kyverno/config/manifest/deployment.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kyverno
    # do not remove
    app.kubernetes.io/name: kyverno
  name: kyverno
spec:
  selector:
    matchLabels:
      app: kyverno
      # do not remove
      app.kubernetes.io/name: kyverno
  replicas: 1
  template:
    metadata:
      labels:
        app: kyverno
        # do not remove
        app.kubernetes.io/name: kyverno
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - kyverno
              topologyKey: "kubernetes.io/hostname"
      serviceAccountName: kyverno-service-account
      securityContext:
        runAsNonRoot: true
      initContainers:
        - name: kyverno-pre
          image: ghcr.io/kyverno/kyvernopre:latest
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: 100m
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 64Mi
          securityContext:
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
          env:
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      containers:
        - name: kyverno
          image: ghcr.io/kyverno/kyverno:latest
          imagePullPolicy: IfNotPresent
          args:
          - "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
          # customize webhook timeout
          #- "--webhookTimeout=4"
          # enable profiling
          # - "--profile"
          # configure the workers for generate controller
          # - --genWorkers=20
          - "-v=2"
          ports:
            - containerPort: 9443
              name: https
              protocol: TCP
            - containerPort: 8000
              name: metrics-port
              protocol: TCP
          env:
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_SVC
              value: kyverno-svc
          securityContext:
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 384Mi
          livenessProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 2
            successThreshold: 1
          readinessProbe:
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 4
            successThreshold: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 40%
      maxSurge: 1
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`---`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`labels:`
			`app: kyverno`
- update version to v1.3.6; - split Kustomization manifests; - revert release/install.yaml (#1945) Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-06-01 21:58:37 -07:00			`# do not remove`
			`app.kubernetes.io/name: kyverno`
Recommanded Kubernetes labels and custom labels (#1873) * Add: Recommanded Kubernetes labels Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: feature to add custom labels to resources metadata Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: manage labels with Kustomize Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: app label Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: app label for chart Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: make kustomize-crds Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: refactoring labels Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Fix: clean kustomize code Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Fix: typo Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: application version v1.3.6 Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: version v1.3.6 Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> 2021-06-01 20:54:33 +02:00			`name: kyverno`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`spec:`
			`selector:`
			`matchLabels:`
			`app: kyverno`
- update version to v1.3.6; - split Kustomization manifests; - revert release/install.yaml (#1945) Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-06-01 21:58:37 -07:00			`# do not remove`
			`app.kubernetes.io/name: kyverno`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`replicas: 1`
			`template:`
			`metadata:`
			`labels:`
			`app: kyverno`
- update version to v1.3.6; - split Kustomization manifests; - revert release/install.yaml (#1945) Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-06-01 21:58:37 -07:00			`# do not remove`
			`app.kubernetes.io/name: kyverno`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`spec:`
adding pod anti-affinity to Kyverno (#1985) * added for deployment.yaml Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * added for helm Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * to be tested Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed not needed ends Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * made changes to pass the test Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed hard from values.yaml Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * added condition to disable pod-affinity Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * changed with to if condition Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * small fix for trailing spaces Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * small fix Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> Co-authored-by: NoSkillGirl <singhpooja240393@gmail.com> 2021-09-20 15:52:46 +05:30			`affinity:`
			`podAntiAffinity:`
Update anti-affinity to the soft limit (#2441) 2021-09-29 02:30:49 +05:30			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 1`
			`podAffinityTerm:`
			`labelSelector:`
			`matchExpressions:`
			`- key: app.kubernetes.io/name`
			`operator: In`
			`values:`
			`- kyverno`
			`topologyKey: "kubernetes.io/hostname"`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`serviceAccountName: kyverno-service-account`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`securityContext:`
			`runAsNonRoot: true`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`initContainers:`
			`- name: kyverno-pre`
Migrate image to GitHub registry (#1299) * migrate image to GitHub registry * remove registry login 2020-11-24 11:49:08 -08:00			`image: ghcr.io/kyverno/kyvernopre:latest`
release v1.3.2-rc3 2021-02-08 18:15:28 -08:00			`imagePullPolicy: IfNotPresent`
Resources for initContainers (#1871) * Add: resources for initContainers Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: increase memory limit for init container Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: init container resources Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Fix: kustomize CRD Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> 2021-05-07 18:53:00 +02:00			`resources:`
			`limits:`
			`cpu: 100m`
			`memory: 256Mi`
			`requests:`
			`cpu: 10m`
			`memory: 64Mi`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`securityContext:`
			`runAsNonRoot: true`
			`privileged: false`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`capabilities:`
			`drop:`
