kyverno/config/manifest/deployment.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kyverno
    # do not remove
    app.kubernetes.io/name: kyverno
  name: kyverno
spec:
  selector:
    matchLabels:
      app: kyverno
      # do not remove
      app.kubernetes.io/name: kyverno
  replicas: 1
  template:
    metadata:
      labels:
        app: kyverno
        # do not remove
        app.kubernetes.io/name: kyverno
    spec:
      volumes:
        - name: sigstore
          emptyDir: {}
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - kyverno
              topologyKey: "kubernetes.io/hostname"
      serviceAccountName: kyverno-service-account
      securityContext:
        runAsNonRoot: true
      initContainers:
        - name: kyverno-pre
          image: ghcr.io/kyverno/kyvernopre:latest
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 100m
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 64Mi
          securityContext:
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          env:
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      containers:
        - name: kyverno
          image: ghcr.io/kyverno/kyverno:latest
          imagePullPolicy: Always
          args:
          # customize webhook timeout
          #- "--webhookTimeout=4"
          # enable profiling
          # - "--profile"
          # configure the workers for generate controller
          # - --genWorkers=20
          - "-v=2"
          - --autogenInternals=false
          ports:
            - containerPort: 9443
              name: https
              protocol: TCP
            - containerPort: 8000
              name: metrics-port
              protocol: TCP
          env:
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_SVC
              value: kyverno-svc
            - name: TUF_ROOT
              value: /.sigstore
          securityContext:
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 384Mi
          livenessProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 2
            successThreshold: 1
          readinessProbe:
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 4
            successThreshold: 1
          # Failing to provide a writable $TUF_ROOT can cause TUF client initialization to panic
          volumeMounts:
          - mountPath: /.sigstore
            name: sigstore
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 40%
      maxSurge: 1
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`---`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`labels:`
			`app: kyverno`
- update version to v1.3.6; - split Kustomization manifests; - revert release/install.yaml (#1945) Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-06-01 21:58:37 -07:00			`# do not remove`
			`app.kubernetes.io/name: kyverno`
Recommanded Kubernetes labels and custom labels (#1873) * Add: Recommanded Kubernetes labels Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: feature to add custom labels to resources metadata Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: manage labels with Kustomize Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: app label Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: app label for chart Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: make kustomize-crds Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: refactoring labels Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Fix: clean kustomize code Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Fix: typo Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: application version v1.3.6 Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: version v1.3.6 Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> 2021-06-01 20:54:33 +02:00			`name: kyverno`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`spec:`
			`selector:`
			`matchLabels:`
			`app: kyverno`
- update version to v1.3.6; - split Kustomization manifests; - revert release/install.yaml (#1945) Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-06-01 21:58:37 -07:00			`# do not remove`
			`app.kubernetes.io/name: kyverno`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`replicas: 1`
			`template:`
			`metadata:`
			`labels:`
			`app: kyverno`
- update version to v1.3.6; - split Kustomization manifests; - revert release/install.yaml (#1945) Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-06-01 21:58:37 -07:00			`# do not remove`
			`app.kubernetes.io/name: kyverno`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`spec:`
adding emptyDir vol for keyless signing (#3366) * adding emptyDir vol Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding env TUF_ROOT Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-03-10 13:39:22 +05:30			`volumes:`
			`- name: sigstore`
			`emptyDir: {}`
adding pod anti-affinity to Kyverno (#1985) * added for deployment.yaml Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * added for helm Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * to be tested Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed not needed ends Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * made changes to pass the test Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * removed hard from values.yaml Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com> * added condition to disable pod-affinity Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * changed with to if condition Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * small fix for trailing spaces Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * small fix Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> Co-authored-by: NoSkillGirl <singhpooja240393@gmail.com> 2021-09-20 15:52:46 +05:30			`affinity:`
			`podAntiAffinity:`
Update anti-affinity to the soft limit (#2441) 2021-09-29 02:30:49 +05:30			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 1`
			`podAffinityTerm:`
			`labelSelector:`
			`matchExpressions:`
			`- key: app.kubernetes.io/name`
			`operator: In`
			`values:`
			`- kyverno`
			`topologyKey: "kubernetes.io/hostname"`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`serviceAccountName: kyverno-service-account`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`securityContext:`
			`runAsNonRoot: true`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`initContainers:`
			`- name: kyverno-pre`
Migrate image to GitHub registry (#1299) * migrate image to GitHub registry * remove registry login 2020-11-24 11:49:08 -08:00			`image: ghcr.io/kyverno/kyvernopre:latest`
update image pull policy for YAML install which uses :latest (#3565) Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2022-04-07 14:31:14 -07:00			`imagePullPolicy: Always`
Resources for initContainers (#1871) * Add: resources for initContainers Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Update: increase memory limit for init container Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Add: init container resources Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> * Fix: kustomize CRD Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com> 2021-05-07 18:53:00 +02:00			`resources:`
			`limits:`
			`cpu: 100m`
			`memory: 256Mi`
			`requests:`
			`cpu: 10m`
			`memory: 64Mi`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`securityContext:`
			`runAsNonRoot: true`
			`privileged: false`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`capabilities:`
			`drop:`
Modify capabilities for compatibility with Pod Security (#3274) Kyverno manifests are incompatible with the restricted Pod Security Standards included with Kubernetes 1.22 and 1.23 because the Pod Security admission controller looks for "ALL" in securityContext.capabilities.drop, but does not accept "all". https://github.com/kubernetes/pod-security-admission/blob/1b741f89aa417a489aa68ec2d0cc65eeca8dff80/policy/check_capabilities_restricted.go#L88 Signed-off-by: Ryan White <ryan@alzabo.io> 2022-02-22 03:14:17 -05:00			`- ALL`
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-09-11 03:09:12 +05:30			`env:`
			`- name: METRICS_CONFIG`
			`value: kyverno-metrics`
Bugfixes - handle verifyImage rules for webhooks configurations (#2501) * dynamic webhooks for verifyImages rule Signed-off-by: ShutingZhao <shutting06@gmail.com> * add namespace env to the initContainer Signed-off-by: ShutingZhao <shutting06@gmail.com> * add debug log Signed-off-by: ShutingZhao <shutting06@gmail.com> * update operator schema validation tag Signed-off-by: ShutingZhao <shutting06@gmail.com> * set policy to ready if auto-update-webhook disabled Signed-off-by: ShutingZhao <shutting06@gmail.com> 2021-10-07 13:50:30 -07:00			`- name: KYVERNO_NAMESPACE`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: metadata.namespace`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`containers:`
			`- name: kyverno`
Migrate image to GitHub registry (#1299) * migrate image to GitHub registry * remove registry login 2020-11-24 11:49:08 -08:00			`image: ghcr.io/kyverno/kyverno:latest`
update image pull policy for YAML install which uses :latest (#3565) Signed-off-by: Jim Bugwadia <jim@nirmata.com> 2022-04-07 14:31:14 -07:00			`imagePullPolicy: Always`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`args:`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`# customize webhook timeout`
Changing flag names for consistency (#2467) * changing flag names for consistency Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * changes for backward compatibility Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * updated the CHANGELOG.md Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> 2021-10-06 23:02:48 +05:30			`#- "--webhookTimeout=4"`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`# enable profiling`
			`# - "--profile"`
add flag to kyverno's manifest Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-03-22 19:19:12 -07:00			`# configure the workers for generate controller`
Changing flag names for consistency (#2467) * changing flag names for consistency Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * changes for backward compatibility Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * updated the CHANGELOG.md Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> 2021-10-06 23:02:48 +05:30			`# - --genWorkers=20`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`- "-v=2"`
feat: stop mutating rules (#3410) * feat: stop adding autogen annotation Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: stop mutating rules Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: stop mutating rules Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: use toggle Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: review comments Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> 2022-03-28 16:01:27 +02:00			`- --autogenInternals=false`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`ports:`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`- containerPort: 9443`
			`name: https`
			`protocol: TCP`
feat: added support for exposing the metrics via kyverno-svc service Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-05-16 13:22:21 +05:30			`- containerPort: 8000`
			`name: metrics-port`
			`protocol: TCP`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`env:`
e2e workflow added (#1021) * e2e flow added * add kustomize image change in ci 2020-08-05 23:26:31 -07:00			`- name: INIT_CONFIG`
Corrected the value of `INIT_CONFIG` env in deployment (#2927) Signed-off-by: Abhinav Sinha <zeborg3@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> 2022-01-07 16:22:34 +05:30			`value: kyverno`
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-09-11 03:09:12 +05:30			`- name: METRICS_CONFIG`
			`value: kyverno-metrics`
e2e workflow added (#1021) * e2e flow added * add kustomize image change in ci 2020-08-05 23:26:31 -07:00			`- name: KYVERNO_NAMESPACE`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: metadata.namespace`
Add `handler` to `UR.status` (#3791) * - Add "handler" to "ur.status" - Mark / Unmark handler upon UR reconciliation Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add field onPolicyUpdate Signed-off-by: ShutingZhao <shuting@nirmata.com> * Update API docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add delay in generate e2e tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Remove duplicate logic for cleaning up the cloned resource Signed-off-by: ShutingZhao <shuting@nirmata.com> 2022-05-05 18:56:27 +08:00			`- name: KYVERNO_POD_NAME`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: metadata.name`
e2e workflow added (#1021) * e2e flow added * add kustomize image change in ci 2020-08-05 23:26:31 -07:00			`- name: KYVERNO_SVC`
			`value: kyverno-svc`
adding emptyDir vol for keyless signing (#3366) * adding emptyDir vol Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding env TUF_ROOT Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-03-10 13:39:22 +05:30			`- name: TUF_ROOT`
			`value: /.sigstore`
update pod security context and ports 2020-10-22 11:26:22 -07:00			`securityContext:`
			`runAsNonRoot: true`
			`privileged: false`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`capabilities:`
			`drop:`
Modify capabilities for compatibility with Pod Security (#3274) Kyverno manifests are incompatible with the restricted Pod Security Standards included with Kubernetes 1.22 and 1.23 because the Pod Security admission controller looks for "ALL" in securityContext.capabilities.drop, but does not accept "all". https://github.com/kubernetes/pod-security-admission/blob/1b741f89aa417a489aa68ec2d0cc65eeca8dff80/policy/check_capabilities_restricted.go#L88 Signed-off-by: Ryan White <ryan@alzabo.io> 2022-02-22 03:14:17 -05:00			`- ALL`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`resources:`
			`requests:`
Increase Kyverno memory request and limit (#2862) * bump memory request and limit Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove quotes Signed-off-by: ShutingZhao <shuting@nirmata.com> 2021-12-21 15:11:28 +08:00			`memory: 128Mi`
			`cpu: 100m`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`limits:`
Increase Kyverno memory request and limit (#2862) * bump memory request and limit Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove quotes Signed-off-by: ShutingZhao <shuting@nirmata.com> 2021-12-21 15:11:28 +08:00			`memory: 384Mi`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`livenessProbe:`
			`httpGet:`
			`path: /health/liveness`
fix ports 2020-10-22 12:48:04 -07:00			`port: 9443`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`scheme: HTTPS`
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 2021-09-11 03:09:12 +05:30			`initialDelaySeconds: 15`
Check webhooks are present during liveness (#1748) Fixes #1747 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2021-03-31 15:44:56 -04:00			`periodSeconds: 30`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`timeoutSeconds: 5`
Check webhooks are present during liveness (#1748) Fixes #1747 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2021-03-31 15:44:56 -04:00			`failureThreshold: 2`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`successThreshold: 1`
			`readinessProbe:`
			`httpGet:`
			`path: /health/readiness`
fix ports 2020-10-22 12:48:04 -07:00			`port: 9443`
remove duplicate crd changes 2020-06-05 13:42:53 -07:00			`scheme: HTTPS`
			`initialDelaySeconds: 5`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 4`
configrable rules added (#1017) * configrable rules added * fix exclude group logic from code * flag added in yaml * exclude username added * exclude username added * config interface implimented * configure exclude username * get role ref * test case fixed * panic fix * move from interface to slice * exclude added in mutate * trim strings * configmap changes added * kustomize changes for configmap * k8s resources added 2020-08-07 17:09:24 -07:00			`successThreshold: 1`
adding emptyDir vol for keyless signing (#3366) * adding emptyDir vol Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding env TUF_ROOT Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> 2022-03-10 13:39:22 +05:30			`# Failing to provide a writable $TUF_ROOT can cause TUF client initialization to panic`
			`volumeMounts:`
			`- mountPath: /.sigstore`
			`name: sigstore`
updated kyverno deployment strategy (#2006) * updated kyverno deployment strategy Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> * update helm chart Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> * minor changes Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> * make updatestrategy configurable Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in> 2021-08-18 15:49:35 +05:30			`strategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxUnavailable: 40%`
			`maxSurge: 1`