mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

feat: improve crd migration helm hooks (#9481)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2024-01-22 15:13:29 +01:00 committed by GitHub
parent 0ee6933d71
commit 2f4b823030
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 223 additions and 279 deletions


@ -925,9 +925,9 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
--set backgroundController.image.registry=$(LOCAL_REGISTRY) \ --set backgroundController.image.registry=$(LOCAL_REGISTRY) \
--set backgroundController.image.repository=$(LOCAL_BACKGROUND_REPO) \ --set backgroundController.image.repository=$(LOCAL_BACKGROUND_REPO) \
--set backgroundController.image.tag=$(GIT_SHA) \ --set backgroundController.image.tag=$(GIT_SHA) \
--set crdsMigration.image.registry=$(LOCAL_REGISTRY) \ --set crds.migration.image.registry=$(LOCAL_REGISTRY) \
--set crdsMigration.image.repository=$(LOCAL_CLI_REPO) \ --set crds.migration.image.repository=$(LOCAL_CLI_REPO) \
--set crdsMigration.image.tag=$(GIT_SHA) \ --set crds.migration.image.tag=$(GIT_SHA) \
$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml) $(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml)
.PHONY: kind-deploy-kyverno .PHONY: kind-deploy-kyverno


@ -255,6 +255,21 @@ The chart values are organised per component.
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created | | crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.annotations | object | `{}` | Additional CRDs annotations | | crds.annotations | object | `{}` | Additional CRDs annotations |
| crds.customLabels | object | `{}` | Additional CRDs labels | | crds.customLabels | object | `{}` | Additional CRDs labels |
| crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook |
| crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","policyexceptions.kyverno.io"]` | Resources to migrate |
| crds.migration.image.registry | string | `"ghcr.io"` | Image registry |
| crds.migration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository |
| crds.migration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| crds.migration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| crds.migration.imagePullSecrets | list | `[]` | Image pull secrets |
| crds.migration.podSecurityContext | object | `{}` | Security context for the pod |
| crds.migration.nodeSelector | object | `{}` | Node labels for pod assignment |
| crds.migration.tolerations | list | `[]` | List of node taints to tolerate |
| crds.migration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| crds.migration.podAffinity | object | `{}` | Pod affinity constraints. |
| crds.migration.podLabels | object | `{}` | Pod labels. |
| crds.migration.nodeAffinity | object | `{}` | Node affinity constraints. |
| crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
### Config ### Config
@ -767,21 +782,6 @@ The chart values are organised per component.
| policyReportsCleanup.podLabels | object | `{}` | Pod labels. | | policyReportsCleanup.podLabels | object | `{}` | Pod labels. |
| policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | | policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
| policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | | policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
| crdsMigration.exceptions | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version |
| crdsMigration.cleanuppolicies | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version |
| crdsMigration.image.registry | string | `"ghcr.io"` | Image registry |
| crdsMigration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository |
| crdsMigration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| crdsMigration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| crdsMigration.imagePullSecrets | list | `[]` | Image pull secrets |
| crdsMigration.podSecurityContext | object | `{}` | Security context for the pod |
| crdsMigration.nodeSelector | object | `{}` | Node labels for pod assignment |
| crdsMigration.tolerations | list | `[]` | List of node taints to tolerate |
| crdsMigration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| crdsMigration.podAffinity | object | `{}` | Pod affinity constraints. |
| crdsMigration.podLabels | object | `{}` | Pod labels. |
| crdsMigration.nodeAffinity | object | `{}` | Node affinity constraints. |
| crdsMigration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
## TLS Configuration ## TLS Configuration


@ -98,20 +98,6 @@ rules:
- subjectaccessreviews - subjectaccessreviews
verbs: verbs:
- create - create
{{- if .Values.crdsMigration.exceptions.enabled }}
- apiGroups:
- kyverno.io
resources:
- policyexceptions
verbs:
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
{{- end }}
- apiGroups: - apiGroups:
- '*' - '*'
resources: resources:


@ -45,9 +45,6 @@ rules:
verbs: verbs:
- list - list
- watch - watch
{{- if .Values.crdsMigration.cleanuppolicies.enabled }}
- update
{{- end }}
- apiGroups: - apiGroups:
- kyverno.io - kyverno.io
resources: resources:
@ -55,20 +52,6 @@ rules:
- cleanuppolicies/status - cleanuppolicies/status
verbs: verbs:
- update - update
{{- if .Values.crdsMigration.cleanuppolicies.enabled }}
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
{{- end }}
- apiGroups: - apiGroups:
- '' - ''
resources: resources:


@ -1,70 +0,0 @@
{{- if .Values.cleanupController.enabled -}}
{{- if and .Values.crdsMigration.cleanuppolicies.enabled (not .Values.templating.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-cleanuppolicies-migration
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.crdsMigration.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
{{- with .Values.crdsMigration.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }}
imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }}
args:
- migrate
- --resource
- cleanuppolicies.kyverno.io
- --resource
- clustercleanuppolicies.kyverno.io
{{- with .Values.crdsMigration.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.crdsMigration.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }}
affinity:
{{- with .Values.crdsMigration.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}


@ -1,66 +0,0 @@
{{- if and .Values.crdsMigration.exceptions.enabled (not .Values.templating.enabled) -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-exceptions-migration
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.crdsMigration.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
{{- with .Values.crdsMigration.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }}
imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }}
args:
- migrate
- --resource
- policyexceptions.kyverno.io
{{- with .Values.crdsMigration.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.crdsMigration.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }}
affinity:
{{- with .Values.crdsMigration.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crdsMigration.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}


@ -1,15 +1,15 @@
{{- if .Values.policyReportsCleanup.enabled -}} {{- if .Values.policyReportsCleanup.enabled -}}
{{- if not .Values.templating.enabled -}} {{- if not .Values.templating.enabled -}}
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: {{ template "kyverno.fullname" . }}-hook-post-upgrade name: {{ template "kyverno.fullname" . }}-clean-reports
namespace: {{ template "kyverno.namespace" . }} namespace: {{ template "kyverno.namespace" . }}
labels: labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }} {{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations: annotations:
"helm.sh/hook": post-upgrade helm.sh/hook: post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
spec: spec:
backoffLimit: 2 backoffLimit: 2
template: template:
@ -86,5 +86,5 @@ spec:
{{- tpl (toYaml .) $ | nindent 10 }} {{- tpl (toYaml .) $ | nindent 10 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}


@ -0,0 +1,134 @@
{{- if .Values.crds.migration.enabled -}}
{{- if not .Values.templating.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:migrate-resources
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
rules:
- apiGroups:
- kyverno.io
resources:
- '*'
verbs:
- get
- list
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:migrate-resources
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "100"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:migrate-resources
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.fullname" . }}-migrate-resources
namespace: {{ template "kyverno.namespace" . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.fullname" . }}-migrate-resources
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "100"
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-migrate-resources
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: "200"
spec:
backoffLimit: 2
template:
metadata:
{{- with .Values.crds.migration.podLabels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccount: {{ template "kyverno.fullname" . }}-migrate-resources
{{- with .Values.crds.migration.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }}
imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }}
args:
- migrate
{{- range .Values.crds.migration.resources }}
- --resource
- {{ . }}
{{- end }}
{{- with .Values.crds.migration.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.crds.migration.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crds.migration.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.crds.migration.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.crds.migration.podAntiAffinity .Values.crds.migration.podAffinity .Values.crds.migration.nodeAffinity }}
affinity:
{{- with .Values.crds.migration.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crds.migration.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.crds.migration.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
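Review bot: The `kyverno.io` rule in the new ClusterRole grants `get`, `list` and `update` on resources `'*'`, which is wider than the three kinds listed by default in `crds.migration.resources` and lets the hook's ServiceAccount rewrite every Kyverno policy kind in the cluster. The `customresourcedefinitions/status` `update` rule is likewise unrestricted, so it applies to every CRD and not only Kyverno's. Both can be narrowed from the same values list, as sketched below: render the plural names into `resources` and add `resourceNames` to the status rule. The sketch assumes every entry has the form `<plural>.kyverno.io` and that the migrate command needs no other access, so confirm both. Scoping matters more here because the RBAC objects are hooks themselves: if the Job at weight 200 fails they may remain in the cluster until the next upgrade, which is worth checking against Helm's hook-deletion behaviour.

```yaml
rules:
  - apiGroups:
      - kyverno.io
    resources:
    {{- range .Values.crds.migration.resources }}
      - {{ splitList "." . | first }}
    {{- end }}
    verbs:
      - get
      - list
      - update
  # … unchanged: customresourcedefinitions get rule …
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions/status
    resourceNames:
    {{- range .Values.crds.migration.resources }}
      - {{ . | quote }}
    {{- end }}
    verbs:
      - update
```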


@ -1,15 +1,15 @@
{{- if .Values.webhooksCleanup.enabled -}} {{- if .Values.webhooksCleanup.enabled -}}
{{- if not .Values.templating.enabled -}} {{- if not .Values.templating.enabled -}}
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
name: {{ template "kyverno.fullname" . }}-hook-pre-delete name: {{ template "kyverno.fullname" . }}-scale-to-zero
namespace: {{ template "kyverno.namespace" . }} namespace: {{ template "kyverno.namespace" . }}
labels: labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }} {{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations: annotations:
"helm.sh/hook": pre-delete helm.sh/hook: pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
spec: spec:
backoffLimit: 2 backoffLimit: 2
template: template:
@ -68,5 +68,5 @@ spec:
{{- tpl (toYaml .) $ | nindent 10 }} {{- tpl (toYaml .) $ | nindent 10 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}


@ -69,6 +69,67 @@ crds:
# -- Additional CRDs labels # -- Additional CRDs labels
customLabels: {} customLabels: {}
migration:
# -- Enable CRDs migration using helm post upgrade hook
enabled: true
# -- Resources to migrate
resources:
- cleanuppolicies.kyverno.io
- clustercleanuppolicies.kyverno.io
- policyexceptions.kyverno.io
image:
# -- (string) Image registry
registry: ghcr.io
# -- (string) Image repository
repository: kyverno/kyverno-cli
# -- (string) Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: ~
# -- (string) Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Security context for the pod
podSecurityContext: {}
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Pod labels.
podLabels: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Security context for the hook containers
securityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# Configuration # Configuration
config: config:
@ -467,65 +528,6 @@ policyReportsCleanup:
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
crdsMigration:
# -- Create a helm post-upgrade hook to migrate the existing policy exceptions to the stored version
exceptions:
enabled: true
# -- Create a helm post-upgrade hook to migrate the existing cleanup policies to the stored version
cleanuppolicies:
enabled: true
image:
# -- (string) Image registry
registry: ghcr.io
# -- (string) Image repository
repository: kyverno/kyverno-cli
# -- (string) Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: ~
# -- (string) Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Security context for the pod
podSecurityContext: {}
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Pod labels.
podLabels: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Security context for the hook containers
securityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
grafana: grafana:
# -- Enable grafana dashboard creation. # -- Enable grafana dashboard creation.
enabled: false enabled: false
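Review bot: Moving the block from `crdsMigration` to `crds.migration` means overrides under the old key are no longer read by the templates shown in this commit, and as far as I know Helm accepts unknown values silently unless a values schema rejects them. An installation that had pointed `crdsMigration.image.registry` at an internal mirror, or had set `crdsMigration.exceptions.enabled=false`, would after upgrade run the hook from `ghcr.io` with migration enabled. A guard in one of the chart's templates would make that visible at upgrade time, for example `{{- if .Values.crdsMigration }}{{ fail "crdsMigration has moved to crds.migration" }}{{- end }}`. Whether the chart already has a validation template for this is not visible here.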


@ -49217,18 +49217,6 @@ rules:
- subjectaccessreviews - subjectaccessreviews
verbs: verbs:
- create - create
- apiGroups:
- kyverno.io
resources:
- policyexceptions
verbs:
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
- apiGroups: - apiGroups:
- '*' - '*'
resources: resources:
@ -49397,7 +49385,6 @@ rules:
verbs: verbs:
- list - list
- watch - watch
- update
- apiGroups: - apiGroups:
- kyverno.io - kyverno.io
resources: resources:
@ -49405,18 +49392,6 @@ rules:
- cleanuppolicies/status - cleanuppolicies/status
verbs: verbs:
- update - update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions/status
verbs:
- update
- apiGroups: - apiGroups:
- '' - ''
resources: resources: