refactor: helm configmaps (#6064)
* refactor: helm configmaps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: helm configmaps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * readme Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * changelog Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
fd0699c6d4
commit
17805be0d7
14 changed files with 257 additions and 210 deletions
|
@ -1,8 +1,11 @@
|
|||
## v1.10.0
|
||||
|
||||
## v1.10.0-rc.1
|
||||
|
||||
### Note
|
||||
|
||||
- Removed `GenerateRequest` CRD.
|
||||
- Refactored `kyverno` chart, migration instructions are available in chart `README.md`.
|
||||
|
||||
## v1.9.0-rc.1
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: v2
|
||||
type: application
|
||||
name: kyverno
|
||||
version: v2.5.3
|
||||
version: v3.0.0
|
||||
appVersion: latest
|
||||
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
||||
description: Kubernetes Native Policy Management
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Kubernetes Native Policy Management
|
||||
|
||||
  
|
||||
  
|
||||
|
||||
## About
|
||||
|
||||
|
@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io.
|
|||
|
||||
## Installing the Chart
|
||||
|
||||
**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**
|
||||
|
||||
This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section.
|
||||
|
||||
**Add the Kyverno Helm repository:**
|
||||
|
||||
```console
|
||||
|
@ -105,6 +109,14 @@ spec:
|
|||
- Replace=true
|
||||
```
|
||||
|
||||
## Migrating from v2 to v3
|
||||
|
||||
In `v3` chart values changed significantly, please read the instructions below to migrate your values:
|
||||
|
||||
- `config.metricsConfig` is now `metricsConfig`
|
||||
- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
|
||||
- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
|
||||
|
||||
## Uninstalling the Chart
|
||||
|
||||
To uninstall/delete the `kyverno` deployment:
|
||||
|
@ -122,6 +134,22 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| nameOverride | string | `nil` | Override the name of the chart |
|
||||
| fullnameOverride | string | `nil` | Override the expanded name of the chart |
|
||||
| namespace | string | `nil` | Namespace the chart deploys to |
|
||||
| config.create | bool | `true` | Create the configmap. |
|
||||
| config.name | string | `nil` | The configmap name (required if `create` is `false`). |
|
||||
| config.annotations | object | `{}` | Additional annotations to add to the configmap. |
|
||||
| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
|
||||
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
|
||||
| config.excludeGroupRole | list | `[]` | Exclude group role |
|
||||
| config.excludeUsername | list | `[]` | Exclude username |
|
||||
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
||||
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
|
||||
| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
|
||||
| metricsConfig.create | bool | `true` | Create the configmap. |
|
||||
| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). |
|
||||
| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. |
|
||||
| metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. |
|
||||
| metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. |
|
||||
| metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics |
|
||||
| customLabels | object | `{}` | Additional labels |
|
||||
| rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount |
|
||||
| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
|
||||
|
@ -177,17 +205,6 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
|
||||
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
|
||||
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
|
||||
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
|
||||
| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
|
||||
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
|
||||
| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) |
|
||||
| config.annotations | object | `{}` | Additional annotations to add to the configmap |
|
||||
| config.excludeGroupRole | string | `nil` | Exclude group role |
|
||||
| config.excludeUsername | string | `nil` | Exclude username |
|
||||
| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
|
||||
| config.generateSuccessEvents | bool | `false` | Generate success events. |
|
||||
| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
|
||||
| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap |
|
||||
| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
||||
| service.port | int | `443` | Service port. |
|
||||
| service.type | string | `"ClusterIP"` | Service type. |
|
||||
|
|
|
@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io.
|
|||
|
||||
## Installing the Chart
|
||||
|
||||
**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**
|
||||
|
||||
This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section.
|
||||
|
||||
**Add the Kyverno Helm repository:**
|
||||
|
||||
```console
|
||||
|
@ -105,6 +109,14 @@ spec:
|
|||
- Replace=true
|
||||
```
|
||||
|
||||
## Migrating from v2 to v3
|
||||
|
||||
In `v3` chart values changed significantly, please read the instructions below to migrate your values:
|
||||
|
||||
- `config.metricsConfig` is now `metricsConfig`
|
||||
- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
|
||||
- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
|
||||
|
||||
## Uninstalling the Chart
|
||||
|
||||
To uninstall/delete the `kyverno` deployment:
|
||||
|
|
|
@ -102,16 +102,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
|||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Get the config map name. */}}
|
||||
{{- define "kyverno.configMapName" -}}
|
||||
{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Get the metrics config map name. */}}
|
||||
{{- define "kyverno.metricsConfigMapName" -}}
|
||||
{{- printf "%s" (default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.config.existingMetricsConfig) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Get the namespace name. */}}
|
||||
{{- define "kyverno.namespace" -}}
|
||||
{{- if .Values.namespace -}}
|
||||
|
@ -175,30 +165,3 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
|
|||
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
|
||||
{{- define "kyverno.resourceFilters" -}}
|
||||
{{- $resourceFilters := .Values.config.resourceFilters }}
|
||||
{{- if .Values.excludeKyvernoNamespace }}
|
||||
{{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
|
||||
{{- end }}
|
||||
{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
|
||||
{{- range $filter := $resourceFilters }}
|
||||
{{- if (contains (printf ",%s," $exclude) $filter) }}
|
||||
{{- $resourceFilters = without $resourceFilters $filter }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- tpl (join "" $resourceFilters) . }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "kyverno.webhooks" -}}
|
||||
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
|
||||
{{- $newWebhook := list }}
|
||||
{{- range $webhook := .Values.config.webhooks }}
|
||||
{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
|
||||
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
|
||||
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
|
||||
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
|
||||
{{- end }}
|
||||
{{- $newWebhook | toJson }}
|
||||
{{- end }}
|
||||
|
|
|
@ -106,7 +106,7 @@ spec:
|
|||
{{- end }}
|
||||
env:
|
||||
- name: METRICS_CONFIG
|
||||
value: {{ template "kyverno.metricsConfigMapName" . }}
|
||||
value: {{ template "kyverno.config.metricsConfigMapName" . }}
|
||||
- name: KYVERNO_POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
|
|
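--- a/charts/kyverno/templates/config/_helpers.tpl
+++ b/charts/kyverno/templates/config/_helpers.tpl
@@ -0,0 +1,54 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.config.configMapName" -}}
+{{- if .Values.config.create -}}
+{{ default (include "kyverno.fullname" .) .Values.config.name }}
+{{- else -}}
+{{ required "A configmap name is required when `config.create` is set to `false`" .Values.config.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.config.metricsConfigMapName" -}}
+{{- if .Values.metricsConfig.create -}}
+{{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.metricsConfig.name }}
+{{- else -}}
+{{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.metricsConfig.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.config.labels" -}}
+app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
+{{- with (include "kyverno.helmLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
+{{- with (include "kyverno.matchLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
+{{- with (include "kyverno.versionLabels" .) -}}{{- . | trim | nindent 0 -}}{{- end -}}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end -}}
+
+{{- define "kyverno.config.resourceFilters" -}}
+{{- $resourceFilters := .Values.config.resourceFilters }}
+{{- if .Values.excludeKyvernoNamespace }}
+{{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
+{{- end }}
+{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
+{{- range $filter := $resourceFilters }}
+{{- if (contains (printf ",%s," $exclude) $filter) }}
+{{- $resourceFilters = without $resourceFilters $filter }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- tpl (join "" $resourceFilters) . }}
+{{- end }}
+
+{{- define "kyverno.config.webhooks" -}}
+{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
+{{- $newWebhook := list }}
+{{- range $webhook := .Values.config.webhooks }}
+{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
+{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
+{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
+{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
+{{- end }}
+{{- $newWebhook | toJson }}
+{{- end }}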
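Review bot: The five new `define` blocks in this file carry no comment, while the helpers they replace in the main `_helpers.tpl` each had a one-line header such as `{{/* Get the config map name. */}}`; the name-resolution rules are now non-trivial and deserve the same. For `kyverno.config.configMapName` I would add `{{/* Name of the kyverno config map: config.name, or the chart fullname when config.create is true; rendering fails when create is false and no name is given. */}}`, and the matching sentence for `kyverno.config.metricsConfigMapName` with the `-metrics` suffix. `kyverno.config.resourceFilters` and `kyverno.config.webhooks` were moved here unchanged, so a short note that the Kyverno namespace is prepended/appended only when `excludeKyvernoNamespace` is true would also help a reader who no longer finds them in the old file.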
|
@ -1,40 +1,35 @@
|
|||
{{- if (not .Values.config.existingConfig) }}
|
||||
{{- if .Values.config.create -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "kyverno.config.configMapName" . }}
|
||||
namespace: {{ template "kyverno.namespace" . }}
|
||||
labels:
|
||||
{{- include "kyverno.labels" . | nindent 4 }}
|
||||
{{- include "kyverno.config.labels" . | nindent 4 }}
|
||||
{{- with .Values.config.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
name: {{ template "kyverno.configMapName" . }}
|
||||
namespace: {{ template "kyverno.namespace" . }}
|
||||
data:
|
||||
{{- if .Values.config.defaultRegistry }}
|
||||
defaultRegistry: {{ .Values.config.defaultRegistry | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.config.enableDefaultRegistryMutation }}
|
||||
enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }}
|
||||
{{- with .Values.config.defaultRegistry }}
|
||||
defaultRegistry: {{ . | quote }}
|
||||
{{- end }}
|
||||
# resource types to be skipped by kyverno policy engine
|
||||
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
|
||||
{{- with .Values.config.excludeGroupRole }}
|
||||
excludeGroupRole: {{ join "," . | quote }}
|
||||
{{- end -}}
|
||||
{{- with .Values.config.excludeUsername }}
|
||||
excludeUsername: {{ join "," . | quote }}
|
||||
{{- end -}}
|
||||
{{- if .Values.config.resourceFilters }}
|
||||
resourceFilters: {{ include "kyverno.resourceFilters" . | quote }}
|
||||
{{- end -}}
|
||||
{{- if .Values.config.excludeGroupRole }}
|
||||
excludeGroupRole: {{ join "," .Values.config.excludeGroupRole | quote }}
|
||||
{{- end -}}
|
||||
{{- if .Values.config.excludeUsername }}
|
||||
excludeUsername: {{ join "," .Values.config.excludeUsername | quote }}
|
||||
resourceFilters: {{ include "kyverno.config.resourceFilters" . | quote }}
|
||||
{{- end -}}
|
||||
{{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }}
|
||||
webhooks: {{ include "kyverno.webhooks" . | quote }}
|
||||
webhooks: {{ include "kyverno.config.webhooks" . | quote }}
|
||||
{{- else if .Values.config.webhooks }}
|
||||
webhooks: {{ .Values.config.webhooks | toJson | quote }}
|
||||
{{- else if .Values.excludeKyvernoNamespace }}
|
||||
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
|
||||
{{- end -}}
|
||||
{{- if .Values.config.generateSuccessEvents }}
|
||||
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
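Review bot: The `{{- if .Values.config.create -}}` guard at the top of the template has no counterpart rejecting the removed `config.existingConfig` key, so a v2 values file that still sets it will, with the new `create: true` default, have the chart create its own config map and point `INIT_CONFIG` at it, silently dropping the operator's bring-your-own `resourceFilters` and `webhooks`. Unless the chart ships a `values.schema.json` (none appears in this diff), Helm does not flag unknown values, so the migration note in the README is the only protection. A one-line guard before the `if` makes the break explicit: `{{- if .Values.config.existingConfig }}{{ fail "config.existingConfig was replaced by config.create and config.name, see the chart README" }}{{ end }}`. The same applies to `config.existingMetricsConfig` and `config.metricsConfig` in the new `config/metricsconfigmap.yaml`.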
20
charts/kyverno/templates/config/metricsconfigmap.yaml
Normal file
|
@ -0,0 +1,20 @@
|
|||
{{- if .Values.metricsConfig.create -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "kyverno.config.metricsConfigMapName" . }}
|
||||
namespace: {{ template "kyverno.namespace" . }}
|
||||
labels:
|
||||
{{- include "kyverno.config.labels" . | nindent 4 }}
|
||||
{{- with .Values.metricsConfig.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- with .Values.metricsConfig.namespaces }}
|
||||
namespaces: {{ toJson . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.metricsConfig.metricsRefreshInterval }}
|
||||
metricsRefreshInterval: {{ .Values.metricsConfig.metricsRefreshInterval }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
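Review bot: Inside `{{- with .Values.metricsConfig.metricsRefreshInterval }}` the dot is rebound to the interval value, so the body line `metricsRefreshInterval: {{ .Values.metricsConfig.metricsRefreshInterval }}` evaluates `.Values` on a string and fails to render; the default `~` skips the block, so this only surfaces once a user sets the interval. The line should read `metricsRefreshInterval: {{ . }}` (or use `$.Values...` if the root context is wanted), which is how the sibling `namespaces: {{ toJson . | quote }}` line already does it. Note also that the deleted template emitted `metricsRefreshInterval: 0s` when no config was given, whereas this one omits the key entirely; whether the consumer treats a missing key the same as `0s` is not visible here and is worth confirming.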
|
@ -89,7 +89,7 @@ spec:
|
|||
{{- end }}
|
||||
env:
|
||||
- name: METRICS_CONFIG
|
||||
value: {{ template "kyverno.metricsConfigMapName" . }}
|
||||
value: {{ template "kyverno.config.metricsConfigMapName" . }}
|
||||
- name: KYVERNO_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
|
@ -134,9 +134,9 @@ spec:
|
|||
protocol: TCP
|
||||
env:
|
||||
- name: INIT_CONFIG
|
||||
value: {{ template "kyverno.configMapName" . }}
|
||||
value: {{ template "kyverno.config.configMapName" . }}
|
||||
- name: METRICS_CONFIG
|
||||
value: {{ template "kyverno.metricsConfigMapName" . }}
|
||||
value: {{ template "kyverno.config.metricsConfigMapName" . }}
|
||||
- name: KYVERNO_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
{{- if (not .Values.config.existingMetricsConfig) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "kyverno.labels" . | nindent 4 }}
|
||||
{{- with .Values.config.metricsConfig.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
name: {{ template "kyverno.metricsConfigMapName" . }}
|
||||
namespace: {{ template "kyverno.namespace" . }}
|
||||
{{- if .Values.config.metricsConfig }}
|
||||
data:
|
||||
{{- if .Values.config.metricsConfig.namespaces }}
|
||||
namespaces: {{ .Values.config.metricsConfig.namespaces | toJson | quote }}
|
||||
{{- end -}}
|
||||
{{- if .Values.config.metricsConfig.metricsRefreshInterval }}
|
||||
metricsRefreshInterval: {{ .Values.config.metricsConfig.metricsRefreshInterval }}
|
||||
{{- end -}}
|
||||
{{- else }}
|
||||
data:
|
||||
namespaces: '{"include": [], "exclude": []}'
|
||||
metricsRefreshInterval: 0s
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -106,7 +106,7 @@ spec:
|
|||
{{- end }}
|
||||
env:
|
||||
- name: METRICS_CONFIG
|
||||
value: {{ template "kyverno.metricsConfigMapName" . }}
|
||||
value: {{ template "kyverno.config.metricsConfigMapName" . }}
|
||||
- name: KYVERNO_POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
|
|
|
@ -14,6 +14,112 @@ fullnameOverride:
|
|||
# -- Namespace the chart deploys to
|
||||
namespace:
|
||||
|
||||
config:
|
||||
|
||||
# -- Create the configmap.
|
||||
create: true
|
||||
|
||||
# -- (string) The configmap name (required if `create` is `false`).
|
||||
name: ~
|
||||
|
||||
# -- Additional annotations to add to the configmap.
|
||||
annotations: {}
|
||||
|
||||
# -- Enable registry mutation for container images. Enabled by default.
|
||||
enableDefaultRegistryMutation: true
|
||||
|
||||
# -- The registry hostname used for the image mutation.
|
||||
defaultRegistry: docker.io
|
||||
|
||||
# -- Exclude group role
|
||||
excludeGroupRole: []
|
||||
|
||||
# -- Exclude username
|
||||
excludeUsername: []
|
||||
|
||||
# -- Generate success events.
|
||||
generateSuccessEvents: false
|
||||
|
||||
# -- Resource types to be skipped by the Kyverno policy engine.
|
||||
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
|
||||
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
|
||||
# @default -- See [values.yaml](values.yaml)
|
||||
resourceFilters:
|
||||
- '[Event,*,*]'
|
||||
- '[*,kube-system,*]'
|
||||
- '[*,kube-public,*]'
|
||||
- '[*,kube-node-lease,*]'
|
||||
- '[Node,*,*]'
|
||||
- '[APIService,*,*]'
|
||||
- '[TokenReview,*,*]'
|
||||
- '[SubjectAccessReview,*,*]'
|
||||
- '[SelfSubjectAccessReview,*,*]'
|
||||
- '[Binding,*,*]'
|
||||
- '[ReplicaSet,*,*]'
|
||||
- '[AdmissionReport,*,*]'
|
||||
- '[ClusterAdmissionReport,*,*]'
|
||||
- '[BackgroundScanReport,*,*]'
|
||||
- '[ClusterBackgroundScanReport,*,*]'
|
||||
# exclude resources from the chart
|
||||
- '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
|
||||
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
|
||||
- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'
|
||||
|
||||
# -- Defines the `namespaceSelector` in the webhook configurations.
|
||||
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
|
||||
# will be forwarded to the webhook configurations.
|
||||
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
|
||||
webhooks:
|
||||
# Exclude namespaces
|
||||
# - namespaceSelector:
|
||||
# matchExpressions:
|
||||
# - key: kubernetes.io/metadata.name
|
||||
# operator: NotIn
|
||||
# values:
|
||||
# - kube-system
|
||||
# - kyverno
|
||||
# Exclude objects
|
||||
# - objectSelector:
|
||||
# matchExpressions:
|
||||
# - key: webhooks.kyverno.io/exclude
|
||||
# operator: DoesNotExist
|
||||
|
||||
metricsConfig:
|
||||
|
||||
# -- Create the configmap.
|
||||
create: true
|
||||
|
||||
# -- (string) The configmap name (required if `create` is `false`).
|
||||
name: ~
|
||||
|
||||
# -- Additional annotations to add to the configmap.
|
||||
annotations: {}
|
||||
|
||||
namespaces:
|
||||
|
||||
# -- List of namespaces to capture metrics for.
|
||||
include: []
|
||||
|
||||
# -- list of namespaces to NOT capture metrics for.
|
||||
exclude: []
|
||||
|
||||
# -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
|
||||
metricsRefreshInterval: ~
|
||||
# metricsRefreshInterval: 24h
|
||||
|
||||
# -- Additional labels
|
||||
customLabels: {}
|
||||
|
||||
|
@ -67,7 +173,6 @@ initContainer:
|
|||
- --loggingFormat=text
|
||||
- --exceptionNamespace={{ include "kyverno.namespace" . }}
|
||||
|
||||
|
||||
testImage:
|
||||
# -- Image registry
|
||||
registry:
|
||||
|
@ -304,100 +409,6 @@ excludeKyvernoNamespace: true
|
|||
# Namespaces to exclude from the default resourceFilters
|
||||
resourceFiltersExcludeNamespaces: []
|
||||
|
||||
config:
|
||||
# -- The registry hostname used for the image mutation.
|
||||
defaultRegistry: docker.io
|
||||
|
||||
# -- Enable registry mutation for container images. Enabled by default.
|
||||
enableDefaultRegistryMutation: true
|
||||
|
||||
# -- Resource types to be skipped by the Kyverno policy engine.
|
||||
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
|
||||
# These are joined together without spaces, run through `tpl`, and the result is set in the config map.
|
||||
# @default -- See [values.yaml](values.yaml)
|
||||
resourceFilters:
|
||||
- '[Event,*,*]'
|
||||
- '[*,kube-system,*]'
|
||||
- '[*,kube-public,*]'
|
||||
- '[*,kube-node-lease,*]'
|
||||
- '[Node,*,*]'
|
||||
- '[APIService,*,*]'
|
||||
- '[TokenReview,*,*]'
|
||||
- '[SubjectAccessReview,*,*]'
|
||||
- '[SelfSubjectAccessReview,*,*]'
|
||||
- '[Binding,*,*]'
|
||||
- '[ReplicaSet,*,*]'
|
||||
- '[AdmissionReport,*,*]'
|
||||
- '[ClusterAdmissionReport,*,*]'
|
||||
- '[BackgroundScanReport,*,*]'
|
||||
- '[ClusterBackgroundScanReport,*,*]'
|
||||
# exclude resources from the chart
|
||||
- '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.configMapName" . }}]'
|
||||
- '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.metricsConfigMapName" . }}]'
|
||||
- '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
|
||||
- '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
|
||||
- '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
|
||||
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
|
||||
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
|
||||
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
|
||||
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
|
||||
- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
|
||||
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'
|
||||
|
||||
# -- Name of an existing config map (ignores default/provided resourceFilters)
|
||||
existingConfig: ''
|
||||
# -- Additional annotations to add to the configmap
|
||||
annotations: {}
|
||||
# example.com/annotation: foo
|
||||
# -- Exclude group role
|
||||
excludeGroupRole:
|
||||
# - ''
|
||||
# -- Exclude username
|
||||
excludeUsername:
|
||||
# - ''
|
||||
# -- Defines the `namespaceSelector` in the webhook configurations.
|
||||
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
|
||||
# will be forwarded to the webhook configurations.
|
||||
# The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
|
||||
webhooks:
|
||||
# Exclude namespaces
|
||||
# - namespaceSelector:
|
||||
# matchExpressions:
|
||||
# - key: kubernetes.io/metadata.name
|
||||
# operator: NotIn
|
||||
# values:
|
||||
# - kube-system
|
||||
# - kyverno
|
||||
# Exclude objects
|
||||
# - objectSelector:
|
||||
# matchExpressions:
|
||||
# - key: webhooks.kyverno.io/exclude
|
||||
# operator: DoesNotExist
|
||||
|
||||
# -- Generate success events.
|
||||
generateSuccessEvents: false
|
||||
# -- Metrics config.
|
||||
metricsConfig:
|
||||
# -- Additional annotations to add to the metricsconfigmap
|
||||
annotations: {}
|
||||
# example.com/annotation: foo
|
||||
namespaces: {
|
||||
"include": [],
|
||||
"exclude": []
|
||||
}
|
||||
# 'namespaces.include': list of namespaces to capture metrics for. Default: metrics being captured for all namespaces except excludeNamespaces.
|
||||
# 'namespaces.exclude': list of namespaces to NOT capture metrics for. Default: []
|
||||
|
||||
# metricsRefreshInterval: 24h
|
||||
# rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
|
||||
|
||||
# Or provide an existing metrics config-map by uncommenting the below line
|
||||
# existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap.
|
||||
# -- Deployment update strategy.
|
||||
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
|
||||
# @default -- See [values.yaml](values.yaml)
|
||||
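Review bot: The new `config` and `metricsConfig` stanzas spell null three different ways — `name: ~`, `metricsRefreshInterval: ~`, and the bare `webhooks:` — which yamllint's `empty-values` check flags and which reads inconsistently next to the explicit `[]`/`{}` defaults. I would write `name: null` and `metricsRefreshInterval: null` (and `webhooks: null` if the bare form is not a documented helm-docs convention for this chart). The `# -- (string)` type hint on the null keys is good and should stay, since helm-docs cannot infer the type from a null.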
|
|
|
@ -49,32 +49,30 @@ metadata:
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: kyverno
|
||||
app: kyverno
|
||||
app.kubernetes.io/name: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
name: kyverno
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app: kyverno
|
||||
app.kubernetes.io/name: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
data:
|
||||
defaultRegistry: "docker.io"
|
||||
enableDefaultRegistryMutation: "true"
|
||||
# resource types to be skipped by kyverno policy engine
|
||||
defaultRegistry: "docker.io"
|
||||
generateSuccessEvents: "false"
|
||||
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-test]"
|
||||
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: kyverno
|
||||
app: kyverno
|
||||
app.kubernetes.io/name: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
name: kyverno-metrics
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app: kyverno
|
||||
app.kubernetes.io/name: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
data:
|
||||
namespaces: "{\"exclude\":[],\"include\":[]}"
|
||||
---
|
||||
|
|