
feat: remove old reports from helm chart and disable cleanup jobs by default (#10533)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2024-06-25 15:34:26 +02:00 committed by GitHub
parent a70532a5e9
commit 28db48573a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
17 changed files with 10 additions and 735 deletions


@ -728,50 +728,6 @@ The chart values are organised per component.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cleanupJobs.admissionReports.enabled | bool | `true` | Enable cleanup cronjob |
| cleanupJobs.admissionReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.admissionReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
| cleanupJobs.admissionReports.image.registry | string | `nil` | Image registry |
| cleanupJobs.admissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
| cleanupJobs.admissionReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
| cleanupJobs.admissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| cleanupJobs.admissionReports.imagePullSecrets | list | `[]` | Image pull secrets |
| cleanupJobs.admissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
| cleanupJobs.admissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
| cleanupJobs.admissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
| cleanupJobs.admissionReports.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupJobs.admissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.admissionReports.priorityClassName | string | `""` | Pod PriorityClassName |
| cleanupJobs.admissionReports.resources | object | `{}` | Job resources |
| cleanupJobs.admissionReports.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupJobs.admissionReports.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupJobs.admissionReports.podAnnotations | object | `{}` | Pod Annotations |
| cleanupJobs.admissionReports.podLabels | object | `{}` | Pod labels |
| cleanupJobs.admissionReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| cleanupJobs.admissionReports.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupJobs.admissionReports.nodeAffinity | object | `{}` | Node affinity constraints. |
| cleanupJobs.clusterAdmissionReports.enabled | bool | `true` | Enable cleanup cronjob |
| cleanupJobs.clusterAdmissionReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.clusterAdmissionReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
| cleanupJobs.clusterAdmissionReports.image.registry | string | `nil` | Image registry |
| cleanupJobs.clusterAdmissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
| cleanupJobs.clusterAdmissionReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
| cleanupJobs.clusterAdmissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| cleanupJobs.clusterAdmissionReports.imagePullSecrets | list | `[]` | Image pull secrets |
| cleanupJobs.clusterAdmissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
| cleanupJobs.clusterAdmissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
| cleanupJobs.clusterAdmissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
| cleanupJobs.clusterAdmissionReports.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupJobs.clusterAdmissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.clusterAdmissionReports.priorityClassName | string | `""` | Pod PriorityClassName |
| cleanupJobs.clusterAdmissionReports.resources | object | `{}` | Job resources |
| cleanupJobs.clusterAdmissionReports.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupJobs.clusterAdmissionReports.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupJobs.clusterAdmissionReports.podAnnotations | object | `{}` | Pod Annotations |
| cleanupJobs.clusterAdmissionReports.podLabels | object | `{}` | Pod Labels |
| cleanupJobs.clusterAdmissionReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| cleanupJobs.clusterAdmissionReports.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupJobs.clusterAdmissionReports.nodeAffinity | object | `{}` | Node affinity constraints. |
| cleanupJobs.updateRequests.enabled | bool | `true` | Enable cleanup cronjob |
| cleanupJobs.updateRequests.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.updateRequests.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
@ -794,7 +750,7 @@ The chart values are organised per component.
| cleanupJobs.updateRequests.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| cleanupJobs.updateRequests.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupJobs.updateRequests.nodeAffinity | object | `{}` | Node affinity constraints. |
| cleanupJobs.ephemeralReports.enabled | bool | `true` | Enable cleanup cronjob |
| cleanupJobs.ephemeralReports.enabled | bool | `false` | Enable cleanup cronjob |
| cleanupJobs.ephemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.ephemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
| cleanupJobs.ephemeralReports.image.registry | string | `nil` | Image registry |
@ -816,7 +772,7 @@ The chart values are organised per component.
| cleanupJobs.ephemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| cleanupJobs.ephemeralReports.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupJobs.ephemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. |
| cleanupJobs.clusterEphemeralReports.enabled | bool | `true` | Enable cleanup cronjob |
| cleanupJobs.clusterEphemeralReports.enabled | bool | `false` | Enable cleanup cronjob |
| cleanupJobs.clusterEphemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
| cleanupJobs.clusterEphemeralReports.image.registry | string | `nil` | Image registry |


@ -6,7 +6,7 @@
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |


@ -10,11 +10,7 @@ groups:
# -- Install CRDs in group `kyverno.io`
# -- This field can be overwritten by setting crds.labels in the parent chart
kyverno:
admissionreports: true
backgroundscanreports: true
cleanuppolicies: true
clusteradmissionreports: true
clusterbackgroundscanreports: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true


@ -1,5 +1,6 @@
cleanupJobs:
admissionReports:
ephemeralReports:
enabled: true
nodeSelector:
kubernetes.io/os: linux
podAntiAffinity:
@ -13,7 +14,8 @@ cleanupJobs:
values:
- cleanup
topologyKey: kubernetes.io/hostname
clusterAdmissionReports:
clusterEphemeralReports:
enabled: true
nodeSelector:
kubernetes.io/os: linux
podAntiAffinity:


@ -62,10 +62,6 @@ rules:
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- policyexceptions
verbs:
- create


@ -52,8 +52,6 @@ spec:
- clusterpolicies/status
- globalcontextentries
- globalcontextentries/status
- clusteradmissionreports
- clusterbackgroundscanreports
verbs:
- create
- delete
@ -72,8 +70,6 @@ spec:
- policies/status
- updaterequests
- updaterequests/status
- admissionreports
- backgroundscanreports
verbs:
- create
- delete


@ -1,91 +0,0 @@
{{- if .Values.cleanupJobs.admissionReports.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "kyverno.name" . }}-cleanup-admission-reports
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup.labels" . | nindent 4 }}
spec:
schedule: {{ .Values.cleanupJobs.admissionReports.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.success }}
failedJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.failure }}
jobTemplate:
spec:
backoffLimit: {{ .Values.cleanupJobs.admissionReports.backoffLimit }}
{{- if .Values.cleanupJobs.admissionReports.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.cleanupJobs.admissionReports.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
{{- with .Values.cleanupJobs.admissionReports.podAnnotations }}
annotations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.podLabels }}
labels:
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
{{- with .Values.cleanupJobs.admissionReports.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: cleanup
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.admissionReports.image)) | quote }}
imagePullPolicy: {{ .Values.cleanupJobs.admissionReports.image.pullPolicy }}
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt {{ .Values.cleanupJobs.admissionReports.threshold }} ]; then
echo "too many reports found ($COUNT), cleaning up..."
kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
else
echo "($COUNT) reports found, no clean up needed"
fi
{{- with .Values.cleanupJobs.admissionReports.securityContext }}
securityContext:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.resources }}
resources:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
{{- with .Values.cleanupJobs.admissionReports.tolerations | default .Values.global.tolerations}}
tolerations:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if or .Values.cleanupJobs.admissionReports.podAntiAffinity .Values.cleanupJobs.admissionReports.podAffinity .Values.cleanupJobs.admissionReports.nodeAffinity }}
affinity:
{{- with .Values.cleanupJobs.admissionReports.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- end }}
{{- end -}}


@ -1,91 +0,0 @@
{{- if .Values.cleanupJobs.clusterAdmissionReports.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "kyverno.name" . }}-cleanup-cluster-admission-reports
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup.labels" . | nindent 4 }}
spec:
schedule: {{ .Values.cleanupJobs.clusterAdmissionReports.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.success }}
failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.failure }}
jobTemplate:
spec:
backoffLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.backoffLimit }}
{{- if .Values.cleanupJobs.clusterAdmissionReports.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.cleanupJobs.clusterAdmissionReports.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
{{- with .Values.cleanupJobs.clusterAdmissionReports.podAnnotations }}
annotations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.podLabels }}
labels:
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
{{- with .Values.cleanupJobs.clusterAdmissionReports.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: cleanup
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.clusterAdmissionReports.image)) | quote }}
imagePullPolicy: {{ .Values.cleanupJobs.clusterAdmissionReports.image.pullPolicy }}
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterAdmissionReports.threshold }} ]; then
echo "too many reports found ($COUNT), cleaning up..."
kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
else
echo "($COUNT) reports found, no clean up needed"
fi
{{- with .Values.cleanupJobs.clusterAdmissionReports.securityContext }}
securityContext:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.resources }}
resources:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
{{- with .Values.cleanupJobs.clusterAdmissionReports.tolerations | default .Values.global.tolerations}}
tolerations:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if or .Values.cleanupJobs.clusterAdmissionReports.podAntiAffinity .Values.cleanupJobs.clusterAdmissionReports.podAffinity .Values.cleanupJobs.clusterAdmissionReports.nodeAffinity }}
affinity:
{{- with .Values.cleanupJobs.clusterAdmissionReports.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- end }}
{{- end -}}


@ -73,7 +73,7 @@ spec:
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if or .Values.cleanupJobs.updateRequests.podAntiAffinity .Values.cleanupJobs.updateRequests.podAffinity .Values.cleanupJobs.admissionReports.nodeAffinity }}
{{- if or .Values.cleanupJobs.updateRequests.podAntiAffinity .Values.cleanupJobs.updateRequests.podAffinity .Values.cleanupJobs.updateRequests.nodeAffinity }}
affinity:
{{- with .Values.cleanupJobs.updateRequests.podAntiAffinity }}
podAntiAffinity:
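Review bot: The corrected guard now keys on `.Values.cleanupJobs.updateRequests.nodeAffinity`, so a user who set only `cleanupJobs.updateRequests.nodeAffinity` on an earlier chart version presumably got no `affinity:` block rendered for this CronJob at all; that is a user-visible behaviour change and deserves a line in the commit message or changelog, because the hunk otherwise reads as a mechanical rename. Since the same commit drops `cleanupJobs.admissionReports` from values.yaml, the old expression would likely also have failed at render time on the now-missing map, so the fix is necessary rather than cosmetic. The three `with` branches under `affinity:` continue past the end of the hunk.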


@ -8,8 +8,6 @@ rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- updaterequests
verbs:
- list


@ -6,21 +6,6 @@ metadata:
labels:
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- reports.kyverno.io
resources:
@ -42,17 +27,6 @@ metadata:
labels:
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- get
- list
- watch
- apiGroups:
- reports.kyverno.io
resources:


@ -39,10 +39,6 @@ rules:
resources:
- globalcontextentries
- globalcontextentries/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- policyexceptions
- policies
- clusterpolicies


@ -20,37 +20,6 @@ spec:
- get
- list
- watch
- apiGroups:
- kyverno.io
clusterScope: true
resources:
- clusteradmissionreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- kyverno.io
namespaces:
- '*'
resources:
- admissionreports
- backgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- reports.kyverno.io
clusterScope: true


@ -687,166 +687,6 @@ features:
# Cleanup cronjobs to prevent internal resources from stacking up in the cluster
cleanupJobs:
admissionReports:
# -- Enable cleanup cronjob
enabled: true
# -- Maximum number of retries before considering a Job as failed. Defaults to 3.
backoffLimit: 3
# -- Time until the pod from the cronjob is deleted
ttlSecondsAfterFinished: ""
image:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
tag: '1.30.2'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Cronjob schedule
schedule: '*/10 * * * *'
# -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
threshold: 10000
# -- Cronjob history
history:
success: 1
failure: 1
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Pod PriorityClassName
priorityClassName: ""
# -- Job resources
resources: {}
# -- List of node taints to tolerate
tolerations: []
# -- Node labels for pod assignment
nodeSelector: {}
# -- Pod Annotations
podAnnotations: {}
# -- Pod labels
podLabels: {}
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
clusterAdmissionReports:
# -- Enable cleanup cronjob
enabled: true
# -- Maximum number of retries before considering a Job as failed. Defaults to 3.
backoffLimit: 3
# -- Time until the pod from the cronjob is deleted
ttlSecondsAfterFinished: ""
image:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
tag: '1.30.2'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Cronjob schedule
schedule: '*/10 * * * *'
# -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
threshold: 10000
# -- Cronjob history
history:
success: 1
failure: 1
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Pod PriorityClassName
priorityClassName: ""
# -- Job resources
resources: {}
# -- List of node taints to tolerate
tolerations: []
# -- Node labels for pod assignment
nodeSelector: {}
# -- Pod Annotations
podAnnotations: {}
# -- Pod Labels
podLabels: {}
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
updateRequests:
# -- Enable cleanup cronjob
@ -930,7 +770,7 @@ cleanupJobs:
ephemeralReports:
# -- Enable cleanup cronjob
enabled: true
enabled: false
# -- Maximum number of retries before considering a Job as failed. Defaults to 3.
backoffLimit: 3
@ -1010,7 +850,7 @@ cleanupJobs:
clusterEphemeralReports:
# -- Enable cleanup cronjob
enabled: true
enabled: false
# -- Maximum number of retries before considering a Job as failed. Defaults to 3.
backoffLimit: 3
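Review bot: The `# -- Enable cleanup cronjob` comment above the new `enabled: false` for ephemeralReports and clusterEphemeralReports still reads as if the job were on, while the stanza header `# Cleanup cronjobs to prevent internal resources from stacking up in the cluster` still promises that safeguard; a reader of values.yaml cannot tell from this hunk that the default flipped or why. Unbounded accumulation of report objects is an etcd and API-server capacity concern, so the key that turns the safeguard off should say what the operator is expected to do instead. Suggest rewording both comments to `# -- Enable cleanup cronjob (off by default; turn on if ephemeral reports are observed to accumulate)` — what bounds growth when the job is disabled is not visible here and should be stated by someone who knows. The updateRequests block between the two hunks and the remainder of each report stanza lie outside the hunk.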


@ -43008,10 +43008,6 @@ rules:
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- policyexceptions
verbs:
- create
@ -43326,8 +43322,6 @@ rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- updaterequests
verbs:
- list
@ -43450,21 +43444,6 @@ metadata:
app.kubernetes.io/version: latest
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- reports.kyverno.io
resources:
@ -43490,17 +43469,6 @@ metadata:
app.kubernetes.io/version: latest
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- get
- list
- watch
- apiGroups:
- reports.kyverno.io
resources:
@ -43602,10 +43570,6 @@ rules:
resources:
- globalcontextentries
- globalcontextentries/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
- policyexceptions
- policies
- clusterpolicies
@ -44724,206 +44688,6 @@ spec:
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: kyverno-cleanup-admission-reports
namespace: kyverno
labels:
app.kubernetes.io/component: cleanup
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
schedule: "*/10 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 3
template:
metadata:
spec:
serviceAccountName: kyverno-cleanup-jobs
containers:
- name: cleanup
image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt 10000 ]; then
echo "too many reports found ($COUNT), cleaning up..."
kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
else
echo "($COUNT) reports found, no clean up needed"
fi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: kyverno-cleanup-cluster-admission-reports
namespace: kyverno
labels:
app.kubernetes.io/component: cleanup
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
schedule: "*/10 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 3
template:
metadata:
spec:
serviceAccountName: kyverno-cleanup-jobs
containers:
- name: cleanup
image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt 10000 ]; then
echo "too many reports found ($COUNT), cleaning up..."
kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
else
echo "($COUNT) reports found, no clean up needed"
fi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: kyverno-cleanup-cluster-ephemeral-reports
namespace: kyverno
labels:
app.kubernetes.io/component: cleanup
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
schedule: "*/10 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 3
template:
metadata:
spec:
serviceAccountName: kyverno-cleanup-jobs
containers:
- name: cleanup
image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt 10000 ]; then
echo "too many clusterephemeralreports found ($COUNT), cleaning up..."
kubectl delete clusterephemeralreports.reports.kyverno.io -A --all
else
echo "($COUNT) reports found, no clean up needed"
fi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: kyverno-cleanup-ephemeral-reports
namespace: kyverno
labels:
app.kubernetes.io/component: cleanup
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
schedule: "*/10 * * * *"
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
jobTemplate:
spec:
backoffLimit: 3
template:
metadata:
spec:
serviceAccountName: kyverno-cleanup-jobs
containers:
- name: cleanup
image: "bitnami/kubectl:1.30.2"
imagePullPolicy:
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt 10000 ]; then
echo "too many ephemeralreports found ($COUNT), cleaning up..."
kubectl delete ephemeralreports.reports.kyverno.io -A --all
else
echo "($COUNT) reports found, no clean up needed"
fi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
restartPolicy: OnFailure
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: kyverno-cleanup-update-requests
namespace: kyverno


@ -364,21 +364,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- reports.kyverno.io
resources:


@ -5,21 +5,6 @@ metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- reports.kyverno.io
resources: