mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

feat: improve crd migration helm hooks (#9481)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2024-01-22 15:13:29 +01:00 committed by GitHub
parent 0ee6933d71
commit 2f4b823030
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 223 additions and 279 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Makefile
View file

@ -925,9 +925,9 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
--set backgroundController.image.registry=$(LOCAL_REGISTRY) \
--set backgroundController.image.repository=$(LOCAL_BACKGROUND_REPO) \
--set backgroundController.image.tag=$(GIT_SHA) \
--set crdsMigration.image.registry=$(LOCAL_REGISTRY) \
--set crdsMigration.image.repository=$(LOCAL_CLI_REPO) \
--set crdsMigration.image.tag=$(GIT_SHA) \
--set crds.migration.image.registry=$(LOCAL_REGISTRY) \
--set crds.migration.image.repository=$(LOCAL_CLI_REPO) \
--set crds.migration.image.tag=$(GIT_SHA) \
$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml)
.PHONY: kind-deploy-kyverno

30
charts/kyverno/README.md
View file

@ -255,6 +255,21 @@ The chart values are organised per component.
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.annotations | object | `{}` | Additional CRDs annotations |
| crds.customLabels | object | `{}` | Additional CRDs labels |
| crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook |
| crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","policyexceptions.kyverno.io"]` | Resources to migrate |
| crds.migration.image.registry | string | `"ghcr.io"` | Image registry |
| crds.migration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository |
| crds.migration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| crds.migration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| crds.migration.imagePullSecrets | list | `[]` | Image pull secrets |
| crds.migration.podSecurityContext | object | `{}` | Security context for the pod |
| crds.migration.nodeSelector | object | `{}` | Node labels for pod assignment |
| crds.migration.tolerations | list | `[]` | List of node taints to tolerate |
| crds.migration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| crds.migration.podAffinity | object | `{}` | Pod affinity constraints. |
| crds.migration.podLabels | object | `{}` | Pod labels. |
| crds.migration.nodeAffinity | object | `{}` | Node affinity constraints. |
| crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
### Config
@ -767,21 +782,6 @@ The chart values are organised per component.
| policyReportsCleanup.podLabels | object | `{}` | Pod labels. |
| policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
| policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
| crdsMigration.exceptions | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version |
| crdsMigration.cleanuppolicies | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version |
| crdsMigration.image.registry | string | `"ghcr.io"` | Image registry |
| crdsMigration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository |
| crdsMigration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| crdsMigration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| crdsMigration.imagePullSecrets | list | `[]` | Image pull secrets |
| crdsMigration.podSecurityContext | object | `{}` | Security context for the pod |
| crdsMigration.nodeSelector | object | `{}` | Node labels for pod assignment |
| crdsMigration.tolerations | list | `[]` | List of node taints to tolerate |
| crdsMigration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| crdsMigration.podAffinity | object | `{}` | Pod affinity constraints. |
| crdsMigration.podLabels | object | `{}` | Pod labels. |
| crdsMigration.nodeAffinity | object | `{}` | Node affinity constraints. |
| crdsMigration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
## TLS Configuration

14
charts/kyverno/templates/admission-controller/clusterrole.yaml
View file

@ -98,20 +98,6 @@ rules:
- subjectaccessreviews
verbs:
- create
{{- if .Values.crdsMigration.exceptions.enabled }}
- apiGroups:
- kyverno.io
resources:
- policyexceptions
verbs:
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
{{- end }}
- apiGroups:
- '*'
resources:

17
charts/kyverno/templates/cleanup-controller/clusterrole.yaml
View file

@ -45,9 +45,6 @@ rules:
verbs:
- list
- watch
{{- if .Values.crdsMigration.cleanuppolicies.enabled }}
- update
{{- end }}
- apiGroups:
- kyverno.io
resources:
@ -55,20 +52,6 @@ rules:
- cleanuppolicies/status
verbs:
- update
{{- if .Values.crdsMigration.cleanuppolicies.enabled }}
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
{{- end }}
- apiGroups:
- ''
resources:

70
charts/kyverno/templates/hooks/crds-migration/cleanup-post-upgrade.yaml
View file

@ -1,70 +0,0 @@
{{- if .Values.cleanupController.enabled -}}
{{- if and .Values.crdsMigration.cleanuppolicies.enabled (not .Values.templating.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-cleanuppolicies-migration
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.crdsMigration.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
{{- with .Values.crdsMigration.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }}
imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }}
args:
- migrate
- --resource
- cleanuppolicies.kyverno.io
- --resource
- clustercleanuppolicies.kyverno.io
{{- with .Values.crdsMigration.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.crdsMigration.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }}
affinity:
{{- with .Values.crdsMigration.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}

66
charts/kyverno/templates/hooks/crds-migration/exceptions-post-upgrade.yaml
View file

@ -1,66 +0,0 @@
{{- if and .Values.crdsMigration.exceptions.enabled (not .Values.templating.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-exceptions-migration
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.crdsMigration.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
{{- with .Values.crdsMigration.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }}
imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }}
args:
- migrate
- --resource
- policyexceptions.kyverno.io
{{- with .Values.crdsMigration.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.crdsMigration.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }}
affinity:
{{- with .Values.crdsMigration.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}

10
charts/kyverno/templates/hooks/post-upgrade.yaml → charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml
View file

@ -1,15 +1,15 @@
{{- if .Values.policyReportsCleanup.enabled -}}
{{- if not .Values.templating.enabled -}}
{{- if not .Values.templating.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-post-upgrade
name: {{ template "kyverno.fullname" . }}-clean-reports
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
@ -86,5 +86,5 @@ spec:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}

134
charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml Normal file
View file

@ -0,0 +1,134 @@
{{- if .Values.crds.migration.enabled -}}
{{- if not .Values.templating.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:migrate-resources
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
rules:
- apiGroups:
- kyverno.io
resources:
- '*'
verbs:
- get
- list
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:migrate-resources
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:migrate-resources
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.fullname" . }}-migrate-resources
namespace: {{ template "kyverno.namespace" . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.fullname" . }}-migrate-resources
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "100"
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-migrate-resources
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "200"
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.crds.migration.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ template "kyverno.fullname" . }}-migrate-resources
{{- with .Values.crds.migration.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }}
imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }}
args:
- migrate
{{- range .Values.crds.migration.resources }}
- --resource
- {{ . }}
{{- end }}
{{- with .Values.crds.migration.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.crds.migration.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crds.migration.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crds.migration.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.crds.migration.podAntiAffinity .Values.crds.migration.podAffinity .Values.crds.migration.nodeAffinity }}
affinity:
{{- with .Values.crds.migration.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crds.migration.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crds.migration.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}

10
charts/kyverno/templates/hooks/pre-delete.yaml → charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
View file

@ -1,15 +1,15 @@
{{- if .Values.webhooksCleanup.enabled -}}
{{- if not .Values.templating.enabled -}}
{{- if not .Values.templating.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-pre-delete
name: {{ template "kyverno.fullname" . }}-scale-to-zero
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
@ -68,5 +68,5 @@ spec:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}

120
charts/kyverno/values.yaml
View file

@ -69,6 +69,67 @@ crds:
# -- Additional CRDs labels
customLabels: {}
migration:
# -- Enable CRDs migration using helm post upgrade hook
enabled: true
# -- Resources to migrate
resources:
- cleanuppolicies.kyverno.io
- clustercleanuppolicies.kyverno.io
- policyexceptions.kyverno.io
image:
# -- (string) Image registry
registry: ghcr.io
# -- (string) Image repository
repository: kyverno/kyverno-cli
# -- (string) Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: ~
# -- (string) Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Security context for the pod
podSecurityContext: {}
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Pod labels.
podLabels: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Security context for the hook containers
securityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# Configuration
config:
@ -467,65 +528,6 @@ policyReportsCleanup:
seccompProfile:
type: RuntimeDefault
crdsMigration:
# -- Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version
exceptions:
enabled: true
# -- Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version
cleanuppolicies:
enabled: true
image:
# -- (string) Image registry
registry: ghcr.io
# -- (string) Image repository
repository: kyverno/kyverno-cli
# -- (string) Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: ~
# -- (string) Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Security context for the pod
podSecurityContext: {}
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Pod labels.
podLabels: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Security context for the hook containers
securityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
grafana:
# -- Enable grafana dashboard creation.
enabled: false

25
config/install-latest-testing.yaml
View file

@ -49217,18 +49217,6 @@ rules:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- kyverno.io
resources:
- policyexceptions
verbs:
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
- apiGroups:
- '*'
resources:
@ -49397,7 +49385,6 @@ rules:
verbs:
- list
- watch
- update
- apiGroups:
- kyverno.io
resources:
@ -49405,18 +49392,6 @@ rules:
- cleanuppolicies/status
verbs:
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
- apiGroups:
- ''
resources: