refactor: helm configmaps (#6064)

* refactor: helm configmaps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: helm configmaps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * readme Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * changelog Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-01-20 15:36:54 +01:00 · 2023-01-20 15:36:54 +01:00 · 17805be0d7
commit 17805be0d7
parent fd0699c6d4
14 changed files with 257 additions and 210 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,8 +1,11 @@
 ## v1.10.0

+## v1.10.0-rc.1
+
 ### Note

 - Removed `GenerateRequest` CRD.
+- Refactored `kyverno` chart, migration instructions are available in chart `README.md`.

 ## v1.9.0-rc.1

--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: kyverno
-version: v2.5.3
+version: v3.0.0
 appVersion: latest
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -2,7 +2,7 @@

 Kubernetes Native Policy Management

-![Version: v2.5.3](https://img.shields.io/badge/Version-v2.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: v3.0.0](https://img.shields.io/badge/Version-v3.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)

 ## About

@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io.

 ## Installing the Chart

+**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**
+
+This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section.
+
 **Add the Kyverno Helm repository:**

 ```console
@ -105,6 +109,14 @@ spec:
      - Replace=true
 ```

+## Migrating from v2 to v3
+
+In `v3` chart values changed significantly, please read the instructions below to migrate your values:
+
+- `config.metricsConfig` is now `metricsConfig`
+- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
+- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
+
 ## Uninstalling the Chart

 To uninstall/delete the `kyverno` deployment:
@ -122,6 +134,22 @@ The command removes all the Kubernetes components associated with the chart and
 | nameOverride | string | `nil` | Override the name of the chart |
 | fullnameOverride | string | `nil` | Override the expanded name of the chart |
 | namespace | string | `nil` | Namespace the chart deploys to |
+| config.create | bool | `true` | Create the configmap. |
+| config.name | string | `nil` | The configmap name (required if `create` is `false`). |
+| config.annotations | object | `{}` | Additional annotations to add to the configmap. |
+| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
+| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
+| config.excludeGroupRole | list | `[]` | Exclude group role |
+| config.excludeUsername | list | `[]` | Exclude username |
+| config.generateSuccessEvents | bool | `false` | Generate success events. |
+| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
+| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
+| metricsConfig.create | bool | `true` | Create the configmap. |
+| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). |
+| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. |
+| metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. |
+| metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. |
+| metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics |
 | customLabels | object | `{}` | Additional labels |
 | rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount |
 | rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
@ -177,17 +205,6 @@ The command removes all the Kubernetes components associated with the chart and
 | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
 | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
-| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
-| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
-| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
-| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) |
-| config.annotations | object | `{}` | Additional annotations to add to the configmap |
-| config.excludeGroupRole | string | `nil` | Exclude group role |
-| config.excludeUsername | string | `nil` | Exclude username |
-| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
-| config.generateSuccessEvents | bool | `false` | Generate success events. |
-| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
-| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap |
 | updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
 | service.port | int | `443` | Service port. |
 | service.type | string | `"ClusterIP"` | Service type. |
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io.

 ## Installing the Chart

+**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**
+
+This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section.
+
 **Add the Kyverno Helm repository:**

 ```console
@ -105,6 +109,14 @@ spec:
      - Replace=true
 ```

+## Migrating from v2 to v3
+
+In `v3` chart values changed significantly, please read the instructions below to migrate your values:
+
+- `config.metricsConfig` is now `metricsConfig`
+- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
+- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
+
 ## Uninstalling the Chart

 To uninstall/delete the `kyverno` deployment:
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@ -102,16 +102,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{- end -}}

-{{/* Get the config map name. */}}
-{{- define "kyverno.configMapName" -}}
-{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
-{{- end -}}
-
-{{/* Get the metrics config map name. */}}
-{{- define "kyverno.metricsConfigMapName" -}}
-{{- printf "%s" (default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.config.existingMetricsConfig) -}}
-{{- end -}}
-
 {{/* Get the namespace name. */}}
 {{- define "kyverno.namespace" -}}
 {{- if .Values.namespace -}}
@ -175,30 +165,3 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
 {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
  {{- end -}}
 {{- end }}
-
-{{- define "kyverno.resourceFilters" -}}
-{{- $resourceFilters := .Values.config.resourceFilters }}
-{{- if .Values.excludeKyvernoNamespace }}
-  {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
-{{- end }}
-{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
-  {{- range $filter := $resourceFilters }}
-    {{- if (contains (printf ",%s," $exclude) $filter) }}
-      {{- $resourceFilters = without $resourceFilters $filter }}
-    {{- end }}
-  {{- end }}
-{{- end }}
-{{- tpl (join "" $resourceFilters) . }}
-{{- end }}
-
-{{- define "kyverno.webhooks" -}}
-{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
-{{- $newWebhook := list }}
-{{- range $webhook := .Values.config.webhooks }}
-  {{- $namespaceSelector := default dict $webhook.namespaceSelector }}
-  {{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
-  {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
-  {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
-{{- end }}
-{{- $newWebhook | toJson }}
-{{- end }}
--- a/charts/kyverno/templates/cleanup-controller/deployment.yaml
+++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml
@ -106,7 +106,7 @@ spec:
            {{- end }}
          env:
          - name: METRICS_CONFIG
-            value: {{ template "kyverno.metricsConfigMapName" . }}
+            value: {{ template "kyverno.config.metricsConfigMapName" . }}
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
--- a/charts/kyverno/templates/config/_helpers.tpl
+++ b/charts/kyverno/templates/config/_helpers.tpl
@ -0,0 +1,54 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.config.configMapName" -}}
+{{- if .Values.config.create -}}
+    {{ default (include "kyverno.fullname" .) .Values.config.name }}
+{{- else -}}
+    {{ required "A configmap name is required when `config.create` is set to `false`" .Values.config.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.config.metricsConfigMapName" -}}
+{{- if .Values.metricsConfig.create -}}
+    {{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.metricsConfig.name }}
+{{- else -}}
+    {{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.metricsConfig.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.config.labels" -}}
+app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
+{{- with (include "kyverno.helmLabels" .)     -}}{{- . | trim | nindent 0 -}}{{- end -}}
+{{- with (include "kyverno.matchLabels" .)    -}}{{- . | trim | nindent 0 -}}{{- end -}}
+{{- with (include "kyverno.versionLabels" .)  -}}{{- . | trim | nindent 0 -}}{{- end -}}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end -}}
+
+{{- define "kyverno.config.resourceFilters" -}}
+{{- $resourceFilters := .Values.config.resourceFilters }}
+{{- if .Values.excludeKyvernoNamespace }}
+  {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
+{{- end }}
+{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
+  {{- range $filter := $resourceFilters }}
+    {{- if (contains (printf ",%s," $exclude) $filter) }}
+      {{- $resourceFilters = without $resourceFilters $filter }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- tpl (join "" $resourceFilters) . }}
+{{- end }}
+
+{{- define "kyverno.config.webhooks" -}}
+{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
+{{- $newWebhook := list }}
+{{- range $webhook := .Values.config.webhooks }}
+  {{- $namespaceSelector := default dict $webhook.namespaceSelector }}
+  {{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
+  {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
+  {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
+{{- end }}
+{{- $newWebhook | toJson }}
+{{- end }}
--- a/charts/kyverno/templates/config/configmap.yaml
+++ b/charts/kyverno/templates/config/configmap.yaml
@ -1,40 +1,35 @@
-{{- if (not .Values.config.existingConfig) }}
+{{- if .Values.config.create -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
+  name: {{ template "kyverno.config.configMapName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
  labels:
-    {{- include "kyverno.labels" . | nindent 4 }}
+    {{- include "kyverno.config.labels" . | nindent 4 }}
  {{- with .Values.config.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
-  name: {{ template "kyverno.configMapName" . }}
-  namespace: {{ template "kyverno.namespace" . }}
 data:
-  {{- if .Values.config.defaultRegistry }}
-  defaultRegistry: {{ .Values.config.defaultRegistry | quote }}
-  {{- end }}
-  {{- if .Values.config.enableDefaultRegistryMutation }}
  enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }}
+  {{- with .Values.config.defaultRegistry }}
+  defaultRegistry: {{ . | quote }}
  {{- end }}
-  # resource types to be skipped by kyverno policy engine
+  generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
+  {{- with .Values.config.excludeGroupRole }}
+  excludeGroupRole: {{ join "," . | quote }}
+  {{- end -}}
+  {{- with .Values.config.excludeUsername }}
+  excludeUsername: {{ join "," . | quote }}
+  {{- end -}}
  {{- if .Values.config.resourceFilters }}
-  resourceFilters: {{ include "kyverno.resourceFilters" . | quote }}
-  {{- end -}}
-  {{- if .Values.config.excludeGroupRole }}
-  excludeGroupRole: {{ join "," .Values.config.excludeGroupRole | quote }}
-  {{- end -}}
-  {{- if .Values.config.excludeUsername }}
-  excludeUsername: {{ join "," .Values.config.excludeUsername | quote }}
+  resourceFilters: {{ include "kyverno.config.resourceFilters" . | quote }}
  {{- end -}}
  {{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }}
-  webhooks: {{ include "kyverno.webhooks" . | quote }}
+  webhooks: {{ include "kyverno.config.webhooks" . | quote }}
  {{- else if .Values.config.webhooks }}
  webhooks: {{ .Values.config.webhooks | toJson | quote }}
  {{- else if .Values.excludeKyvernoNamespace }}
  webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
  {{- end -}}
-  {{- if .Values.config.generateSuccessEvents }}
-  generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
-  {{- end -}}
 {{- end -}}
--- a/charts/kyverno/templates/config/metricsconfigmap.yaml
+++ b/charts/kyverno/templates/config/metricsconfigmap.yaml
@ -0,0 +1,20 @@
+{{- if .Values.metricsConfig.create -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "kyverno.config.metricsConfigMapName" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.config.labels" . | nindent 4 }}
+  {{- with .Values.metricsConfig.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  {{- with .Values.metricsConfig.namespaces }}
+  namespaces: {{ toJson . | quote }}
+  {{- end }}
+  {{- with .Values.metricsConfig.metricsRefreshInterval }}
+  metricsRefreshInterval: {{ .Values.metricsConfig.metricsRefreshInterval }}
+  {{- end }}
+{{- end -}}
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@ -89,7 +89,7 @@ spec:
          {{- end }}
          env:
          - name: METRICS_CONFIG
-            value: {{ template "kyverno.metricsConfigMapName" . }}
+            value: {{ template "kyverno.config.metricsConfigMapName" . }}
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
@ -134,9 +134,9 @@ spec:
            protocol: TCP
          env:
          - name: INIT_CONFIG
-            value: {{ template "kyverno.configMapName" . }}
+            value: {{ template "kyverno.config.configMapName" . }}
          - name: METRICS_CONFIG
-            value: {{ template "kyverno.metricsConfigMapName" . }}
+            value: {{ template "kyverno.config.metricsConfigMapName" . }}
          - name: KYVERNO_NAMESPACE
            valueFrom:
              fieldRef:
--- a/charts/kyverno/templates/metricsconfigmap.yaml
+++ b/charts/kyverno/templates/metricsconfigmap.yaml
@ -1,26 +0,0 @@
-{{- if (not .Values.config.existingMetricsConfig) }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    {{- include "kyverno.labels" . | nindent 4 }}
-  {{- with .Values.config.metricsConfig.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  name: {{ template "kyverno.metricsConfigMapName" . }}
-  namespace: {{ template "kyverno.namespace" . }}
-{{- if .Values.config.metricsConfig }}
-data:
-  {{- if .Values.config.metricsConfig.namespaces }}
-  namespaces: {{ .Values.config.metricsConfig.namespaces | toJson | quote }}
-  {{- end -}}
-  {{- if .Values.config.metricsConfig.metricsRefreshInterval }}
-  metricsRefreshInterval: {{ .Values.config.metricsConfig.metricsRefreshInterval }}
-  {{- end -}}
-{{- else }}
-data:
-  namespaces: '{"include": [], "exclude": []}'
-  metricsRefreshInterval: 0s
-{{- end }}
-{{- end -}}
--- a/charts/kyverno/templates/reports-controller/deployment.yaml
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
@ -106,7 +106,7 @@ spec:
            {{- end }}
          env:
          - name: METRICS_CONFIG
-            value: {{ template "kyverno.metricsConfigMapName" . }}
+            value: {{ template "kyverno.config.metricsConfigMapName" . }}
          - name: KYVERNO_POD_NAME
            valueFrom:
              fieldRef:
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -14,6 +14,112 @@ fullnameOverride:
 # -- Namespace the chart deploys to
 namespace:

+config:
+
+  # -- Create the configmap.
+  create: true
+
+  # -- (string) The configmap name (required if `create` is `false`).
+  name: ~
+
+  # -- Additional annotations to add to the configmap.
+  annotations: {}
+
+  # -- Enable registry mutation for container images. Enabled by default.
+  enableDefaultRegistryMutation: true
+
+  # -- The registry hostname used for the image mutation.
+  defaultRegistry: docker.io
+
+  # -- Exclude group role
+  excludeGroupRole: []
+
+  # -- Exclude username
+  excludeUsername: []
+
+  # -- Generate success events.
+  generateSuccessEvents: false
+
+  # -- Resource types to be skipped by the Kyverno policy engine.
+  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
+  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
+  # @default -- See [values.yaml](values.yaml)
+  resourceFilters:
+    - '[Event,*,*]'
+    - '[*,kube-system,*]'
+    - '[*,kube-public,*]'
+    - '[*,kube-node-lease,*]'
+    - '[Node,*,*]'
+    - '[APIService,*,*]'
+    - '[TokenReview,*,*]'
+    - '[SubjectAccessReview,*,*]'
+    - '[SelfSubjectAccessReview,*,*]'
+    - '[Binding,*,*]'
+    - '[ReplicaSet,*,*]'
+    - '[AdmissionReport,*,*]'
+    - '[ClusterAdmissionReport,*,*]'
+    - '[BackgroundScanReport,*,*]'
+    - '[ClusterBackgroundScanReport,*,*]'
+    # exclude resources from the chart
+    - '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
+    - '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
+    - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
+    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]'
+    - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]'
+    - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
+    - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
+    - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
+    - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
+    - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
+    - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
+    - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
+    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
+    - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
+    - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
+    - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'
+
+  # -- Defines the `namespaceSelector` in the webhook configurations.
+  # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
+  # will be forwarded to the webhook configurations.
+  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
+  webhooks:
+    # Exclude namespaces
+    # - namespaceSelector:
+    #     matchExpressions:
+    #     - key: kubernetes.io/metadata.name
+    #       operator: NotIn
+    #       values:
+    #         - kube-system
+    #         - kyverno
+    # Exclude objects
+    # - objectSelector:
+    #     matchExpressions:
+    #     - key: webhooks.kyverno.io/exclude
+    #       operator: DoesNotExist
+
+metricsConfig:
+
+  # -- Create the configmap.
+  create: true
+
+  # -- (string) The configmap name (required if `create` is `false`).
+  name: ~
+
+  # -- Additional annotations to add to the configmap.
+  annotations: {}
+
+  namespaces:
+
+    # -- List of namespaces to capture metrics for.
+    include: []
+
+    # -- list of namespaces to NOT capture metrics for.
+    exclude: []
+
+  # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
+  metricsRefreshInterval: ~
+  # metricsRefreshInterval: 24h
+
 # -- Additional labels
 customLabels: {}

