mirror of
https://github.com/kyverno/kyverno.git
synced 2025-04-08 18:15:48 +00:00
fix: helm chart jobs (#9555)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
bf21328d39
commit
2f9951ed26
11 changed files with 33 additions and 41 deletions
|
|
@ -79,7 +79,7 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
- name: kyverno-pre
|
||||
image: {{ include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }}
|
||||
image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }}
|
||||
imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }}
|
||||
args:
|
||||
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride)
|
||||
|
|
@ -125,7 +125,7 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
- name: kyverno
|
||||
image: {{ include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }}
|
||||
args:
|
||||
- --caSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ spec:
|
|||
serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }}
|
||||
containers:
|
||||
- name: controller
|
||||
image: {{ include "kyverno.background-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
image: {{ include "kyverno.background-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
imagePullPolicy: {{ .Values.backgroundController.image.pullPolicy }}
|
||||
ports:
|
||||
- containerPort: 9443
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ spec:
|
|||
serviceAccountName: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
|
||||
containers:
|
||||
- name: controller
|
||||
image: {{ include "kyverno.cleanup-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
image: {{ include "kyverno.cleanup-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
imagePullPolicy: {{ .Values.cleanupController.image.pullPolicy }}
|
||||
ports:
|
||||
- containerPort: 9443
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ spec:
|
|||
failedJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.failure }}
|
||||
jobTemplate:
|
||||
spec:
|
||||
backoffLimit: 3
|
||||
template:
|
||||
metadata:
|
||||
{{- with .Values.cleanupJobs.admissionReports.podAnnotations }}
|
||||
|
|
@ -34,16 +35,17 @@ spec:
|
|||
{{- end }}
|
||||
containers:
|
||||
- name: cleanup
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.cleanupJobs.admissionReports.image)) | quote }}
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.admissionReports.image)) | quote }}
|
||||
imagePullPolicy: {{ .Values.cleanupJobs.admissionReports.image.pullPolicy }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
COUNT=$(kubectl get admissionreports.reports.kyverno.io -A | wc -l)
|
||||
set -euo pipefail
|
||||
COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
|
||||
if [ "$COUNT" -gt {{ .Values.cleanupJobs.admissionReports.threshold }} ]; then
|
||||
echo "too many reports found ($COUNT), cleaning up..."
|
||||
kubectl delete admissionreports.reports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
else
|
||||
echo "($COUNT) reports found, no clean up needed"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ spec:
|
|||
failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.failure }}
|
||||
jobTemplate:
|
||||
spec:
|
||||
backoffLimit: 3
|
||||
template:
|
||||
metadata:
|
||||
{{- with .Values.cleanupJobs.clusterAdmissionReports.podAnnotations }}
|
||||
|
|
@ -34,16 +35,17 @@ spec:
|
|||
{{- end }}
|
||||
containers:
|
||||
- name: cleanup
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.cleanupJobs.clusterAdmissionReports.image)) | quote }}
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.clusterAdmissionReports.image)) | quote }}
|
||||
imagePullPolicy: {{ .Values.cleanupJobs.clusterAdmissionReports.image.pullPolicy }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
COUNT=$(kubectl get clusteradmissionreports.reports.kyverno.io -A | wc -l)
|
||||
set -euo pipefail
|
||||
COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
|
||||
if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterAdmissionReports.threshold }} ]; then
|
||||
echo "too many reports found ($COUNT), cleaning up..."
|
||||
kubectl delete clusteradmissionreports.reports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
else
|
||||
echo "($COUNT) reports found, no clean up needed"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -14,12 +14,3 @@ rules:
|
|||
- list
|
||||
- deletecollection
|
||||
- delete
|
||||
- apiGroups:
|
||||
- reports.kyverno.io
|
||||
resources:
|
||||
- ephemeralreports
|
||||
- clusterephemeralreports
|
||||
verbs:
|
||||
- list
|
||||
- deletecollection
|
||||
- delete
|
||||
|
|
@ -27,12 +27,13 @@ spec:
|
|||
restartPolicy: Never
|
||||
containers:
|
||||
- name: kubectl
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }}
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }}
|
||||
imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
set -euo pipefail
|
||||
NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
|
||||
|
||||
for ns in ${NAMESPACES[@]};
|
||||
|
|
|
|||
|
|
@ -91,7 +91,7 @@ spec:
|
|||
restartPolicy: Never
|
||||
containers:
|
||||
- name: kubectl
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }}
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }}
|
||||
imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }}
|
||||
args:
|
||||
- migrate
|
||||
|
|
|
|||
|
|
@ -31,12 +31,13 @@ spec:
|
|||
{{- end }}
|
||||
containers:
|
||||
- name: kubectl
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }}
|
||||
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }}
|
||||
imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }}
|
||||
command:
|
||||
- sh
|
||||
- /bin/bash
|
||||
- '-c'
|
||||
- |-
|
||||
set -euo pipefail
|
||||
kubectl scale -n {{ template "kyverno.namespace" . }} deployment -l app.kubernetes.io/part-of={{ template "kyverno.fullname" . }} --replicas=0
|
||||
sleep 30
|
||||
kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ spec:
|
|||
serviceAccountName: {{ template "kyverno.reports-controller.serviceAccountName" . }}
|
||||
containers:
|
||||
- name: controller
|
||||
image: {{ include "kyverno.reports-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
image: {{ include "kyverno.reports-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
imagePullPolicy: {{ .Values.reportsController.image.pullPolicy }}
|
||||
ports:
|
||||
- containerPort: 9443
|
||||
|
|
|
|||
|
|
@ -50580,15 +50580,6 @@ rules:
|
|||
- list
|
||||
- deletecollection
|
||||
- delete
|
||||
- apiGroups:
|
||||
- reports.kyverno.io
|
||||
resources:
|
||||
- ephemeralreports
|
||||
- clusterephemeralreports
|
||||
verbs:
|
||||
- list
|
||||
- deletecollection
|
||||
- delete
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
|
|
@ -51976,6 +51967,7 @@ spec:
|
|||
failedJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
backoffLimit: 3
|
||||
template:
|
||||
metadata:
|
||||
spec:
|
||||
|
|
@ -51985,13 +51977,14 @@ spec:
|
|||
image: "bitnami/kubectl:1.28.5"
|
||||
imagePullPolicy:
|
||||
command:
|
||||
- /bin/sh
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
COUNT=$(kubectl get admissionreports.reports.kyverno.io -A | wc -l)
|
||||
set -euo pipefail
|
||||
COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
|
||||
if [ "$COUNT" -gt 10000 ]; then
|
||||
echo "too many reports found ($COUNT), cleaning up..."
|
||||
kubectl delete admissionreports.reports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
else
|
||||
echo "($COUNT) reports found, no clean up needed"
|
||||
fi
|
||||
|
|
@ -52024,6 +52017,7 @@ spec:
|
|||
failedJobsHistoryLimit: 1
|
||||
jobTemplate:
|
||||
spec:
|
||||
backoffLimit: 3
|
||||
template:
|
||||
metadata:
|
||||
spec:
|
||||
|
|
@ -52033,13 +52027,14 @@ spec:
|
|||
image: "bitnami/kubectl:1.28.5"
|
||||
imagePullPolicy:
|
||||
command:
|
||||
- /bin/sh
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
COUNT=$(kubectl get clusteradmissionreports.reports.kyverno.io -A | wc -l)
|
||||
set -euo pipefail
|
||||
COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
|
||||
if [ "$COUNT" -gt 10000 ]; then
|
||||
echo "too many reports found ($COUNT), cleaning up..."
|
||||
kubectl delete clusteradmissionreports.reports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
|
||||
else
|
||||
echo "($COUNT) reports found, no clean up needed"
|
||||
fi
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue