverno Envoy Sidecar injected:
+
+```bash
+ ~$ kubectl get pods 
+```
+
+Two pods are runing
+```console 
+~$ kubectl get pods 
+NAME                     READY   STATUS    RESTARTS   AGE
+nginx-77b746455b-xntjn   2/2     Running   0          3m46s
+```
+
+3. Check the logs of the Kyverno-envoy-sidecar container to verify the sidecar is running:
+
+```bash
+sanskar@sanskar-HP-Laptop-15s-du1xxx:~$ kubectl logs -n kyverno-envoy-sidecar-injector kyverno-envoy-sidecar-976c94445-nf777 -f 
+time="2024-04-20T13:59:10Z" level=info msg="SimpleServer starting to listen in port 8443"
+time="2024-04-20T14:03:32Z" level=info msg="AdmissionReview for Kind=/v1, Kind=Pod, Namespace=default Name= UID=a57c5c0b-96c0-4c9c-b903-6aa75f635c17 patchOperation=CREATE UserInfo={system:serviceaccount:kube-system:replicaset-controller 9e6576d2-f5c3-4b44-9b9d-952a20b70da7 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]}"
+time="2024-04-20T14:03:32Z" level=info msg="sideCar injection for kyverno-envoy-sidecar-injector/nginx-77b746455b-: sidecars: kyverno-envoy-sidecar"
+
+```
diff --git a/sidecar-injector/manifests/create-mutating-webhook.sh b/sidecar-injector/manifests/create-mutating-webhook.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Get the base64 encoded tls.crt data
+CA_BUNDLE=$(kubectl get secret kyverno-envoy-sidecar-certs -n kyverno-envoy-sidecar-injector -o jsonpath='{.data.tls\.crt}')
+
+# Create the mutatingwebhook.yaml file
+cat <<EOF > mutatingwebhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: kyverno-envoy-sidecar
+  labels:
+    app.kubernetes.io/name: sidecar-injector
+    app.kubernetes.io/instance: sidecar-injector
+webhooks:
+  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
+    clientConfig:
+      service:
+        name: kyverno-envoy-sidecar
+        namespace: kyverno-envoy-sidecar-injector
+        path: "/mutate"
+      caBundle: $CA_BUNDLE
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - pods
+        apiVersions:
+          - "v1"
+        operations:
+          - CREATE
+        scope: '*'  
+    objectSelector:
+      matchExpressions:
+        - key: kyverno-envoy-sidecar/injection
+          operator: In
+          values:
+          - enabled
+EOF
+
+# Apply the mutatingwebhook.yaml file
+kubectl apply -f mutatingwebhook.yaml
diff --git a/sidecar-injector/manifests/deployment.yaml b/sidecar-injector/manifests/deployment.yaml
@@ -1,8 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: kubernetes-sidecar-injector
-  namespace: sidecar-injector
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
   labels:
     app.kubernetes.io/name: sidecar-injector
     app.kubernetes.io/instance: sidecar-injector
@@ -18,20 +18,18 @@ spec:
         app.kubernetes.io/name: sidecar-injector
         app.kubernetes.io/instance: sidecar-injector
     spec:
-      serviceAccountName: kubernetes-sidecar-injector
+      serviceAccountName: kyverno-envoy-sidecar
       containers:
-        - name: sidecar-injector
-          image: "sanskardevops/sidecar-injector:0.0.4"
+        - name: kyverno-envoy-sidecar
+          image: "sanskardevops/sidecar-injector:0.0.6"
           imagePullPolicy: IfNotPresent
           args:
             - --port=8443
             - --certFile=/opt/kubernetes-sidecar-injector/certs/tls.crt
             - --keyFile=/opt/kubernetes-sidecar-injector/certs/tls.key
-            - --injectPrefix=kyverno-envoy-sidecar
-            - --injectName=inject
             - --sidecarDataKey=sidecars.yaml
           volumeMounts:
-            - name: kubernetes-sidecar-injector-certs
+            - name: kyverno-envoy-sidecar-certs
               mountPath: /opt/kubernetes-sidecar-injector/certs
               readOnly: true
           ports:
@@ -59,7 +57,7 @@ spec:
             failureThreshold: 5
             timeoutSeconds: 4
       volumes:
-        - name: kubernetes-sidecar-injector-certs
+        - name: kyverno-envoy-sidecar-certs
           secret:
-            secretName: kubernetes-sidecar-injector-certs
+            secretName: kyverno-envoy-sidecar-certs
 
diff --git a/sidecar-injector/manifests/mutatingwebhook.yaml b/sidecar-injector/manifests/mutatingwebhook.yaml
@@ -2,16 +2,16 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: kubernetes-sidecar-injector
+  name: kyverno-envoy-sidecar
   labels:
     app.kubernetes.io/name: sidecar-injector
     app.kubernetes.io/instance: sidecar-injector
 webhooks:
-  - name: kyverno-envoy-sidecar.sidecar-injector.svc
+  - name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc
     clientConfig:
       service:
-        name: kubernetes-sidecar-injector
-        namespace: sidecar-injector
+        name: kyverno-envoy-sidecar
+        namespace: kyverno-envoy-sidecar-injector
         path: "/mutate"
       caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZsakNDQTM2Z0F3SUJBZ0lVVFNGS2k0NDlzYWNmUXF4UTVnWFhBanU5SjA0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd096RTVNRGNHQTFVRUF3d3dhM1ZpWlhKdVpYUmxjeTF6YVdSbFkyRnlMV2x1YW1WamRHOXlMbk5wWkdWagpZWEl0YVc1cVpXTjBiM0l1YzNaak1CNFhEVEkwTURReE5qRXhNVFl3TlZvWERUSTFNRFF4TmpFeE1UWXdOVm93Ck96RTVNRGNHQTFVRUF3d3dhM1ZpWlhKdVpYUmxjeTF6YVdSbFkyRnlMV2x1YW1WamRHOXlMbk5wWkdWallYSXQKYVc1cVpXTjBiM0l1YzNaak1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBdFNSeApXMWpGbWJrTW1GOWZzK05yREY3NUFBQzY2aDg3UGRnOGpKaDEwWjRGRDlVallDVUhqL1RuVVg4d3V3cVVoWTVmCjUyTU1sV1AxMi9FWkNQc2lKL3VGMjA1aWRsa3k1UWkvNzBtVzZUUEpMTkFhcHpxa2pSZDBGbklXUllKOXJ1cS8KZDdEOHYwaHJtaUJZUHhaR0VEVEhWWDBGMWFwRTBncEZtRE1vU200ZjRYZEdTazNuc3N3YWptSTBJYk1aaURpRwpKcmVQOXFSMDIwU0VxUEpNQng0ZUdQSVFEVmtiMlgwanV3ZXljbFhHUWduWWFhRFhZd0czWUNqcmRXWUtYcEF5CkJmNUpLNlZaNkNVWVluWmpSd1U5c2xSS0xGRDhiNlpiUXIzQmR0UmpRRDBheG5aZ0wwa0xKamsvSVBsQk55eEwKclZwRG83VWpCY1FrVVgvZ1k3UjBreFRIcG9GUVZzOXlHY3M2Wi9NeE4wNUIrSGlEYzVGcjBhUEU0Vm9XR3E5TwptaEFSYmZuNDRqcm92b0tVTThXOGR4NjFyeFR3cklLejdKVW1BOGdKRFFIL2hVTjFJMlEyQ0ZXNXpHYUNHdVBBCjBuSHJzMzF2Q0N4dTBybTM2N3Bnd3RIbDhLWEE1aW9hN1Zia1NpZkZ3MDVCaitrOHFPSkNDSFd4ZG5IVVNhSUoKU2RWaW5LaXBUOS9INmdNRHg4dUxNRnhTM2txVm9Oa1hxMlVTOTFjN3B2Rk9Qdi9HQzBrTWNmSkN3SVdoK3JJdAp2VDhjc1BOaXVWWGdEOXg2QjhKSUErSi9XOUV1L2VuWU8xdzhoVnc5cXVhUVdEMi9MYkdNd01LQWlyUUlBSkRaCjk4Y1pFaVFUcnpTTGdxTDhzQWR2eTRsNG5MUUdQN2lEWUVmZGxLa0NBd0VBQWFPQmtUQ0JqakFkQmdOVkhRNEUKRmdRVUN3NUdQOVlVMC9xZ3pEejFmcDh0alhFdXhBb3dId1lEVlIwakJCZ3dGb0FVQ3c1R1A5WVUwL3FnekR6MQpmcDh0alhFdXhBb3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QTdCZ05WSFJFRU5EQXlnakJyZFdKbGNtNWxkR1Z6CkxYTnBaR1ZqWVhJdGFXNXFaV04wYjNJdWMybGtaV05oY2kxcGJtcGxZM1J2Y2k1emRtTXdEUVlKS29aSWh2Y04KQVFFTEJRQURnZ0lCQUowTDFmc2tGVHRWenBXZWlBaXNxWVFzTmxMWUhkczNyNGVkRzhiS0w3bWZtYm5pZllmOQpjblphYWxVaWRrazU3VFpVMFYrdlc5M2RONGZ3cXZ3a1IzL240V2dpbEZRR3RmekI2WURoZnRBNlRlZUI3Y3lRCmZnSmVCakRPYndIMzNHVDlmWDlVZFNaSTJ1dVJRRGZ5RW1mWEd3aHVSajJpdS9XQ3MxT2cvb01WUy9XM1VCb2EKSis4YXVQWUViSTRrcmtBUkJvOEJ2SGxKeGxjdWRnTjg1bWFMMWc4OWU5U0s1WVM2Ymswa3lKa1J1ZFNNZ2ZvbgpoRkJHcjR1emJrSmpWYmZzVUxiWGZEOTB3ZXpIekQ4NG5OTVhWTExrSU9YMm9SSFZaKzI4V0I5TzVKeWxOUWllCjk0UWJVWTFnMkpPYzZodUNYS0h1KzdqQlRRTzdHYWZTbFBHcTBreUl4eDh6bXd5T1h2M3M2OVZJQkNqbVcwSnQKTlZqYTNDVzViS1FmbU90ODRoOFJuVmJtVmN6b3RZcWVJOGNBVlJCL0V1NzM2UkZzeGNSL3JFeEdyZ3BIZG9IeApQNUF4bTBJTlVBQnVrZjlJbStLSXFOOUxKRzF5M3hocGxWNzAySmxKWElFcDFOeGoyMGlWaDZlZ3FsNksvTE5pCjc4VkdxdFBwM1FqVUtIMkRicExsRnluTGdoNm8zM1NHWjRlNWtXbXB4djdyUncrblJhZEo0ekRoa0hkWjZ1ZjIKMFoyTG9ZVmpMdExRTEljclRxcENVODRSUDg5WjN4cFF1N3lHQlptVVc2OURIUFVmcm9LZ25UUTZyODJYY21IUQpKTkV2TS93VXlpdUhsY1Erb2pCZ2ZSd2MzRjNkblZ6VHZ4N1drKzVaMkdFbVk4NEp6SE9TQmIvdAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
     failurePolicy: Fail

diff --git a/sidecar-injector/manifests/rbac.yaml b/sidecar-injector/manifests/rbac.yaml
@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kubernetes-sidecar-injector
-  namespace: sidecar-injector
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
   labels:
     app.kubernetes.io/name: sidecar-injector
     app.kubernetes.io/instance: sidecar-injector
@@ -12,7 +12,7 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: kubernetes-sidecar-injector
+  name: kyverno-envoy-sidecar
   labels:
     app.kubernetes.io/name: sidecar-injector
     app.kubernetes.io/instance: sidecar-injector
@@ -28,16 +28,16 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kubernetes-sidecar-injector
+  name: kyverno-envoy-sidecar
   labels:
     app.kubernetes.io/name: sidecar-injector
     app.kubernetes.io/instance: sidecar-injector
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: sidecar-injector
+  name: kyverno-envoy-sidecar
 subjects:
   - kind: ServiceAccount
-    name: kubernetes-sidecar-injector
-    namespace: sidecar-injector
+    name: kyverno-envoy-sidecar
+    namespace: kyverno-envoy-sidecar-injector
 ---
diff --git a/sidecar-injector/manifests/secret.yaml b/sidecar-injector/manifests/secret.yaml
@@ -4,8 +4,8 @@ data:
   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRQzFKSEZiV01XWnVReVkKWDErejQyc01YdmtBQUxycUh6czkyRHlNbUhYUm5nVVAxU05nSlFlUDlPZFJmekM3Q3BTRmpsL25Zd3lWWS9YYgo4UmtJK3lJbis0WGJUbUoyV1RMbENML3ZTWmJwTThrczBCcW5PcVNORjNRV2NoWkZnbjJ1NnI5M3NQeS9TR3VhCklGZy9Ga1lRTk1kVmZRWFZxa1RTQ2tXWU15aEtiaC9oZDBaS1RlZXl6QnFPWWpRaHN4bUlPSVltdDQvMnBIVGIKUklTbzhrd0hIaDRZOGhBTldSdlpmU083QjdKeVZjWkNDZGhwb05kakFiZGdLT3QxWmdwZWtESUYva2tycFZubwpKUmhpZG1OSEJUMnlWRW9zVVB4dnBsdEN2Y0YyMUdOQVBSckdkbUF2U1FzbU9UOGcrVUUzTEV1dFdrT2p0U01GCnhDUlJmK0JqdEhTVEZNZW1nVkJXejNJWnl6cG44ekUzVGtINGVJTnprV3ZSbzhUaFdoWWFyMDZhRUJGdCtmamkKT3VpK2dwUXp4YngzSHJXdkZQQ3NnclBzbFNZRHlBa05BZitGUTNValpEWUlWYm5NWm9JYTQ4RFNjZXV6Zlc4SQpMRzdTdWJmcnVtREMwZVh3cGNEbUtocnRWdVJLSjhYRFRrR1A2VHlvNGtJSWRiRjJjZFJKb2dsSjFXS2NxS2xQCjM4ZnFBd1BIeTRzd1hGTGVTcFdnMlJlclpSTDNWenVtOFU0Ky84WUxTUXh4OGtMQWhhSDZzaTI5UHh5dzgySzUKVmVBUDNIb0h3a2dENG45YjBTNzk2ZGc3WER5RlhEMnE1cEJZUGI4dHNZekF3b0NLdEFnQWtObjN4eGtTSkJPdgpOSXVDb3Z5d0IyL0xpWGljdEFZL3VJTmdSOTJVcVFJREFRQUJBb0lDQUFoYWNxaWxZV3lLSS8zbzJKbWVBVDZ2CmNhallscUYyMzZyY2cwZ0VQTGFzLytibXB4ZkNsb2t3Y3FzK1gyQnJCN05ZdHRGV25LRzZ0eVFqVU1wemN1SGEKdENYbXpoemhNZ1Fra1JUQWVjdmtrSW1nYmt0ZUUweGs3dng0a1dMSnBEbjQrWDRkVC9USllheFlneEp0SWIyUwozaFBOZzh5NUlRaFZMRGUyZ29NM0NDWU5HRU1UWGpTOU80YlpQbHFnV0QxdXRDWXFOaXUxcE1rTk5ud00zOUkrCnh4Z2NIWkUrM3ZIV0lBQjZvUWdaTHFna2lJUDVWc1ZxSUZqdThRREZUbDcza2NPTi9YNktSTHRYeWdPNkdjS2kKdnJ5djQvZ01OWGJLREtMbkVJeUdPZExwZWVObngxNHBKVjc2UEd1SVdlaFdncXFjeDhvcTczWXFycitBMHplaAozcXdEUEZrYUpkYTBnazFaaXRxOTBzVWtKcmFwMUY4VWhmU01lcjJGeVptaWF6cy9ZdisxRDZxWi9sOTcyZXRZCktISmJhTmREb1FSVUthSk1JNEN5dmVhVEJlSWkvU3RmUmdlUFhGMnF0U0huNHJjL1kzdkkrVFBvYUVYeGtBMysKS0JXWUw4Z1hzbUxBdjkyclZPSTdQa1VyL1pZZVZLNE05RmlLWVErdlhaaHh5RHNwenVrbkI1aXRGeUJuOW54YQozaU44R0hWL3c3bWEwTFJBL1p1UFAwclRmRDNITVhJSFBtckhYL3MwUmZnbHpkek9xVzZGYTdaWnRVS1ZsalI1CnRxNDI3d0dNNVF6Q2NnU3JMai8rVnNIMG5DK0k3bUk4OGpDUUlvSmxSem9Ea1NNZDMvaTFXemF6cW9EY3VrYmoKMlV3ZjBVc3k5SnFpaDRZdVJIS0RBb0lCQVFEQTV6MmtTejVPNmhHR1g2N1lsR3Y4SDl0a1A3VFNFV2MvNEEydwpNZVRGSDczWnJBZ0tDRERRdFMyQ2QxZDZGR1JOdzJnMllxSGRyRUl4dE4wMGRPN0hXeWxPa2d1cVo2V0VPNEcwCng4NmtieUVndFF0NytsaHFvU29iZHg5Z1FndEJsL0ZHM1N3WGNSY0I3VTVoMEtEdWpBdzVNZjNoZmNxQmdGSGwKM3BzMFlxdngrL25RQm1RTDdIODVwamxBRTU1WXg4NWVFR3orUU0vRXZoMHk5NkFqWVVudy8wNXBlOGZRWk5LbwpLdjlmalA1L0F5Q1NWV2lnRVRDUWpDbVQ4b2lqYWVzTEIxMGpjRUVaRlFIdE1hZ0liZ1pCaEVjaWd6NTI1WGVpCjZnUytpbWlZTmVKMlFjTGFUK2hiUjRlUGt3REJOV3Y2dXRIZFNuRS9ET0RKMUE2TEFvSUJBUUR3WkdhQTNzaGUKY0loVXhFNTJwVUlpbG0zbGlCOGs3VXFCL3E1cTNVRnRiS2xNWGprQmIxNU01bS9SRUhuMVIzaG9qbEN1ai9KWApwOWJ5Nkw1UEc2SEdqT1pnSnl4dDU4TEdyQUxwOTkwbThpTG96WEpJTllxanV6WS9oRExDNXN3bm12SnlWYk1iCnQrU2Y0YzlPeTFLZWN2aTV2bkZvUXRVcDh0R2krSUM1d3pkVXEyUVJtWnk0eGJqVXFnQkV5N01DNWJINDVEcXgKTkE4Q0l0UlhELzkwQ1ZVcEdEMWNUVXRTSXVMR2hDRVdUTUk3VHpuU0lib2ljbzhMdWpBSi9GRzA5QjFXN3NkQwpVUy81VFJxb0VBWGVzSSt5ZkR4Vk9PdE1kRE4zTVRHdEhHazJlMVNDOWlFdnNhZ2xtVDlHWWN3S0lCRjVHQVBaClhzRmFFL0ZjYmFRYkFvSUJBSEVPbGhnV2FWeEMzeWFNS2FPUnlZQXBBNkpMbkNTS1FxTXpJNUtpaTF2azhKWUUKdDJsNXgzSnEzVk5ic285QUtGRlROMTY0aS9tcG5kb1lFSlZQK3lvb0NadWRDTzFFZGNOOFJOYTVUQ2tmWUtFVQp1cmhjenprZlg5aGRCcXlaeUpNWEJEZnVKSXRRb3BWa2ljM1dRcHZNeE5VNHNYMVpCampFQmp2ZExjV1VGd1pxCkVjMlVFVXJUdnZVQXNRa1c5blUrRlhzWDBXbHFmdHJtT2FMSGNybUpxWlp2YTN0ektuYSt3S0FESTB6VEM4MVEKL2VRRjNwNEJ0UjdpcHZPbzcrQW1rYlVUQ2NsZFh5bmVJQlR1UjNjNVZMMU5VNHVzdEExbkM2a1YwdFlCdEsrUQoxVHRONjIrYjZhaWwwWk9hS3BVU1JFamMrV2JpM0dDQm9iVm9iV1VDZ2dFQkFJNFd1aU80Q3ZVUFRQWFZwbzhvCmRTUGVpSXlnWGRCRTFjSnFtQXVnUmZqNHZrVGVlSkZwazNLZXpqN2puMEtrZ1A1RUNGcDF5UWVZdEV1VjJFOEkKQlNKSHpDL1BWOHFLcjYwZ3BRUklOcGE3am5qT1hwdGgwbFdlNVp5N2RnbVB3K0l4Q3RjYjRxY2lsZWNPNEtzeApNTjlwRTYwdWJQZjBjT3kva3J2aWFLdmtRSU15WHc2c0hsOTB0eUEwYjc0NkxOQXNsbnFINUUwemVSK0pHTHR4ClFFd0U3Q3BESXBtNU1pa1ZaN2R4QitHWGMwTDlQQzhCTW5VRUE1c3A3UlVwNTkydVlOMHVlK2F0K0U1Q0RkeUMKeEFWeGxTNHBrcnZJemdPOXQySGZXUDU2aVpIamFmdVNvZUVBQUdSZzVXNmpoYWdDZG5GK0NXQmxTcUlFb2FoQgpRanNDZ2dFQVhOazh6QVV5dTVYZzVRZW5jVXlCVjVzeC9jUERJZ1p0YWZXTWdtdmI1Uk9OcmZ6TlBGL1MyN1VWCk5tWmU1bmxTMXhCc0RuR0ZFa2NnOWlDTnVnYVhadFVwMXc5eFFhamEwWmpYUjJOZzBPSDZRK1FxWnpqdnNMNHUKdVRIZHgwUG45Mm12ZGVSUmlnODVJRUx3RDVnU0RINm1LMlJ5UUpSZ0lMcVVIc3BtKzdya1hnNmo4b2JhNVlOQQpFR2IrSlZudXRtUGgyc1cwUzNYQW9rc2twemFmazhJMWJVY3k4c1drTWJZSjF5RUxLUWh5RDIzTmgwYzRDLytXCjUzaWVZT2ZnY2RGVEJvSlVEdHk2c3NwSWg5b1BBR3VONXROQlFBK2VlRHFQbEtUQmdaOTU0OEpvMSt5cVFaMFcKb1lYeG0rUEJObTZxK3FmVzJzQ2VyQjRaY0pxWkFnPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
 kind: Secret
 metadata:
-  name: kubernetes-sidecar-injector-certs
-  namespace: sidecar-injector
+  name: kyverno-envoy-sidecar-certs
+  namespace: kyverno-envoy-sidecar-injector
   labels:
     app.kubernetes.io/name: sidecar-injector
     app.kubernetes.io/instance: sidecar-injector
diff --git a/sidecar-injector/manifests/service.yaml b/sidecar-injector/manifests/service.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: kubernetes-sidecar-injector
-  namespace: sidecar-injector
+  name: kyverno-envoy-sidecar
+  namespace: kyverno-envoy-sidecar-injector
   labels:
     app.kubernetes.io/name: sidecar-injector
     app.kubernetes.io/instance: sidecar-injector

diff --git a/sidecar-injector/manifests/sidecar-configmap.yaml b/sidecar-injector/manifests/sidecar-configmap.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: kyverno-envoy-sidecar
-  namespace: sidecar-injector
+  namespace: kyverno-envoy-sidecar-injector
 data:
   sidecars.yaml: |
     - name: kyverno-envoy-sidecar

diff --git a/sidecar-injector/pkg/httpd/simpleserver.go b/sidecar-injector/pkg/httpd/simpleserver.go
@@ -51,7 +51,6 @@ func (simpleServer *SimpleServer) Start() error {
 	if simpleServer.Local {
 		return server.ListenAndServe()
 	}
-	log.Infof("Starting tls server on port %d", simpleServer.Port)
 	return server.ListenAndServeTLS(simpleServer.CertFile, simpleServer.KeyFile)
 }