@ -67,7 +173,6 @@ initContainer:
    - --loggingFormat=text
    - --exceptionNamespace={{ include "kyverno.namespace" . }}

-
 testImage:
  # -- Image registry
  registry:
@ -304,100 +409,6 @@ excludeKyvernoNamespace: true
 # Namespaces to exclude from the default resourceFilters
 resourceFiltersExcludeNamespaces: []

-config:
-  # -- The registry hostname used for the image mutation.
-  defaultRegistry: docker.io
-
-  # -- Enable registry mutation for container images. Enabled by default.
-  enableDefaultRegistryMutation: true
-
-  # -- Resource types to be skipped by the Kyverno policy engine.
-  # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
-  # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
-  # @default -- See [values.yaml](values.yaml)
-  resourceFilters:
-  - '[Event,*,*]'
-  - '[*,kube-system,*]'
-  - '[*,kube-public,*]'
-  - '[*,kube-node-lease,*]'
-  - '[Node,*,*]'
-  - '[APIService,*,*]'
-  - '[TokenReview,*,*]'
-  - '[SubjectAccessReview,*,*]'
-  - '[SelfSubjectAccessReview,*,*]'
-  - '[Binding,*,*]'
-  - '[ReplicaSet,*,*]'
-  - '[AdmissionReport,*,*]'
-  - '[ClusterAdmissionReport,*,*]'
-  - '[BackgroundScanReport,*,*]'
-  - '[ClusterBackgroundScanReport,*,*]'
-  # exclude resources from the chart
-  - '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
-  - '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
-  - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]'
-  - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.configMapName" . }}]'
-  - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.metricsConfigMapName" . }}]'
-  - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
-  - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]'
-  - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
-  - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
-  - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
-  - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
-  - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
-  - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
-  - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
-  - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
-  - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]'
-
-  # -- Name of an existing config map (ignores default/provided resourceFilters)
-  existingConfig: ''
-  # -- Additional annotations to add to the configmap
-  annotations: {}
-    # example.com/annotation: foo
-  # -- Exclude group role
-  excludeGroupRole:
-  # - ''
-  # -- Exclude username
-  excludeUsername:
-  # - ''
-  # -- Defines the `namespaceSelector` in the webhook configurations.
-  # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
-  # will be forwarded to the webhook configurations.
-  # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default)
-  webhooks:
-    # Exclude namespaces
-    # - namespaceSelector:
-    #     matchExpressions:
-    #     - key: kubernetes.io/metadata.name
-    #       operator: NotIn
-    #       values:
-    #         - kube-system
-    #         - kyverno
-    # Exclude objects
-    # - objectSelector:
-    #     matchExpressions:
-    #     - key: webhooks.kyverno.io/exclude
-    #       operator: DoesNotExist
-
-  # -- Generate success events.
-  generateSuccessEvents: false
-  # -- Metrics config.
-  metricsConfig:
-    # -- Additional annotations to add to the metricsconfigmap
-    annotations: {}
-      # example.com/annotation: foo
-    namespaces: {
-      "include": [],
-      "exclude": []
-    }
-    # 'namespaces.include': list of namespaces to capture metrics for. Default: metrics being captured for all namespaces except excludeNamespaces.
-    # 'namespaces.exclude': list of namespaces to NOT capture metrics for. Default: []
-
-    # metricsRefreshInterval: 24h
-    # rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics
-
-  # Or provide an existing metrics config-map by uncommenting the below line
-  # existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap.
 # -- Deployment update strategy.
 # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
 # @default -- See [values.yaml](values.yaml)
--- a/config/install.yaml
+++ b/config/install.yaml
@ -49,32 +49,30 @@ metadata:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  labels:
-    app.kubernetes.io/component: kyverno
-    app: kyverno
-    app.kubernetes.io/name: kyverno
-    app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: latest
  name: kyverno
  namespace: kyverno
+  labels:
+    app.kubernetes.io/part-of: kyverno
+    app: kyverno
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/version: latest
 data:
-  defaultRegistry: "docker.io"
  enableDefaultRegistryMutation: "true"
-  # resource types to be skipped by kyverno policy engine
+  defaultRegistry: "docker.io"
+  generateSuccessEvents: "false"
  resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-test]"
  webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  labels:
-    app.kubernetes.io/component: kyverno
-    app: kyverno
-    app.kubernetes.io/name: kyverno
-    app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: latest
  name: kyverno-metrics
  namespace: kyverno
+  labels:
+    app.kubernetes.io/part-of: kyverno
+    app: kyverno
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/version: latest
 data:
  namespaces: "{\"exclude\":[],\"include\":[]}"
 ---