diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index ed5710a14e..aa9d03c34a 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -161,6 +161,7 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext`
 - `rbac` has been replaced with `admissionController.rbac`
 - `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources`
+- `networkPolicy` has been replaced with `admissionController.networkPolicy`
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected.
 
 The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
@@ -217,8 +218,6 @@ The command removes all the Kubernetes components associated with the chart and
 | customLabels | object | `{}` | Additional labels |
 | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
-| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
-| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
@@ -289,6 +288,8 @@ The command removes all the Kubernetes components associated with the chart and
 | admissionController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | admissionController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 | admissionController.metricsService.annotations | object | `{}` | Service annotations. |
+| admissionController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| admissionController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | cleanupController.enabled | bool | `true` | Enable cleanup controller. |
 | cleanupController.rbac.create | bool | `true` | Create RBAC resources |
 | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
@@ -331,6 +332,8 @@ The command removes all the Kubernetes components associated with the chart and
 | cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | cleanupController.metricsService.annotations | object | `{}` | Service annotations. |
+| cleanupController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| cleanupController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace |
@@ -382,6 +385,8 @@ The command removes all the Kubernetes components associated with the chart and
 | reportsController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
 | reportsController.metricsService.annotations | object | `{}` | Service annotations. |
+| reportsController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| reportsController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | reportsController.serviceMonitor.namespace | string | `nil` | Override namespace |
@@ -433,6 +438,8 @@ The command removes all the Kubernetes components associated with the chart and
 | backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | backgroundController.metricsService.annotations | object | `{}` | Service annotations. |
+| backgroundController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| backgroundController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
 | backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
 | backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace |
diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl
index dcffabad7f..9c9d28a4bc 100644
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@@ -161,6 +161,7 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext`
 - `rbac` has been replaced with `admissionController.rbac`
 - `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources`
+- `networkPolicy` has been replaced with `admissionController.networkPolicy`
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected.
 
 The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
diff --git a/charts/kyverno/templates/admission-controller/networkpolicy.yaml b/charts/kyverno/templates/admission-controller/networkpolicy.yaml
new file mode 100644
index 0000000000..67219e19f5
--- /dev/null
+++ b/charts/kyverno/templates/admission-controller/networkpolicy.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.admissionController.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.admission-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  {{- if .Values.admissionController.networkPolicy.ingressFrom }}
+  ingress:
+  - from:
+    {{- toYaml .Values.admissionController.networkPolicy.ingressFrom | nindent 8 }}
+    ports:
+    - protocol: TCP
+      port: 9443 # webhook access
+    # Allow prometheus scrapes for metrics
+    {{- if .Values.admissionController.metricsService.create }}
+    - protocol: TCP
+      port: {{ .Values.admissionController.metricsService.port }}
+    {{- end }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+{{- end -}}
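Review bot: When `admissionController.networkPolicy.enabled` is true but `ingressFrom` is left empty, the `{{- else }}` branch of the new template renders `ingress: - {}`, which admits traffic from any source on every port of the pod; only the `from`-restricted branch narrows ingress to 9443 and the metrics port. The values description says the policy is used "to allow ingress to the webhook", so an operator enabling it in a default-deny cluster may reasonably assume ingress is now limited to the webhook when it is in fact wide open. At minimum the values.yaml comment should state it, e.g. `# -- With an empty ingressFrom the policy allows ingress from any source on any port; set selectors to restrict it.`, and the fallback branch could keep the port restriction by rendering the same `ports:` list without a `from:` block. The cleanup-controller, background-controller and reports-controller templates in this commit carry the same fallback.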
diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml
index 42bf932ab0..3c8f9abc29 100644
--- a/charts/kyverno/templates/background-controller/deployment.yaml
+++ b/charts/kyverno/templates/background-controller/deployment.yaml
@@ -4,9 +4,9 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "kyverno.background-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
   labels:
     {{- include "kyverno.background-controller.labels" . | nindent 4 }}
-  namespace: {{ template "kyverno.namespace" . }}
 spec:
   replicas: {{ template "kyverno.deployment.replicas" .Values.backgroundController.replicas }}
   {{- with .Values.backgroundController.updateStrategy }}
diff --git a/charts/kyverno/templates/background-controller/networkpolicy.yaml b/charts/kyverno/templates/background-controller/networkpolicy.yaml
new file mode 100644
index 0000000000..660bbfd490
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/networkpolicy.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.networkPolicy.enabled -}}
+{{- if .Values.backgroundController.metricsService.create -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.background-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  {{- if .Values.backgroundController.networkPolicy.ingressFrom }}
+  ingress:
+  - from:
+    {{- toYaml .Values.backgroundController.networkPolicy.ingressFrom | nindent 8 }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.backgroundController.metricsService.port }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
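Review bot: The whole background-controller NetworkPolicy is wrapped in `{{- if .Values.backgroundController.metricsService.create -}}`, so with `networkPolicy.enabled: true` and `metricsService.create: false` nothing is rendered at all, silently, whereas the admission- and cleanup-controller templates render a policy regardless of the metrics Service. In a default-deny cluster that leaves the pod without an explicit policy, which looks intended given that this template only ever opens the metrics port, but the values file and README do not say so. A leading template comment would make the behaviour explicit, e.g. `{{- /* Only the metrics port is exposed; without a metrics Service there is nothing to allow, so no policy is rendered. */ -}}`. The reports-controller template has the same triple guard and would take the same comment.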
diff --git a/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml b/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml
new file mode 100644
index 0000000000..e9e8da3524
--- /dev/null
+++ b/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.cleanup-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  {{- if .Values.cleanupController.networkPolicy.ingressFrom }}
+  ingress:
+  - from:
+    {{- toYaml .Values.cleanupController.networkPolicy.ingressFrom | nindent 8 }}
+    ports:
+    - protocol: TCP
+      port: 9443 # webhook access
+    # Allow prometheus scrapes for metrics
+    {{- if .Values.cleanupController.metricsService.create }}
+    - protocol: TCP
+      port: {{ .Values.cleanupController.metricsService.port }}
+    {{- end }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/networkpolicy.yaml b/charts/kyverno/templates/networkpolicy.yaml
deleted file mode 100644
index c1742e8743..0000000000
--- a/charts/kyverno/templates/networkpolicy.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{- if .Values.networkPolicy.enabled }}
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-  name: {{ template "kyverno.fullname" . }}
-  namespace: {{ template "kyverno.namespace" . }}
-spec:
-  podSelector:
-    matchLabels:
-      {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
-  policyTypes:
-  - Ingress
-  {{- if .Values.networkPolicy.ingressFrom }}
-  ingress:
-  - from:
-    {{- with .Values.networkPolicy.ingressFrom }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-    ports:
-    - protocol: TCP
-      port: 9443 # webhook access
-    # Allow prometheus scrapes for metrics
-    {{- if .Values.admissionController.metricsService.create }}
-    - protocol: TCP
-      port: {{ .Values.admissionController.metricsService.port }}
-    {{- end }}
-  {{- else }}
-  ingress:
-  - {}
-  {{- end }}
-{{- end }}
diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml
index 8cb1deddbd..3084ee2a0b 100644
--- a/charts/kyverno/templates/reports-controller/deployment.yaml
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
@@ -4,9 +4,9 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "kyverno.reports-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
   labels:
     {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
-  namespace: {{ template "kyverno.namespace" . }}
 spec:
   replicas: {{ template "kyverno.deployment.replicas" .Values.reportsController.replicas }}
   {{- with .Values.reportsController.updateStrategy }}
diff --git a/charts/kyverno/templates/reports-controller/networkpolicy.yaml b/charts/kyverno/templates/reports-controller/networkpolicy.yaml
new file mode 100644
index 0000000000..e70c6d821d
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/networkpolicy.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.networkPolicy.enabled -}}
+{{- if .Values.reportsController.metricsService.create -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "kyverno.reports-controller.name" . }}
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  {{- if .Values.reportsController.networkPolicy.ingressFrom }}
+  ingress:
+  - from:
+    {{- toYaml .Values.reportsController.networkPolicy.ingressFrom | nindent 8 }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.reportsController.metricsService.port }}
+  {{- else }}
+  ingress:
+  - {}
+  {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 086a4ce250..d0a9a4d59a 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -207,13 +207,6 @@ excludeKyvernoNamespace: true
 # Namespaces to exclude from the default resourceFilters
 resourceFiltersExcludeNamespaces: []
 
-networkPolicy:
-  # -- When true, use a NetworkPolicy to allow ingress to the webhook
-  # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
-  enabled: false
-  # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
-  ingressFrom: []
-
 webhooksCleanup:
   # -- Create a helm pre-delete hook to cleanup webhooks.
   enabled: false
@@ -534,6 +527,15 @@ admissionController:
     # -- Service annotations.
     annotations: {}
 
+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
 
 # Cleanup controller configuration
 cleanupController:
@@ -740,6 +742,15 @@ cleanupController:
     # -- Service annotations.
     annotations: {}
 
+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
   serviceMonitor:
     # -- Create a `ServiceMonitor` to collect Prometheus metrics.
     enabled: false
@@ -976,6 +987,15 @@ reportsController:
     # -- Service annotations.
     annotations: {}
 
+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
   serviceMonitor:
     # -- Create a `ServiceMonitor` to collect Prometheus metrics.
     enabled: false
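Review bot: The comment `# -- When true, use a NetworkPolicy to allow ingress to the webhook` copied under `reportsController.networkPolicy` in the `@@ -976` hunk does not describe what the reports-controller template does: that template opens only `metricsService.port`, has no webhook port, and is skipped entirely unless `metricsService.create` is true. helm-docs lifts this text into the README table, so the inaccurate description is published twice and tells an operator the policy protects something it does not touch. Suggest `# -- When true, use a NetworkPolicy to allow ingress to the metrics port (only rendered when metricsService.create is true)` here, and the same wording for `backgroundController.networkPolicy` in the following hunk, whose template has the identical shape.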
@@ -1169,6 +1189,15 @@ backgroundController:
     # -- Service annotations.
     annotations: {}
 
+  networkPolicy:
+
+    # -- When true, use a NetworkPolicy to allow ingress to the webhook
+    # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
+    enabled: false
+
+    # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
+    ingressFrom: []
+
   serviceMonitor:
     # -- Create a `ServiceMonitor` to collect Prometheus metrics.
     enabled: false