diff --git a/Makefile b/Makefile
index 0c9808265d..c2d99af004 100644
--- a/Makefile
+++ b/Makefile
@@ -925,9 +925,9 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
 --set backgroundController.image.registry=$(LOCAL_REGISTRY) \
 --set backgroundController.image.repository=$(LOCAL_BACKGROUND_REPO) \
 --set backgroundController.image.tag=$(GIT_SHA) \
- --set crdsMigration.image.registry=$(LOCAL_REGISTRY) \
- --set crdsMigration.image.repository=$(LOCAL_CLI_REPO) \
- --set crdsMigration.image.tag=$(GIT_SHA) \
+ --set crds.migration.image.registry=$(LOCAL_REGISTRY) \
+ --set crds.migration.image.repository=$(LOCAL_CLI_REPO) \
+ --set crds.migration.image.tag=$(GIT_SHA) \
 $(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml)
 .PHONY: kind-deploy-kyverno
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 81bb85e813..d2d1ebabca 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -255,6 +255,21 @@ The chart values are organised per component.
 | crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
 | crds.annotations | object | `{}` | Additional CRDs annotations |
 | crds.customLabels | object | `{}` | Additional CRDs labels |
+| crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook |
+| crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","policyexceptions.kyverno.io"]` | Resources to migrate |
+| crds.migration.image.registry | string | `"ghcr.io"` | Image registry |
+| crds.migration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository |
+| crds.migration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
+| crds.migration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| crds.migration.imagePullSecrets | list | `[]` | Image pull secrets |
+| crds.migration.podSecurityContext | object | `{}` | Security context for the pod |
+| crds.migration.nodeSelector | object | `{}` | Node labels for pod assignment |
+| crds.migration.tolerations | list | `[]` | List of node taints to tolerate |
+| crds.migration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| crds.migration.podAffinity | object | `{}` | Pod affinity constraints. |
+| crds.migration.podLabels | object | `{}` | Pod labels. |
+| crds.migration.nodeAffinity | object | `{}` | Node affinity constraints. |
+| crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
 ### Config
@@ -767,21 +782,6 @@ The chart values are organised per component. | policyReportsCleanup.podLabels | object | `{}` | Pod labels. | | policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | | policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | -| crdsMigration.exceptions | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version | -| crdsMigration.cleanuppolicies | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version | -| crdsMigration.image.registry | string | `"ghcr.io"` | Image registry | -| crdsMigration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository | -| crdsMigration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | -| crdsMigration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | -| crdsMigration.imagePullSecrets | list | `[]` | Image pull secrets | -| crdsMigration.podSecurityContext | object | `{}` | Security context for the pod | -| crdsMigration.nodeSelector | object | `{}` | Node labels for pod assignment | -| crdsMigration.tolerations | list | `[]` | List of node taints to tolerate | -| crdsMigration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| crdsMigration.podAffinity | object | `{}` | Pod affinity constraints. | -| crdsMigration.podLabels | object | `{}` | Pod labels. | -| crdsMigration.nodeAffinity | object | `{}` | Node affinity constraints. 
| -| crdsMigration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | ## TLS Configuration diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml index 9a2b4019b9..75e8862cbc 100644 --- a/charts/kyverno/templates/admission-controller/clusterrole.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml @@ -98,20 +98,6 @@ rules: - subjectaccessreviews verbs: - create - {{- if .Values.crdsMigration.exceptions.enabled }} - - apiGroups: - - kyverno.io - resources: - - policyexceptions - verbs: - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions/status - verbs: - - update - {{- end }} - apiGroups: - '*' resources: diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index f26dac225e..9f20026639 100644 --- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -45,9 +45,6 @@ rules: verbs: - list - watch - {{- if .Values.crdsMigration.cleanuppolicies.enabled }} - - update - {{- end }} - apiGroups: - kyverno.io resources: @@ -55,20 +52,6 @@ rules: - cleanuppolicies/status verbs: - update - {{- if .Values.crdsMigration.cleanuppolicies.enabled }} - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions/status - verbs: - - update - {{- end }} - apiGroups: - '' resources: 
diff --git a/charts/kyverno/templates/hooks/crds-migration/cleanup-post-upgrade.yaml b/charts/kyverno/templates/hooks/crds-migration/cleanup-post-upgrade.yaml deleted file mode 100644 index 8b5f4761ff..0000000000 --- a/charts/kyverno/templates/hooks/crds-migration/cleanup-post-upgrade.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -{{- if .Values.cleanupController.enabled -}} -{{- if and .Values.crdsMigration.cleanuppolicies.enabled (not .Values.templating.enabled) -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-cleanuppolicies-migration - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - backoffLimit: 2 - template: - metadata: - {{- with .Values.crdsMigration.podLabels }} - labels: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - serviceAccount: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - {{- with .Values.crdsMigration.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - restartPolicy: Never - containers: - - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }} - imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }} - args: - - migrate - - --resource - - cleanuppolicies.kyverno.io - - --resource - - clustercleanuppolicies.kyverno.io - {{- with .Values.crdsMigration.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.crdsMigration.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.crdsMigration.tolerations }} - tolerations: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) 
$ | nindent 8 }} - {{- end }} - {{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }} - affinity: - {{- with .Values.crdsMigration.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.crdsMigration.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.crdsMigration.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/kyverno/templates/hooks/crds-migration/exceptions-post-upgrade.yaml b/charts/kyverno/templates/hooks/crds-migration/exceptions-post-upgrade.yaml deleted file mode 100644 index 213a7e382c..0000000000 --- a/charts/kyverno/templates/hooks/crds-migration/exceptions-post-upgrade.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{- if and .Values.crdsMigration.exceptions.enabled (not .Values.templating.enabled) -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-exceptions-migration - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - backoffLimit: 2 - template: - metadata: - {{- with .Values.crdsMigration.podLabels }} - labels: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} - {{- with .Values.crdsMigration.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - restartPolicy: Never - containers: - - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }} - imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }} - args: - - migrate - - --resource - - policyexceptions.kyverno.io - {{- with .Values.crdsMigration.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.crdsMigration.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.crdsMigration.tolerations }} - tolerations: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }} - affinity: - {{- with .Values.crdsMigration.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) 
$ | nindent 10 }} - {{- end }} - {{- with .Values.crdsMigration.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.crdsMigration.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade.yaml b/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml similarity index 94% rename from charts/kyverno/templates/hooks/post-upgrade.yaml rename to charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml index 3cbd056c33..3be18e4cd4 100644 --- a/charts/kyverno/templates/hooks/post-upgrade.yaml +++ b/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml @@ -1,15 +1,15 @@ {{- if .Values.policyReportsCleanup.enabled -}} - {{- if not .Values.templating.enabled -}} +{{- if not .Values.templating.enabled -}} apiVersion: batch/v1 kind: Job metadata: - name: {{ template "kyverno.fullname" . }}-hook-post-upgrade + name: {{ template "kyverno.fullname" . }}-clean-reports namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.hooks.labels" . | nindent 4 }} annotations: - "helm.sh/hook": post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed spec: backoffLimit: 2 template: @@ -86,5 +86,5 @@ spec: {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} {{- end }} - {{- end -}} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml new file mode 100644 index 0000000000..8b56afc65b --- /dev/null +++ b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 
@@ -0,0 +1,134 @@
+{{- if .Values.crds.migration.enabled -}}
+{{- if not .Values.templating.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.fullname" . }}:migrate-resources
+ labels:
+ {{- include "kyverno.hooks.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: "100"
+rules:
+ - apiGroups:
+ - kyverno.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - update
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions/status
+ verbs:
+ - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "kyverno.fullname" . }}:migrate-resources
+ labels:
+ {{- include "kyverno.hooks.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: "100"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kyverno.fullname" . }}:migrate-resources
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kyverno.fullname" . }}-migrate-resources
+ namespace: {{ template "kyverno.namespace" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kyverno.fullname" . }}-migrate-resources
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.hooks.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: "100"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "kyverno.fullname" . }}-migrate-resources
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.hooks.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: "200"
+spec:
+ backoffLimit: 2
+ template:
+ metadata:
+ {{- with .Values.crds.migration.podLabels }}
+ labels:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccount: {{ template "kyverno.fullname" . }}-migrate-resources
+ {{- with .Values.crds.migration.podSecurityContext }}
+ securityContext:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }}
+ imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }}
+ args:
+ - migrate
+ {{- range .Values.crds.migration.resources }}
+ - --resource
+ - {{ . }}
+ {{- end }}
+ {{- with .Values.crds.migration.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.crds.migration.imagePullSecrets }}
+ imagePullSecrets:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.crds.migration.tolerations }}
+ tolerations:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.crds.migration.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.crds.migration.podAntiAffinity .Values.crds.migration.podAffinity .Values.crds.migration.nodeAffinity }}
+ affinity:
+ {{- with .Values.crds.migration.podAntiAffinity }}
+ podAntiAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- with .Values.crds.migration.podAffinity }}
+ podAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- with .Values.crds.migration.nodeAffinity }}
+ nodeAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/hooks/pre-delete.yaml b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
similarity index 92%
rename from charts/kyverno/templates/hooks/pre-delete.yaml
rename to charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
index f848f7dcf3..1d571ae1ae 100644
--- a/charts/kyverno/templates/hooks/pre-delete.yaml
+++ b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
@@ -1,15 +1,15 @@
 {{- if .Values.webhooksCleanup.enabled -}}
- {{- if not .Values.templating.enabled -}}
+{{- if not .Values.templating.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: {{ template "kyverno.fullname" . }}-hook-pre-delete
+ name: {{ template "kyverno.fullname" . }}-scale-to-zero
 namespace: {{ template "kyverno.namespace" . }}
 labels:
 {{- include "kyverno.hooks.labels" . | nindent 4 }}
 annotations:
- "helm.sh/hook": pre-delete
- "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
 spec:
 backoffLimit: 2
 template:
@@ -68,5 +68,5 @@ spec:
 {{- tpl (toYaml .) $ | nindent 10 }}
 {{- end }}
 {{- end }}
- {{- end -}}
+{{- end -}}
 {{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 728e263ab8..1fb37273ee 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
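Review bot: The new ClusterRole in `post-upgrade-migrate-resources.yaml` grants `get`, `list` and `update` on `resources: '*'` for the whole `kyverno.io` group, although the Job only passes the entries of `crds.migration.resources` to `migrate`, and the rules this commit removes from the controller roles were limited to `policyexceptions` and the cleanup policies. As written, the hook's service account can update every Kyverno resource kind, policies included, so the `- '*'` entry is better replaced by a `range` over `.Values.crds.migration.resources` that emits `{{ splitList "." . | first }}` for each entry (this assumes every entry has the form `<plural>.kyverno.io`). The ServiceAccount's `helm.sh/hook-delete-policy` also lacks `hook-failed`, unlike the ClusterRole and ClusterRoleBinding, so a failed run may leave the account behind; if that is deliberate, a comment should say why. The pod spec uses `serviceAccount:`, the deprecated alias of `serviceAccountName:`.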
@@ -69,6 +69,67 @@ crds:
 # -- Additional CRDs labels
 customLabels: {}
+ migration:
+
+ # -- Enable CRDs migration using helm post upgrade hook
+ enabled: true
+
+ # -- Resources to migrate
+ resources:
+ - cleanuppolicies.kyverno.io
+ - clustercleanuppolicies.kyverno.io
+ - policyexceptions.kyverno.io
+
+ image:
+ # -- (string) Image registry
+ registry: ghcr.io
+ # -- (string) Image repository
+ repository: kyverno/kyverno-cli
+ # -- (string) Image tag
+ # Defaults to appVersion in Chart.yaml if omitted
+ tag: ~
+ # -- (string) Image pull policy
+ pullPolicy: IfNotPresent
+
+ # -- Image pull secrets
+ imagePullSecrets: []
+ # - name: secretName
+
+ # -- Security context for the pod
+ podSecurityContext: {}
+
+ # -- Node labels for pod assignment
+ nodeSelector: {}
+
+ # -- List of node taints to tolerate
+ tolerations: []
+
+ # -- Pod anti affinity constraints.
+ podAntiAffinity: {}
+
+ # -- Pod affinity constraints.
+ podAffinity: {}
+
+ # -- Pod labels.
+ podLabels: {}
+
+ # -- Node affinity constraints.
+ nodeAffinity: {}
+
+ # -- Security context for the hook containers
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+
 # Configuration
 config:
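Review bot: Moving this block to `crds.migration` means existing overrides under `crdsMigration.*` are silently ignored, so a release that pointed `crdsMigration.image.registry` at a private mirror or set `crdsMigration.exceptions.enabled: false` would, after upgrading, run the hook with `enabled: true` and the `ghcr.io` default. Nothing in the visible hunks rejects the old key; a guard in a chart template such as `{{- if hasKey .Values "crdsMigration" }}{{ fail "crdsMigration has moved to crds.migration" }}{{- end }}` would make the rename fail loudly instead. The comment on `resources` could also say that each entry is a `<plural>.<group>` name passed as a `--resource` argument to the `migrate` command.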
@@ -467,65 +528,6 @@ policyReportsCleanup: seccompProfile: type: RuntimeDefault -crdsMigration: - # -- Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version - exceptions: - enabled: true - - # -- Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version - cleanuppolicies: - enabled: true - - image: - # -- (string) Image registry - registry: ghcr.io - # -- (string) Image repository - repository: kyverno/kyverno-cli - # -- (string) Image tag - # Defaults to appVersion in Chart.yaml if omitted - tag: ~ - # -- (string) Image pull policy - pullPolicy: IfNotPresent - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Security context for the pod - podSecurityContext: {} - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Pod labels. - podLabels: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - # -- Security context for the hook containers - securityContext: - runAsUser: 65534 - runAsGroup: 65534 - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - grafana: # -- Enable grafana dashboard creation. enabled: false diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index f941d6dc97..341dfd4718 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -49217,18 +49217,6 @@ rules: - subjectaccessreviews verbs: - create - - apiGroups: - - kyverno.io - resources: - - policyexceptions - verbs: - - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions/status - verbs: - - update - apiGroups: - '*' resources: 
@@ -49397,7 +49385,6 @@ rules: verbs: - list - watch - - update - apiGroups: - kyverno.io resources: @@ -49405,18 +49392,6 @@ rules: - cleanuppolicies/status verbs: - update - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions/status - verbs: - - update - apiGroups: - '' resources: