1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00

refactor: helm configmaps (#6064)

* refactor: helm configmaps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: helm configmaps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* readme

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* changelog

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-20 15:36:54 +01:00 committed by GitHub
parent fd0699c6d4
commit 17805be0d7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 257 additions and 210 deletions

View file

@ -1,8 +1,11 @@
## v1.10.0
## v1.10.0-rc.1
### Note
- Removed `GenerateRequest` CRD.
- Refactored `kyverno` chart, migration instructions are available in chart `README.md`.
## v1.9.0-rc.1

View file

@ -1,7 +1,7 @@
apiVersion: v2
type: application
name: kyverno
version: v2.5.3
version: v3.0.0
appVersion: latest
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Native Policy Management

View file

@ -2,7 +2,7 @@
Kubernetes Native Policy Management
![Version: v2.5.3](https://img.shields.io/badge/Version-v2.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
![Version: v3.0.0](https://img.shields.io/badge/Version-v3.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
## About
@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io.
## Installing the Chart
**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**
This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section.
**Add the Kyverno Helm repository:**
```console
@ -105,6 +109,14 @@ spec:
- Replace=true
```
## Migrating from v2 to v3
In `v3` chart values changed significantly, please read the instructions below to migrate your values:
- `config.metricsConfig` is now `metricsConfig`
- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
## Uninstalling the Chart
To uninstall/delete the `kyverno` deployment:
@ -122,6 +134,22 @@ The command removes all the Kubernetes components associated with the chart and
| nameOverride | string | `nil` | Override the name of the chart |
| fullnameOverride | string | `nil` | Override the expanded name of the chart |
| namespace | string | `nil` | Namespace the chart deploys to |
| config.create | bool | `true` | Create the configmap. |
| config.name | string | `nil` | The configmap name (required if `create` is `false`). |
| config.annotations | object | `{}` | Additional annotations to add to the configmap. |
| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
| config.excludeGroupRole | list | `[]` | Exclude group role |
| config.excludeUsername | list | `[]` | Exclude username |
| config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| metricsConfig.create | bool | `true` | Create the configmap. |
| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). |
| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. |
| metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. |
| metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. |
| metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics |
| customLabels | object | `{}` | Additional labels |
| rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount |
| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
@ -177,17 +205,6 @@ The command removes all the Kubernetes components associated with the chart and
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) |
| config.annotations | object | `{}` | Additional annotations to add to the configmap |
| config.excludeGroupRole | string | `nil` | Exclude group role |
| config.excludeUsername | string | `nil` | Exclude username |
| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap |
| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| service.port | int | `443` | Service port. |
| service.type | string | `"ClusterIP"` | Service type. |

View file

@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io.
## Installing the Chart
**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**
This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section.
**Add the Kyverno Helm repository:**
```console
@ -105,6 +109,14 @@ spec:
- Replace=true
```
## Migrating from v2 to v3
In `v3` chart values changed significantly, please read the instructions below to migrate your values:
- `config.metricsConfig` is now `metricsConfig`
- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
## Uninstalling the Chart
To uninstall/delete the `kyverno` deployment:

View file

@ -102,16 +102,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end -}}
{{/* Get the config map name. */}}
{{- define "kyverno.configMapName" -}}
{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
{{- end -}}
{{/* Get the metrics config map name. */}}
{{- define "kyverno.metricsConfigMapName" -}}
{{- printf "%s" (default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.config.existingMetricsConfig) -}}
{{- end -}}
{{/* Get the namespace name. */}}
{{- define "kyverno.namespace" -}}
{{- if .Values.namespace -}}
@ -175,30 +165,3 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- end -}}
{{- end }}
{{- define "kyverno.resourceFilters" -}}
{{- $resourceFilters := .Values.config.resourceFilters }}
{{- if .Values.excludeKyvernoNamespace }}
{{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
{{- end }}
{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
{{- range $filter := $resourceFilters }}
{{- if (contains (printf ",%s," $exclude) $filter) }}
{{- $resourceFilters = without $resourceFilters $filter }}
{{- end }}
{{- end }}
{{- end }}
{{- tpl (join "" $resourceFilters) . }}
{{- end }}
{{- define "kyverno.webhooks" -}}
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
{{- $newWebhook := list }}
{{- range $webhook := .Values.config.webhooks }}
{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
{{- end }}
{{- $newWebhook | toJson }}
{{- end }}

View file

@ -106,7 +106,7 @@ spec:
{{- end }}
env:
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:

View file

@ -0,0 +1,54 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.config.configMapName" -}}
{{- if .Values.config.create -}}
{{ default (include "kyverno.fullname" .) .Values.config.name }}
{{- else -}}
{{ required "A configmap name is required when `config.create` is set to `false`" .Values.config.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.config.metricsConfigMapName" -}}
{{- if .Values.metricsConfig.create -}}
{{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.metricsConfig.name }}
{{- else -}}
{{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.metricsConfig.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.config.labels" -}}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.helmLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
{{- with (include "kyverno.matchLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
{{- with (include "kyverno.versionLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
{{- if .Values.customLabels }}
{{ toYaml .Values.customLabels }}
{{- end }}
{{- end -}}
{{- define "kyverno.config.resourceFilters" -}}
{{- $resourceFilters := .Values.config.resourceFilters }}
{{- if .Values.excludeKyvernoNamespace }}
{{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
{{- end }}
{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
{{- range $filter := $resourceFilters }}
{{- if (contains (printf ",%s," $exclude) $filter) }}
{{- $resourceFilters = without $resourceFilters $filter }}
{{- end }}
{{- end }}
{{- end }}
{{- tpl (join "" $resourceFilters) . }}
{{- end }}
{{- define "kyverno.config.webhooks" -}}
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
{{- $newWebhook := list }}
{{- range $webhook := .Values.config.webhooks }}
{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
{{- end }}
{{- $newWebhook | toJson }}
{{- end }}

View file

@ -1,40 +1,35 @@
{{- if (not .Values.config.existingConfig) }}
{{- if .Values.config.create -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kyverno.config.configMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- include "kyverno.config.labels" . | nindent 4 }}
{{- with .Values.config.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "kyverno.configMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
data:
{{- if .Values.config.defaultRegistry }}
defaultRegistry: {{ .Values.config.defaultRegistry | quote }}
{{- end }}
{{- if .Values.config.enableDefaultRegistryMutation }}
enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }}
{{- with .Values.config.defaultRegistry }}
defaultRegistry: {{ . | quote }}
{{- end }}
# resource types to be skipped by kyverno policy engine
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
{{- with .Values.config.excludeGroupRole }}
excludeGroupRole: {{ join "," . | quote }}
{{- end -}}
{{- with .Values.config.excludeUsername }}
excludeUsername: {{ join "," . | quote }}
{{- end -}}
{{- if .Values.config.resourceFilters }}
resourceFilters: {{ include "kyverno.resourceFilters" . | quote }}
{{- end -}}
{{- if .Values.config.excludeGroupRole }}
excludeGroupRole: {{ join "," .Values.config.excludeGroupRole | quote }}
{{- end -}}
{{- if .Values.config.excludeUsername }}
excludeUsername: {{ join "," .Values.config.excludeUsername | quote }}
resourceFilters: {{ include "kyverno.config.resourceFilters" . | quote }}
{{- end -}}
{{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }}
webhooks: {{ include "kyverno.webhooks" . | quote }}
webhooks: {{ include "kyverno.config.webhooks" . | quote }}
{{- else if .Values.config.webhooks }}
webhooks: {{ .Values.config.webhooks | toJson | quote }}
{{- else if .Values.excludeKyvernoNamespace }}
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
{{- end -}}
{{- if .Values.config.generateSuccessEvents }}
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
{{- end -}}
{{- end -}}

View file

@ -0,0 +1,20 @@
{{- if .Values.metricsConfig.create -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kyverno.config.metricsConfigMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.config.labels" . | nindent 4 }}
{{- with .Values.metricsConfig.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- with .Values.metricsConfig.namespaces }}
namespaces: {{ toJson . | quote }}
{{- end }}
{{- with .Values.metricsConfig.metricsRefreshInterval }}
metricsRefreshInterval: {{ .Values.metricsConfig.metricsRefreshInterval }}
{{- end }}
{{- end -}}

View file

@ -89,7 +89,7 @@ spec:
{{- end }}
env:
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
@ -134,9 +134,9 @@ spec:
protocol: TCP
env:
- name: INIT_CONFIG
value: {{ template "kyverno.configMapName" . }}
value: {{ template "kyverno.config.configMapName" . }}
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:

View file

@ -1,26 +0,0 @@
{{- if (not .Values.config.existingMetricsConfig) }}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- with .Values.config.metricsConfig.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "kyverno.metricsConfigMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- if .Values.config.metricsConfig }}
data:
{{- if .Values.config.metricsConfig.namespaces }}
namespaces: {{ .Values.config.metricsConfig.namespaces | toJson | quote }}
{{- end -}}
{{- if .Values.config.metricsConfig.metricsRefreshInterval }}
metricsRefreshInterval: {{ .Values.config.metricsConfig.metricsRefreshInterval }}
{{- end -}}
{{- else }}
data:
namespaces: '{"include": [], "exclude": []}'
metricsRefreshInterval: 0s
{{- end }}
{{- end -}}

View file

@ -106,7 +106,7 @@ spec:
{{- end }}
env:
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:

View file

@ -14,6 +14,112 @@ fullnameOverride:
# -- Namespace the chart deploys to
namespace:
config:
# -- Create the configmap.
create: true
# -- (string) The configmap name (required if `create` is `false`).
name: ~
# -- Additional annotations to add to the configmap.
annotations: {}
# -- Enable registry mutation for container images. Enabled by default.
enableDefaultRegistryMutation: true
# -- The registry hostname used for the image mutation.
defaultRegistry: docker.io
# -- Exclude group role
excludeGroupRole: []
# -- Exclude username
excludeUsername: []
# -- Generate success events.
generateSuccessEvents: false
# -- Resource types to be skipped by the Kyverno policy engine.
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
# @default -- See [values.yaml](values.yaml)
resourceFilters:
- '[Event,*,*]'
- '[*,kube-system,*]'
- '[*,kube-public,*]'
- '[*,kube-node-lease,*]'
- '[Node,*,*]'
- '[APIService,*,*]'
- '[TokenReview,*,*]'
- '[SubjectAccessReview,*,*]'
- '[SelfSubjectAccessReview,*,*]'
- '[Binding,*,*]'
- '[ReplicaSet,*,*]'
- '[AdmissionReport,*,*]'
- '[ClusterAdmissionReport,*,*]'
- '[BackgroundScanReport,*,*]'
- '[ClusterBackgroundScanReport,*,*]'
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
- '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'
# -- Defines the `namespaceSelector` in the webhook configurations.
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
# will be forwarded to the webhook configurations.
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
webhooks:
# Exclude namespaces
# - namespaceSelector:
# matchExpressions:
# - key: kubernetes.io/metadata.name
# operator: NotIn
# values:
# - kube-system
# - kyverno
# Exclude objects
# - objectSelector:
# matchExpressions:
# - key: webhooks.kyverno.io/exclude
# operator: DoesNotExist
metricsConfig:
# -- Create the configmap.
create: true
# -- (string) The configmap name (required if `create` is `false`).
name: ~
# -- Additional annotations to add to the configmap.
annotations: {}
namespaces:
# -- List of namespaces to capture metrics for.
include: []
# -- list of namespaces to NOT capture metrics for.
exclude: []
# -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
metricsRefreshInterval: ~
# metricsRefreshInterval: 24h
# -- Additional labels
customLabels: {}
@ -67,7 +173,6 @@ initContainer:
- --loggingFormat=text
- --exceptionNamespace={{ include "kyverno.namespace" . }}
testImage:
# -- Image registry
registry:
@ -304,100 +409,6 @@ excludeKyvernoNamespace: true
# Namespaces to exclude from the default resourceFilters
resourceFiltersExcludeNamespaces: []
config:
# -- The registry hostname used for the image mutation.
defaultRegistry: docker.io
# -- Enable registry mutation for container images. Enabled by default.
enableDefaultRegistryMutation: true
# -- Resource types to be skipped by the Kyverno policy engine.
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
# @default -- See [values.yaml](values.yaml)
resourceFilters:
- '[Event,*,*]'
- '[*,kube-system,*]'
- '[*,kube-public,*]'
- '[*,kube-node-lease,*]'
- '[Node,*,*]'
- '[APIService,*,*]'
- '[TokenReview,*,*]'
- '[SubjectAccessReview,*,*]'
- '[SelfSubjectAccessReview,*,*]'
- '[Binding,*,*]'
- '[ReplicaSet,*,*]'
- '[AdmissionReport,*,*]'
- '[ClusterAdmissionReport,*,*]'
- '[BackgroundScanReport,*,*]'
- '[ClusterBackgroundScanReport,*,*]'
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
- '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.configMapName" . }}]'
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.metricsConfigMapName" . }}]'
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'
# -- Name of an existing config map (ignores default/provided resourceFilters)
existingConfig: ''
# -- Additional annotations to add to the configmap
annotations: {}
# example.com/annotation: foo
# -- Exclude group role
excludeGroupRole:
# - ''
# -- Exclude username
excludeUsername:
# - ''
# -- Defines the `namespaceSelector` in the webhook configurations.
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
# will be forwarded to the webhook configurations.
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
webhooks:
# Exclude namespaces
# - namespaceSelector:
# matchExpressions:
# - key: kubernetes.io/metadata.name
# operator: NotIn
# values:
# - kube-system
# - kyverno
# Exclude objects
# - objectSelector:
# matchExpressions:
# - key: webhooks.kyverno.io/exclude
# operator: DoesNotExist
# -- Generate success events.
generateSuccessEvents: false
# -- Metrics config.
metricsConfig:
# -- Additional annotations to add to the metricsconfigmap
annotations: {}
# example.com/annotation: foo
namespaces: {
"include": [],
"exclude": []
}
# 'namespaces.include': list of namespaces to capture metrics for. Default: metrics being captured for all namespaces except excludeNamespaces.
# 'namespaces.exclude': list of namespaces to NOT capture metrics for. Default: []
# metricsRefreshInterval: 24h
# rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
# Or provide an existing metrics config-map by uncommenting the below line
# existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap.
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)

View file

@ -49,32 +49,30 @@ metadata:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno
namespace: kyverno
labels:
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/version: latest
data:
defaultRegistry: "docker.io"
enableDefaultRegistryMutation: "true"
# resource types to be skipped by kyverno policy engine
defaultRegistry: "docker.io"
generateSuccessEvents: "false"
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-test]"
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: kyverno-metrics
namespace: kyverno
labels:
app.kubernetes.io/part-of: kyverno
app: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/version: latest
data:
namespaces: "{\"exclude\":[],\"include\":[]}"
---