			`- all`
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-09-11 03:09:12 +05:30			`env:`
			`- name: METRICS_CONFIG`
			`value: kyverno-metrics`
Bugfixes - handle verifyImage rules for webhooks configurations (#2501) * dynamic webhooks for verifyImages rule Signed-off-by: ShutingZhao <shutting06@gmail.com> * add namespace env to the initContainer Signed-off-by: ShutingZhao <shutting06@gmail.com> * add debug log Signed-off-by: ShutingZhao <shutting06@gmail.com> * update operator schema validation tag Signed-off-by: ShutingZhao <shutting06@gmail.com> * set policy to ready if auto-update-webhook disabled Signed-off-by: ShutingZhao <shutting06@gmail.com> 2021-10-07 13:50:30 -07:00			`- name: KYVERNO_NAMESPACE`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: metadata.namespace`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`containers:`
			`- name: kyverno`
Migrate image to GitHub registry (#1299) * migrate image to GitHub registry * remove registry login 2020-11-24 11:49:08 -08:00			`image: ghcr.io/kyverno/kyverno:latest`
release v1.3.2-rc3 2021-02-08 18:15:28 -08:00			`imagePullPolicy: IfNotPresent`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`args:`
Rename filterK8Resources to filterK8sResources (#1452) * Remove lock embedded in CRD controller, use concurrent map to store shcemas * delete rcr info from data store * skip policy validation on status update * - remove status check in policy mutation; - fix test * Remove fqdncn flag * add flag profiling port * skip policy mutation & validation on status update * sync policy status every minute * update log messages * rename filterK8Resources to filterK8sResources 2021-01-07 11:27:50 -08:00			`- "--filterK8sResources=[Event,,][,kube-system,][,kube-public,][,kube-node-lease,][Node,,][APIService,,][TokenReview,,][SubjectAccessReview,,][,kyverno,][Binding,,][ReplicaSet,,][ReportChangeRequest,,][ClusterReportChangeRequest,,][PolicyReport,,][ClusterPolicyReport,,]"`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`# customize webhook timeout`
Changing flag names for consistency (#2467) * changing flag names for consistency Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * changes for backward compatibility Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * updated the CHANGELOG.md Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> 2021-10-06 23:02:48 +05:30			`#- "--webhookTimeout=4"`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`# enable profiling`
			`# - "--profile"`
add flag to kyverno's manifest Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-03-22 19:19:12 -07:00			`# configure the workers for generate controller`
Changing flag names for consistency (#2467) * changing flag names for consistency Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * changes for backward compatibility Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * updated the CHANGELOG.md Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> 2021-10-06 23:02:48 +05:30			`# - --genWorkers=20`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`- "-v=2"`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`ports:`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`- containerPort: 9443`
			`name: https`
			`protocol: TCP`
feat: added support for exposing the metrics via kyverno-svc service Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-05-16 13:22:21 +05:30			`- containerPort: 8000`
			`name: metrics-port`
			`protocol: TCP`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`env:`
e2e workflow added (#1021) * e2e flow added * add kustomize image change in ci 2020-08-05 23:26:31 -07:00			`- name: INIT_CONFIG`
Corrected the value of `INIT_CONFIG` env in deployment (#2927) Signed-off-by: Abhinav Sinha <zeborg3@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> 2022-01-07 16:22:34 +05:30			`value: kyverno`
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-09-11 03:09:12 +05:30			`- name: METRICS_CONFIG`
			`value: kyverno-metrics`
e2e workflow added (#1021) * e2e flow added * add kustomize image change in ci 2020-08-05 23:26:31 -07:00			`- name: KYVERNO_NAMESPACE`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: metadata.namespace`
			`- name: KYVERNO_SVC`
			`value: kyverno-svc`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`securityContext:`
			`runAsNonRoot: true`
			`privileged: false`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`capabilities:`
			`drop:`
			`- all`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`resources:`
			`requests:`
Increase Kyverno memory request and limit (#2862) * bump memory request and limit Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove quotes Signed-off-by: ShutingZhao <shuting@nirmata.com> 2021-12-21 15:11:28 +08:00			`memory: 128Mi`
			`cpu: 100m`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`limits:`
Increase Kyverno memory request and limit (#2862) * bump memory request and limit Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove quotes Signed-off-by: ShutingZhao <shuting@nirmata.com> 2021-12-21 15:11:28 +08:00			`memory: 384Mi`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`livenessProbe:`
			`httpGet:`
			`path: /health/liveness`
fix ports 2020-10-22 12:48:04 -07:00			`port: 9443`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`scheme: HTTPS`
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-09-11 03:09:12 +05:30			`initialDelaySeconds: 15`
Check webhooks are present during liveness (#1748) Fixes #1747 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2021-03-31 15:44:56 -04:00			`periodSeconds: 30`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`timeoutSeconds: 5`
Check webhooks are present during liveness (#1748) Fixes #1747 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2021-03-31 15:44:56 -04:00			`failureThreshold: 2`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`successThreshold: 1`
			`readinessProbe:`
			`httpGet:`
			`path: /health/readiness`
fix ports 2020-10-22 12:48:04 -07:00			`port: 9443`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`scheme: HTTPS`
			`initialDelaySeconds: 5`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 4`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`successThreshold: 1`
updated kyverno deployment strategy (#2006) * updated kyverno deployment strategy Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> * update helm chart Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> * minor changes Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> * make updatestrategy configurable Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> 2021-08-18 15:49:35 +05:30			`strategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxUnavailable: 40%`
			`maxSurge: 1`