feat: add cleanup cronjobs for (cluster)ephemeralreports (#10325)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2024-05-29 20:19:57 +08:00 · 2024-05-29 20:19:57 +08:00 · 022620ef43
commit 022620ef43
parent 084336c5f5
6 changed files with 504 additions and 0 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -793,6 +793,50 @@ The chart values are organised per component.
 | cleanupJobs.updateRequests.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
 | cleanupJobs.updateRequests.podAffinity | object | `{}` | Pod affinity constraints. |
 | cleanupJobs.updateRequests.nodeAffinity | object | `{}` | Node affinity constraints. |
+| cleanupJobs.ephemeralReports.enabled | bool | `true` | Enable cleanup cronjob |
+| cleanupJobs.ephemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
+| cleanupJobs.ephemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
+| cleanupJobs.ephemeralReports.image.registry | string | `nil` | Image registry |
+| cleanupJobs.ephemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
+| cleanupJobs.ephemeralReports.image.tag | string | `"1.28.5"` | Image tag Defaults to `latest` if omitted |
+| cleanupJobs.ephemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| cleanupJobs.ephemeralReports.imagePullSecrets | list | `[]` | Image pull secrets |
+| cleanupJobs.ephemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
+| cleanupJobs.ephemeralReports.threshold | int | `10000` | Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them |
+| cleanupJobs.ephemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
+| cleanupJobs.ephemeralReports.podSecurityContext | object | `{}` | Security context for the pod |
+| cleanupJobs.ephemeralReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
+| cleanupJobs.ephemeralReports.priorityClassName | string | `""` | Pod PriorityClassName |
+| cleanupJobs.ephemeralReports.resources | object | `{}` | Job resources |
+| cleanupJobs.ephemeralReports.tolerations | list | `[]` | List of node taints to tolerate |
+| cleanupJobs.ephemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment |
+| cleanupJobs.ephemeralReports.podAnnotations | object | `{}` | Pod Annotations |
+| cleanupJobs.ephemeralReports.podLabels | object | `{}` | Pod labels |
+| cleanupJobs.ephemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| cleanupJobs.ephemeralReports.podAffinity | object | `{}` | Pod affinity constraints. |
+| cleanupJobs.ephemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. |
+| cleanupJobs.clusterEphemeralReports.enabled | bool | `true` | Enable cleanup cronjob |
+| cleanupJobs.clusterEphemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
+| cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
+| cleanupJobs.clusterEphemeralReports.image.registry | string | `nil` | Image registry |
+| cleanupJobs.clusterEphemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
+| cleanupJobs.clusterEphemeralReports.image.tag | string | `"1.28.5"` | Image tag Defaults to `latest` if omitted |
+| cleanupJobs.clusterEphemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| cleanupJobs.clusterEphemeralReports.imagePullSecrets | list | `[]` | Image pull secrets |
+| cleanupJobs.clusterEphemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
+| cleanupJobs.clusterEphemeralReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
+| cleanupJobs.clusterEphemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
+| cleanupJobs.clusterEphemeralReports.podSecurityContext | object | `{}` | Security context for the pod |
+| cleanupJobs.clusterEphemeralReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
+| cleanupJobs.clusterEphemeralReports.priorityClassName | string | `""` | Pod PriorityClassName |
+| cleanupJobs.clusterEphemeralReports.resources | object | `{}` | Job resources |
+| cleanupJobs.clusterEphemeralReports.tolerations | list | `[]` | List of node taints to tolerate |
+| cleanupJobs.clusterEphemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment |
+| cleanupJobs.clusterEphemeralReports.podAnnotations | object | `{}` | Pod Annotations |
+| cleanupJobs.clusterEphemeralReports.podLabels | object | `{}` | Pod Labels |
+| cleanupJobs.clusterEphemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| cleanupJobs.clusterEphemeralReports.podAffinity | object | `{}` | Pod affinity constraints. |
+| cleanupJobs.clusterEphemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. |

 ### Other

--- a/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml
+++ b/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml
@ -0,0 +1,91 @@
+{{- if .Values.cleanupJobs.clusterEphemeralReports.enabled -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ template "kyverno.name" . }}-cleanup-cluster-ephemeral-reports
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.cleanup.labels" . | nindent 4 }}
+spec:
+  schedule: {{ .Values.cleanupJobs.clusterEphemeralReports.schedule | quote }}
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.success }}
+  failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.failure }}
+  jobTemplate:
+    spec:
+      backoffLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.backoffLimit }}
+      {{- if .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }}
+      ttlSecondsAfterFinished: {{ .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }}
+      {{- end }}
+      template:
+        metadata:
+          {{- with .Values.cleanupJobs.clusterEphemeralReports.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.cleanupJobs.clusterEphemeralReports.podLabels }}
+          labels:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        spec:
+          serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
+          {{- with .Values.cleanupJobs.clusterEphemeralReports.podSecurityContext }}
+          securityContext:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .Values.cleanupJobs.clusterEphemeralReports.priorityClassName }}
+          priorityClassName: {{ . }}
+          {{- end }}
+          containers:
+          - name: cleanup
+            image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.clusterEphemeralReports.image)) | quote }}
+            imagePullPolicy: {{ .Values.cleanupJobs.clusterEphemeralReports.image.pullPolicy }}
+            command:
+            - /bin/bash
+            - -c
+            - |
+              set -euo pipefail
+              COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l)
+              if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterEphemeralReports.threshold }} ]; then
+                echo "too many clusterephemeralreports found ($COUNT), cleaning up..."
+                kubectl delete clusterephemeralreports.reports.kyverno.io -A --all
+              else
+                echo "($COUNT) reports found, no clean up needed"
+              fi
+            {{- with .Values.cleanupJobs.clusterEphemeralReports.securityContext }}
+            securityContext:
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- with .Values.cleanupJobs.clusterEphemeralReports.resources }}
+            resources:
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+          {{- with .Values.cleanupJobs.clusterEphemeralReports.imagePullSecrets }}
+          imagePullSecrets:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          restartPolicy: OnFailure
+          {{- with .Values.cleanupJobs.clusterEphemeralReports.tolerations }}
+          tolerations:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .Values.cleanupJobs.clusterEphemeralReports.nodeSelector | default .Values.global.nodeSelector }}
+          nodeSelector:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- if or .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity .Values.cleanupJobs.clusterEphemeralReports.podAffinity .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }}
+          affinity:
+            {{- with .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity }}
+            podAntiAffinity:
+              {{- tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+            {{- with .Values.cleanupJobs.clusterEphemeralReports.podAffinity }}
+            podAffinity:
+              {{- tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+            {{- with .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }}
+            nodeAffinity:
+              {{- tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+          {{- end }}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml
+++ b/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml
@ -0,0 +1,91 @@
+{{- if .Values.cleanupJobs.ephemeralReports.enabled -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ template "kyverno.name" . }}-cleanup-ephemeral-reports
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.cleanup.labels" . | nindent 4 }}
+spec:
+  schedule: {{ .Values.cleanupJobs.ephemeralReports.schedule | quote }}
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.success }}
+  failedJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.failure }}
+  jobTemplate:
+    spec:
+      backoffLimit: {{ .Values.cleanupJobs.ephemeralReports.backoffLimit }}
+      {{- if .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }}
+      ttlSecondsAfterFinished: {{ .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }}
+      {{- end }}
+      template:
+        metadata:
+          {{- with .Values.cleanupJobs.ephemeralReports.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.cleanupJobs.ephemeralReports.podLabels }}
+          labels:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        spec:
+          serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
+          {{- with .Values.cleanupJobs.ephemeralReports.podSecurityContext }}
+          securityContext:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .Values.cleanupJobs.ephemeralReports.priorityClassName }}
+          priorityClassName: {{ . }}
+          {{- end }}
+          containers:
+          - name: cleanup
+            image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.ephemeralReports.image)) | quote }}
+            imagePullPolicy: {{ .Values.cleanupJobs.ephemeralReports.image.pullPolicy }}
+            command:
+            - /bin/bash
+            - -c
+            - |
+              set -euo pipefail
+              COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l)
+              if [ "$COUNT" -gt {{ .Values.cleanupJobs.ephemeralReports.threshold }} ]; then
+                echo "too many ephemeralreports found ($COUNT), cleaning up..."
+                kubectl delete ephemeralreports.reports.kyverno.io -A --all
+              else
+                echo "($COUNT) reports found, no clean up needed"
+              fi
+            {{- with .Values.cleanupJobs.ephemeralReports.securityContext }}
+            securityContext:
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+            {{- with .Values.cleanupJobs.ephemeralReports.resources }}
+            resources:
+              {{- toYaml . | nindent 14 }}
+            {{- end }}
+          {{- with .Values.cleanupJobs.ephemeralReports.imagePullSecrets }}
+          imagePullSecrets:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          restartPolicy: OnFailure
+          {{- with .Values.cleanupJobs.ephemeralReports.tolerations }}
+          tolerations:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- with .Values.cleanupJobs.ephemeralReports.nodeSelector | default .Values.global.nodeSelector }}
+          nodeSelector:
+            {{- tpl (toYaml .) $ | nindent 12 }}
+          {{- end }}
+          {{- if or .Values.cleanupJobs.ephemeralReports.podAntiAffinity .Values.cleanupJobs.ephemeralReports.podAffinity .Values.cleanupJobs.ephemeralReports.nodeAffinity }}
+          affinity:
+            {{- with .Values.cleanupJobs.ephemeralReports.podAntiAffinity }}
+            podAntiAffinity:
+              {{- tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+            {{- with .Values.cleanupJobs.ephemeralReports.podAffinity }}
+            podAffinity:
+              {{- tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+            {{- with .Values.cleanupJobs.ephemeralReports.nodeAffinity }}
+            nodeAffinity:
+              {{- tpl (toYaml .) $ | nindent 14 }}
+            {{- end }}
+          {{- end }}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup/clusterrole.yaml
+++ b/charts/kyverno/templates/cleanup/clusterrole.yaml
@ -15,3 +15,12 @@ rules:
      - list
      - deletecollection
      - delete
+  - apiGroups:
+      - reports.kyverno.io
+    resources:
+      - ephemeralreports
+      - clusterephemeralreports
+    verbs:
+      - list
+      - deletecollection
+      - delete
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -937,6 +937,166 @@ cleanupJobs:
    # -- Node affinity constraints.
    nodeAffinity: {}

+  ephemeralReports:
+
+    # -- Enable cleanup cronjob
+    enabled: true
+
+    # -- Maximum number of retries before considering a Job as failed. Defaults to 3.
+    backoffLimit: 3
+
+    # -- Time until the pod from the cronjob is deleted
+    ttlSecondsAfterFinished: ""
+
+    image:
+      # -- (string) Image registry
+      registry: ~
+      # -- Image repository
+      repository: bitnami/kubectl
+      # -- Image tag
+      # Defaults to `latest` if omitted
+      tag: '1.28.5'
+      # -- (string) Image pull policy
+      # Defaults to image.pullPolicy if omitted
+      pullPolicy: ~
+
+    # -- Image pull secrets
+    imagePullSecrets: []
+      # - name: secretName
+
+    # -- Cronjob schedule
+    schedule: '*/10 * * * *'
+
+    # -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
+    threshold: 10000
+
+    # -- Cronjob history
+    history:
+      success: 1
+      failure: 1
+
+    # -- Security context for the pod
+    podSecurityContext: {}
+
+    # -- Security context for the containers
+    securityContext:
+      runAsNonRoot: true
+      privileged: false
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
+      seccompProfile:
+        type: RuntimeDefault
+
+    # -- Pod PriorityClassName
+    priorityClassName: ""
+
+    # -- Job resources
+    resources: {}
+
+    # -- List of node taints to tolerate
+    tolerations: []
+
+    # -- Node labels for pod assignment
+    nodeSelector: {}
+
+    # -- Pod Annotations
+    podAnnotations: {}
+
+    # -- Pod labels
+    podLabels: {}
+
+    # -- Pod anti affinity constraints.
+    podAntiAffinity: {}
+
+    # -- Pod affinity constraints.
+    podAffinity: {}
+
+    # -- Node affinity constraints.
+    nodeAffinity: {}
+    
+  clusterEphemeralReports:
+
+    # -- Enable cleanup cronjob
+    enabled: true
+
+    # -- Maximum number of retries before considering a Job as failed. Defaults to 3.
+    backoffLimit: 3
+
+    # -- Time until the pod from the cronjob is deleted
+    ttlSecondsAfterFinished: ""
+
+    image:
+      # -- (string) Image registry
+      registry: ~
+      # -- Image repository
+      repository: bitnami/kubectl
+      # -- Image tag
+      # Defaults to `latest` if omitted
+      tag: '1.28.5'
+      # -- (string) Image pull policy
+      # Defaults to image.pullPolicy if omitted
+      pullPolicy: ~
+
+    # -- Image pull secrets
+    imagePullSecrets: []
+      # - name: secretName
+
+    # -- Cronjob schedule
+    schedule: '*/10 * * * *'
+
+    # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
+    threshold: 10000
+
+    # -- Cronjob history
+    history:
+      success: 1
+      failure: 1
+
+    # -- Security context for the pod
+    podSecurityContext: {}
+
+    # -- Security context for the containers
+    securityContext:
+      runAsNonRoot: true
+      privileged: false
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+          - ALL
+      seccompProfile:
+        type: RuntimeDefault
+
+    # -- Pod PriorityClassName
+    priorityClassName: ""
+
+    # -- Job resources
+    resources: {}
+
+    # -- List of node taints to tolerate
+    tolerations: []
+
+    # -- Node labels for pod assignment
+    nodeSelector: {}
+
+    # -- Pod Annotations
+    podAnnotations: {}
+
+    # -- Pod Labels
+    podLabels: {}
+
+    # -- Pod anti affinity constraints.
+    podAntiAffinity: {}
+
+    # -- Pod affinity constraints.
+    podAffinity: {}
+
+    # -- Node affinity constraints.
+    nodeAffinity: {}
+
 # Admission controller configuration
 admissionController:

--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -48802,6 +48802,15 @@ rules:
      - list
      - deletecollection
      - delete
+  - apiGroups:
+      - reports.kyverno.io
+    resources:
+      - ephemeralreports
+      - clusterephemeralreports
+    verbs:
+      - list
+      - deletecollection
+      - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@ -50284,6 +50293,106 @@ spec:
 ---
 apiVersion: batch/v1
 kind: CronJob
+metadata:
+  name: kyverno-cleanup-cluster-ephemeral-reports
+  namespace: kyverno
+  labels:
+    app.kubernetes.io/component: cleanup
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+    app.kubernetes.io/version: latest
+spec:
+  schedule: "*/10 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      backoffLimit: 3
+      template:
+        metadata:
+        spec:
+          serviceAccountName: kyverno-cleanup-jobs
+          containers:
+          - name: cleanup
+            image: "bitnami/kubectl:1.28.5"
+            imagePullPolicy: 
+            command:
+            - /bin/bash
+            - -c
+            - |
+              set -euo pipefail
+              COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l)
+              if [ "$COUNT" -gt 10000 ]; then
+                echo "too many clusterephemeralreports found ($COUNT), cleaning up..."
+                kubectl delete clusterephemeralreports.reports.kyverno.io -A --all
+              else
+                echo "($COUNT) reports found, no clean up needed"
+              fi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+              seccompProfile:
+                type: RuntimeDefault
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: kyverno-cleanup-ephemeral-reports
+  namespace: kyverno
+  labels:
+    app.kubernetes.io/component: cleanup
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+    app.kubernetes.io/version: latest
+spec:
+  schedule: "*/10 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      backoffLimit: 3
+      template:
+        metadata:
+        spec:
+          serviceAccountName: kyverno-cleanup-jobs
+          containers:
+          - name: cleanup
+            image: "bitnami/kubectl:1.28.5"
+            imagePullPolicy: 
+            command:
+            - /bin/bash
+            - -c
+            - |
+              set -euo pipefail
+              COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l)
+              if [ "$COUNT" -gt 10000 ]; then
+                echo "too many ephemeralreports found ($COUNT), cleaning up..."
+                kubectl delete ephemeralreports.reports.kyverno.io -A --all
+              else
+                echo "($COUNT) reports found, no clean up needed"
+              fi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                - ALL
+              privileged: false
+              readOnlyRootFilesystem: true
+              runAsNonRoot: true
+              seccompProfile:
+                type: RuntimeDefault
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
 metadata:
  name: kyverno-cleanup-update-requests
  namespace: kyverno