diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index fed22061de..aa486ad0f5 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -728,50 +728,6 @@ The chart values are organised per component.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| cleanupJobs.admissionReports.enabled | bool | `true` | Enable cleanup cronjob |
-| cleanupJobs.admissionReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
-| cleanupJobs.admissionReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
-| cleanupJobs.admissionReports.image.registry | string | `nil` | Image registry |
-| cleanupJobs.admissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
-| cleanupJobs.admissionReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
-| cleanupJobs.admissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
-| cleanupJobs.admissionReports.imagePullSecrets | list | `[]` | Image pull secrets |
-| cleanupJobs.admissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
-| cleanupJobs.admissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
-| cleanupJobs.admissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
-| cleanupJobs.admissionReports.podSecurityContext | object | `{}` | Security context for the pod |
-| cleanupJobs.admissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
-| cleanupJobs.admissionReports.priorityClassName | string | `""` | Pod PriorityClassName |
-| cleanupJobs.admissionReports.resources | object | `{}` | Job resources |
-| cleanupJobs.admissionReports.tolerations | list | `[]` | List of node taints to tolerate |
-| cleanupJobs.admissionReports.nodeSelector | object | `{}` | Node labels for pod assignment |
-| cleanupJobs.admissionReports.podAnnotations | object | `{}` | Pod Annotations |
-| cleanupJobs.admissionReports.podLabels | object | `{}` | Pod labels |
-| cleanupJobs.admissionReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
-| cleanupJobs.admissionReports.podAffinity | object | `{}` | Pod affinity constraints. |
-| cleanupJobs.admissionReports.nodeAffinity | object | `{}` | Node affinity constraints. |
-| cleanupJobs.clusterAdmissionReports.enabled | bool | `true` | Enable cleanup cronjob |
-| cleanupJobs.clusterAdmissionReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
-| cleanupJobs.clusterAdmissionReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
-| cleanupJobs.clusterAdmissionReports.image.registry | string | `nil` | Image registry |
-| cleanupJobs.clusterAdmissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
-| cleanupJobs.clusterAdmissionReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
-| cleanupJobs.clusterAdmissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
-| cleanupJobs.clusterAdmissionReports.imagePullSecrets | list | `[]` | Image pull secrets |
-| cleanupJobs.clusterAdmissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
-| cleanupJobs.clusterAdmissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
-| cleanupJobs.clusterAdmissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
-| cleanupJobs.clusterAdmissionReports.podSecurityContext | object | `{}` | Security context for the pod |
-| cleanupJobs.clusterAdmissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
-| cleanupJobs.clusterAdmissionReports.priorityClassName | string | `""` | Pod PriorityClassName |
-| cleanupJobs.clusterAdmissionReports.resources | object | `{}` | Job resources |
-| cleanupJobs.clusterAdmissionReports.tolerations | list | `[]` | List of node taints to tolerate |
-| cleanupJobs.clusterAdmissionReports.nodeSelector | object | `{}` | Node labels for pod assignment |
-| cleanupJobs.clusterAdmissionReports.podAnnotations | object | `{}` | Pod Annotations |
-| cleanupJobs.clusterAdmissionReports.podLabels | object | `{}` | Pod Labels |
-| cleanupJobs.clusterAdmissionReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
-| cleanupJobs.clusterAdmissionReports.podAffinity | object | `{}` | Pod affinity constraints. |
-| cleanupJobs.clusterAdmissionReports.nodeAffinity | object | `{}` | Node affinity constraints. |
 | cleanupJobs.updateRequests.enabled | bool | `true` | Enable cleanup cronjob |
 | cleanupJobs.updateRequests.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
 | cleanupJobs.updateRequests.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
@@ -794,7 +750,7 @@ The chart values are organised per component.
 | cleanupJobs.updateRequests.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
 | cleanupJobs.updateRequests.podAffinity | object | `{}` | Pod affinity constraints. |
 | cleanupJobs.updateRequests.nodeAffinity | object | `{}` | Node affinity constraints. |
-| cleanupJobs.ephemeralReports.enabled | bool | `true` | Enable cleanup cronjob |
+| cleanupJobs.ephemeralReports.enabled | bool | `false` | Enable cleanup cronjob |
 | cleanupJobs.ephemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
 | cleanupJobs.ephemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
 | cleanupJobs.ephemeralReports.image.registry | string | `nil` | Image registry |
@@ -816,7 +772,7 @@ The chart values are organised per component.
 | cleanupJobs.ephemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
 | cleanupJobs.ephemeralReports.podAffinity | object | `{}` | Pod affinity constraints. |
 | cleanupJobs.ephemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. |
-| cleanupJobs.clusterEphemeralReports.enabled | bool | `true` | Enable cleanup cronjob |
+| cleanupJobs.clusterEphemeralReports.enabled | bool | `false` | Enable cleanup cronjob |
 | cleanupJobs.clusterEphemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
 | cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
 | cleanupJobs.clusterEphemeralReports.image.registry | string | `nil` | Image registry |
diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md
index 75ec9d7393..f12f5c62f6 100644
--- a/charts/kyverno/charts/crds/README.md
+++ b/charts/kyverno/charts/crds/README.md
@@ -6,7 +6,7 @@ | Key | Type | Default | Description | |-----|------|---------|-------------| -| groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart | +| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart | | groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | | groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | | annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart | diff --git a/charts/kyverno/charts/crds/values.yaml b/charts/kyverno/charts/crds/values.yaml index 6969f5f797..07cfa8403e 100644 --- a/charts/kyverno/charts/crds/values.yaml +++ b/charts/kyverno/charts/crds/values.yaml @@ -10,11 +10,7 @@ groups: # -- Install CRDs in group `kyverno.io` # -- This field can be overwritten by setting crds.labels in the parent chart kyverno: - admissionreports: true - backgroundscanreports: true cleanuppolicies: true - clusteradmissionreports: true - clusterbackgroundscanreports: true clustercleanuppolicies: true clusterpolicies: true globalcontextentries: true diff --git a/charts/kyverno/ci/cleanupJobs-values.yaml b/charts/kyverno/ci/cleanupJobs-values.yaml index 93c04d945c..6490a11c1d 100644 --- a/charts/kyverno/ci/cleanupJobs-values.yaml 
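Review bot: Dropping `admissionreports`, `backgroundscanreports`, `clusteradmissionreports` and `clusterbackgroundscanreports` from `groups.kyverno` in `charts/kyverno/charts/crds/values.yaml` changes which CRDs the `crds` subchart renders, and since these keys are documented as "Install CRDs in group `kyverno.io`" the CRDs appear to be ordinary templated release resources, so a `helm upgrade` would presumably delete the four CRDs together with every stored report instance — I cannot see the CRD templates in this diff, so please confirm that is the intended upgrade path. Whether or not it is, the removal deserves an explicit upgrade note in the chart changelog or README rather than a silent default change, because any tooling that still lists these kinds would start receiving errors once the CRDs are gone. While this block is being touched, the pre-existing comment `# -- This field can be overwritten by setting crds.labels in the parent chart` on the `kyverno:` key looks copy-pasted from the labels section and should presumably read `crds.groups.kyverno`.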
+++ b/charts/kyverno/ci/cleanupJobs-values.yaml @@ -1,5 +1,6 @@ cleanupJobs: - admissionReports: + ephemeralReports: + enabled: true nodeSelector: kubernetes.io/os: linux podAntiAffinity: @@ -13,7 +14,8 @@ cleanupJobs: values: - cleanup topologyKey: kubernetes.io/hostname - clusterAdmissionReports: + clusterEphemeralReports: + enabled: true nodeSelector: kubernetes.io/os: linux podAntiAffinity: diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml index 4ea7088614..25f1ade81a 100644 --- a/charts/kyverno/templates/admission-controller/clusterrole.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml @@ -62,10 +62,6 @@ rules: - updaterequests/status - globalcontextentries - globalcontextentries/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - policyexceptions verbs: - create diff --git a/charts/kyverno/templates/admission-controller/flowschema.yaml b/charts/kyverno/templates/admission-controller/flowschema.yaml index 8bb6f52311..779eeefc43 100644 --- a/charts/kyverno/templates/admission-controller/flowschema.yaml +++ b/charts/kyverno/templates/admission-controller/flowschema.yaml @@ -52,8 +52,6 @@ spec: - clusterpolicies/status - globalcontextentries - globalcontextentries/status - - clusteradmissionreports - - clusterbackgroundscanreports verbs: - create - delete @@ -72,8 +70,6 @@ spec: - policies/status - updaterequests - updaterequests/status - - admissionreports - - backgroundscanreports verbs: - create - delete diff --git a/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml deleted file mode 100644 index 7686d3efb5..0000000000 --- a/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.admissionReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-admission-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.admissionReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.admissionReports.backoffLimit }} - {{- if .Values.cleanupJobs.admissionReports.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.admissionReports.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.admissionReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.admissionReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.admissionReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.admissionReports.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.admissionReports.threshold }} ]; then - echo "too many reports found ($COUNT), cleaning up..." 
- kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.admissionReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.admissionReports.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.admissionReports.podAntiAffinity .Values.cleanupJobs.admissionReports.podAffinity .Values.cleanupJobs.admissionReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.admissionReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.admissionReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml deleted file mode 100644 index 3aed886802..0000000000 --- a/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.clusterAdmissionReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-cluster-admission-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.clusterAdmissionReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.backoffLimit }} - {{- if .Values.cleanupJobs.clusterAdmissionReports.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.clusterAdmissionReports.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.clusterAdmissionReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.clusterAdmissionReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.priorityClassName }} - priorityClassName: {{ . 
}} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.clusterAdmissionReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.clusterAdmissionReports.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterAdmissionReports.threshold }} ]; then - echo "too many reports found ($COUNT), cleaning up..." - kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.clusterAdmissionReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.clusterAdmissionReports.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.clusterAdmissionReports.podAntiAffinity .Values.cleanupJobs.clusterAdmissionReports.podAffinity .Values.cleanupJobs.clusterAdmissionReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.clusterAdmissionReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) 
$ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterAdmissionReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml b/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml index 51d7ee10a7..9344354fae 100644 --- a/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml +++ b/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml @@ -73,7 +73,7 @@ spec: nodeSelector: {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} - {{- if or .Values.cleanupJobs.updateRequests.podAntiAffinity .Values.cleanupJobs.updateRequests.podAffinity .Values.cleanupJobs.admissionReports.nodeAffinity }} + {{- if or .Values.cleanupJobs.updateRequests.podAntiAffinity .Values.cleanupJobs.updateRequests.podAffinity .Values.cleanupJobs.updateRequests.nodeAffinity }} affinity: {{- with .Values.cleanupJobs.updateRequests.podAntiAffinity }} podAntiAffinity: diff --git a/charts/kyverno/templates/cleanup/clusterrole.yaml b/charts/kyverno/templates/cleanup/clusterrole.yaml index b97c50dd2d..094328dbc2 100644 --- a/charts/kyverno/templates/cleanup/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup/clusterrole.yaml @@ -8,8 +8,6 @@ rules: - apiGroups: - kyverno.io resources: - - admissionreports - - clusteradmissionreports - updaterequests verbs: - list diff --git a/charts/kyverno/templates/rbac/reports.yaml b/charts/kyverno/templates/rbac/reports.yaml index e0c4c9d153..89ea5dc4f8 100644 --- a/charts/kyverno/templates/rbac/reports.yaml +++ b/charts/kyverno/templates/rbac/reports.yaml 
@@ -6,21 +6,6 @@ metadata: labels: {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - reports.kyverno.io resources: @@ -42,17 +27,6 @@ metadata: labels: {{- include "kyverno.rbac.labels.view" . | nindent 4 }} rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - get - - list - - watch - apiGroups: - reports.kyverno.io resources: diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml index 45bccb9c2c..b21ac21786 100644 --- a/charts/kyverno/templates/reports-controller/clusterrole.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml @@ -39,10 +39,6 @@ rules: resources: - globalcontextentries - globalcontextentries/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - policyexceptions - policies - clusterpolicies diff --git a/charts/kyverno/templates/reports-controller/flowschema.yaml b/charts/kyverno/templates/reports-controller/flowschema.yaml index 0f5ab20203..7dbd98a07e 100644 --- a/charts/kyverno/templates/reports-controller/flowschema.yaml +++ b/charts/kyverno/templates/reports-controller/flowschema.yaml 
@@ -20,37 +20,6 @@ spec: - get - list - watch - - apiGroups: - - kyverno.io - clusterScope: true - resources: - - clusteradmissionreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - - apiGroups: - - kyverno.io - namespaces: - - '*' - resources: - - admissionreports - - backgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection - apiGroups: - reports.kyverno.io clusterScope: true diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index d824c63abc..0ce6ae34f4 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -687,166 +687,6 @@ features: # Cleanup cronjobs to prevent internal resources from stacking up in the cluster cleanupJobs: - admissionReports: - - # -- Enable cleanup cronjob - enabled: true - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. - backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - clusterAdmissionReports: - - # -- Enable cleanup cronjob - enabled: true - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. 
- backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod Labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - updateRequests: # -- Enable cleanup cronjob @@ -930,7 +770,7 @@ cleanupJobs: ephemeralReports: # -- Enable cleanup cronjob - enabled: true + enabled: false # -- Maximum number of retries before considering a Job as failed. Defaults to 3. backoffLimit: 3 @@ -1010,7 +850,7 @@ cleanupJobs: clusterEphemeralReports: # -- Enable cleanup cronjob - enabled: true + enabled: false # -- Maximum number of retries before considering a Job as failed. Defaults to 3. backoffLimit: 3 
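Review bot: Flipping `ephemeralReports.enabled` and `clusterEphemeralReports.enabled` to `false` in the `@@ -930,7 +770,7 @@` and `@@ -1010,7 +850,7 @@` hunks of `charts/kyverno/values.yaml` leaves a default install with no report cleanup CronJob at all now that the admission-report jobs are deleted in the same change; the rendered `config/install-latest-testing.yaml` hunk confirms this, with all four report cleanup CronJobs disappearing and only `kyverno-cleanup-update-requests` remaining. The section heading in this file says these jobs exist "to prevent internal resources from stacking up in the cluster", so the new default needs its rationale recorded next to the flag — if the reports controller is now expected to reclaim `reports.kyverno.io` objects itself, say so, e.g. `# -- Enable cleanup cronjob. Disabled by default; enable if ephemeral reports accumulate in the cluster`. The CI values file (`charts/kyverno/ci/cleanupJobs-values.yaml`) still enables both jobs so the templates remain exercised, but a user upgrading with the previous defaults silently loses the safeguard, which is worth a line in the upgrade notes as well.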
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index c572659c60..52f7c7b82d 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -43008,10 +43008,6 @@ rules: - updaterequests/status - globalcontextentries - globalcontextentries/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - policyexceptions verbs: - create @@ -43326,8 +43322,6 @@ rules: - apiGroups: - kyverno.io resources: - - admissionreports - - clusteradmissionreports - updaterequests verbs: - list @@ -43450,21 +43444,6 @@ metadata: app.kubernetes.io/version: latest rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - reports.kyverno.io resources: @@ -43490,17 +43469,6 @@ metadata: app.kubernetes.io/version: latest rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - get - - list - - watch - apiGroups: - reports.kyverno.io resources: @@ -43602,10 +43570,6 @@ rules: resources: - globalcontextentries - globalcontextentries/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - policyexceptions - policies - clusterpolicies 
@@ -44724,206 +44688,6 @@ spec: --- apiVersion: batch/v1 kind: CronJob -metadata: - name: kyverno-cleanup-admission-reports - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -spec: - schedule: "*/10 * * * *" - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - backoffLimit: 3 - template: - metadata: - spec: - serviceAccountName: kyverno-cleanup-jobs - containers: - - name: cleanup - image: "bitnami/kubectl:1.30.2" - imagePullPolicy: - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt 10000 ]; then - echo "too many reports found ($COUNT), cleaning up..." - kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kyverno-cleanup-cluster-admission-reports - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -spec: - schedule: "*/10 * * * *" - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - backoffLimit: 3 - template: - metadata: - spec: - serviceAccountName: kyverno-cleanup-jobs - containers: - - name: cleanup - image: "bitnami/kubectl:1.30.2" - imagePullPolicy: - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt 10000 ]; then - echo "too 
many reports found ($COUNT), cleaning up..." - kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' - else - echo "($COUNT) reports found, no clean up needed" - fi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kyverno-cleanup-cluster-ephemeral-reports - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -spec: - schedule: "*/10 * * * *" - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - backoffLimit: 3 - template: - metadata: - spec: - serviceAccountName: kyverno-cleanup-jobs - containers: - - name: cleanup - image: "bitnami/kubectl:1.30.2" - imagePullPolicy: - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt 10000 ]; then - echo "too many clusterephemeralreports found ($COUNT), cleaning up..." 
- kubectl delete clusterephemeralreports.reports.kyverno.io -A --all - else - echo "($COUNT) reports found, no clean up needed" - fi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kyverno-cleanup-ephemeral-reports - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -spec: - schedule: "*/10 * * * *" - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - backoffLimit: 3 - template: - metadata: - spec: - serviceAccountName: kyverno-cleanup-jobs - containers: - - name: cleanup - image: "bitnami/kubectl:1.30.2" - imagePullPolicy: - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt 10000 ]; then - echo "too many ephemeralreports found ($COUNT), cleaning up..." - kubectl delete ephemeralreports.reports.kyverno.io -A --all - else - echo "($COUNT) reports found, no clean up needed" - fi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure ---- -apiVersion: batch/v1 -kind: CronJob metadata: name: kyverno-cleanup-update-requests namespace: kyverno diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/rbac.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/rbac.yaml index 92dd88b39d..759e6c41ae 100644 
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/rbac.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/rbac.yaml @@ -364,21 +364,6 @@ rules: - patch - update - watch -- apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - reports.kyverno.io resources: diff --git a/test/conformance/chainsaw/rbac/aggregate-to-admin/admin-reports.yaml b/test/conformance/chainsaw/rbac/aggregate-to-admin/admin-reports.yaml index fd30b4e4f8..873fd8ae8e 100644 --- a/test/conformance/chainsaw/rbac/aggregate-to-admin/admin-reports.yaml +++ b/test/conformance/chainsaw/rbac/aggregate-to-admin/admin-reports.yaml @@ -5,21 +5,6 @@ metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - - apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - apiGroups: - reports.kyverno.io resources: