refactor: supress usage of kustomize in build (#5691)

* refactor: supress usage of kustomize in build (part 1) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * e2e Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * e2e Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * e2e Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * clean Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * labels Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * simplify templating flags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-12-19 16:26:07 +01:00 · 2022-12-19 16:26:07 +01:00 · 41fd4fb252
commit 41fd4fb252
parent 14d82cbf6d
58 changed files with 15413 additions and 66540 deletions
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -32,23 +32,18 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
-
      - name: Unshallow
        run: git fetch --prune --unshallow
-
      - name: Set up Go 
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: ~1.18.6
-
      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.5.0
-
      - name: Set up chart-testing
        uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1
-
      - name: Cache Go modules
        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # pin@v3
        with:
@ -58,22 +53,23 @@ jobs:
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
-
-      - name: Create dev images, kind cluster and setup kustomize
+      - name: Create kind cluster
        run: |
          export KIND_IMAGE=kindest/node:${{ matrix.k8s-version }}
-          make create-e2e-infrastructure
-
-      - name: e2e testing
+          make kind-create-cluster
+      - name: Build and load dev images in kind cluster
+        run: make kind-load-all
+      - name: Run e2e tests
        run: |
          echo ">>> Install Kyverno"
-          cat ${GITHUB_WORKSPACE}/config/install.yaml | \
-          sed -e 's/imagePullPolicy:.*$/imagePullPolicy: IfNotPresent/g' | \
-          kubectl create -f -
-          kubectl apply -f ${GITHUB_WORKSPACE}/config/github/rbac.yaml
+          make codegen-manifest-e2e
+          cat ${GITHUB_WORKSPACE}/.manifest/e2e.yaml \
+            | sed -e 's/imagePullPolicy:.*$/imagePullPolicy: IfNotPresent/g' \
+            | kubectl apply --server-side -f -
+          kubectl apply -f ${GITHUB_WORKSPACE}/config/e2e/rbac.yaml
+          echo ">>> Check kyverno"
          chmod a+x ${GITHUB_WORKSPACE}/scripts/verify-deployment.sh
          sleep 50
-          echo ">>> Check kyverno"
          kubectl get pods -n kyverno
          ${GITHUB_WORKSPACE}/scripts/verify-deployment.sh -n kyverno  kyverno
          sleep 20
@ -81,8 +77,8 @@ jobs:
          kubectl port-forward svc/kyverno-svc-metrics -n kyverno 8000:8000 &
          echo ">>> Run Kyverno e2e test"
          make test-e2e
-          kubectl delete -f ${GITHUB_WORKSPACE}/config/install.yaml
-
+          echo ">>> Cleanup"
+          kubectl delete -f ${GITHUB_WORKSPACE}/.manifest/e2e.yaml
      - name: Debug failure
        if: failure()
        run: |
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -135,13 +135,13 @@ jobs:
          cosign-release: 'v1.13.0'

      - name: Build yaml manifest
-        run: make codegen-release
+        run: make codegen-manifest-release

      - name: Upload yaml manifest
        uses: svenstaro/upload-release-action@133984371c30d34e38222a64855679a414cb7575 # pin@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: config/.release/install.yaml
+          file: .manifest/release.yaml
          asset_name: install.yaml
          tag: ${{ github.ref }}

@ -158,7 +158,7 @@ jobs:
        run: |
          set -e
          mkdir -p config/.release-manifests
-          cp config/.release/install.yaml config/.release-manifests/install.yaml
+          cp .manifest/release.yaml config/.release-manifests/install.yaml
          cd config/.release-manifests/ && \
          flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }} \
            --path="." \
--- a/.gitignore
+++ b/.gitignore
@ -15,3 +15,4 @@ cmd/cleanup-controller/cleanup-controller
 /config/.helm
 /config/.release
 .dist
+.manifest
--- a/147
+++ b/147
@ -50,8 +50,6 @@ GEN_CRD_API_REFERENCE_DOCS         := $(TOOLS_DIR)/gen-crd-api-reference-docs
 GEN_CRD_API_REFERENCE_DOCS_VERSION := latest
 GO_ACC                             := $(TOOLS_DIR)/go-acc
 GO_ACC_VERSION                     := latest
-KUSTOMIZE                          := $(TOOLS_DIR)/kustomize
-KUSTOMIZE_VERSION                  := latest
 GOIMPORTS                          := $(TOOLS_DIR)/goimports
 GOIMPORTS_VERSION                  := latest
 HELM                               := $(TOOLS_DIR)/helm
@ -62,7 +60,7 @@ KO                                 := $(TOOLS_DIR)/ko
 KO_VERSION                         := main #e93dbee8540f28c45ec9a2b8aec5ef8e43123966
 KUTTL                              := $(TOOLS_DIR)/kubectl-kuttl
 KUTTL_VERSION                      := v0.14.0
-TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(KUSTOMIZE) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
+TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
 ifeq ($(GOOS), darwin)
 SED                                := gsed
 else
@ -101,10 +99,6 @@ $(GO_ACC):
 	@echo Install go-acc... >&2
 	@GOBIN=$(TOOLS_DIR) go install github.com/ory/go-acc@$(GO_ACC_VERSION)

-$(KUSTOMIZE):
-	@echo Install kustomize... >&2
-	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kustomize/kustomize/v4@$(KUSTOMIZE_VERSION)
-
 $(GOIMPORTS):
 	@echo Install goimports... >&2
 	@GOBIN=$(TOOLS_DIR) go install golang.org/x/tools/cmd/goimports@$(GOIMPORTS_VERSION)
@ -315,6 +309,7 @@ INPUT_DIRS         := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1alpha2,
 CLIENTSET_PACKAGE  := $(OUT_PACKAGE)/clientset
 LISTERS_PACKAGE    := $(OUT_PACKAGE)/listers
 INFORMERS_PACKAGE  := $(OUT_PACKAGE)/informers
+CRDS_PATH          := ${PWD}/config/crds

 $(GOPATH_SHIM):
 	@echo Create gopath shim... >&2
@ -353,12 +348,12 @@ codegen-client-all: codegen-client-clientset codegen-client-listers codegen-clie
 .PHONY: codegen-crds-kyverno
 codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
 	@echo Generate kyverno crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=./config/crds
+	@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)

 .PHONY: codegen-crds-report
 codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
 	@echo Generate policy reports crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=./config/crds
+	@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)

 .PHONY: codegen-crds-all
 codegen-crds-all: codegen-crds-kyverno codegen-crds-report ## Generate all CRDs
@ -381,10 +376,10 @@ codegen-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) ## Generate API
 	@echo Generate api docs... >&2
 	@rm -rf docs/user/crd && mkdir -p docs/user/crd
 	@GOPATH=$(GOPATH_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) -v 4 \
-			-api-dir github.com/kyverno/kyverno/api \
-			-config docs/user/config.json \
-			-template-dir docs/user/template \
-			-out-file docs/user/crd/index.html
+		-api-dir github.com/kyverno/kyverno/api \
+		-config docs/user/config.json \
+		-template-dir docs/user/template \
+		-out-file docs/user/crd/index.html

 .PHONY: codegen-helm-docs
 codegen-helm-docs: ## Generate helm docs
@ -392,41 +387,84 @@ codegen-helm-docs: ## Generate helm docs
 	@docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file

 .PHONY: codegen-helm-crds
-codegen-helm-crds: $(KUSTOMIZE) codegen-crds-all ## Generate helm CRDs
-	@echo Create temp folder for kustomization... >&2
-	@mkdir -p config/.helm
-	@echo Create kustomization... >&2
-	@VERSION='"{{.Chart.AppVersion}}"' TOP_PATH=".." envsubst < config/templates/helm-labels.yaml.envsubst > config/.helm/labels.yaml
-	@VERSION=dummy TOP_PATH=".." envsubst < config/templates/kustomization.yaml.envsubst > config/.helm/kustomization.yaml
+codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
 	@echo Generate helm crds... >&2
-	@$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' -e '/^  creationTimestamp: null/i \ \ \ \ {{- with .Values.crds.annotations }}{{ toYaml . | nindent 4 }}{{ end }}' > ./charts/kyverno/templates/crds.yaml
+	@cat $(CRDS_PATH)/* \
+		| $(SED) -e '1i{{- if .Values.installCRDs }}' \
+		| $(SED) -e '$$a{{- end }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- with .Values.crds.annotations }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- toYaml . | nindent 4 }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- end }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/a \ \ \ \ {{- include "kyverno.crdLabels" . | nindent 4 }}' \
+ 		| $(SED) -e '/^  creationTimestamp: null/a \ \ labels:' \
+ 		| $(SED) -e '/^  creationTimestamp: null/d' \
+ 		> ./charts/kyverno/templates/crds.yaml

 .PHONY: codegen-helm-all
 codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs

-.PHONY: codegen-install
-codegen-install: $(KUSTOMIZE) ## Create install maifests
-	@echo Create kustomization... >&2
-	@VERSION=latest TOP_PATH="." envsubst < config/templates/labels.yaml.envsubst > config/labels.yaml
-	@VERSION=latest TOP_PATH="." envsubst < config/templates/kustomization.yaml.envsubst > config/kustomization.yaml
-	@echo Generate install.yaml... >&2
-	@$(KUSTOMIZE) build ./config > ./config/install.yaml
-	@echo Generate install_debug.yaml... >&2
-	@$(KUSTOMIZE) build ./config/debug > ./config/install_debug.yaml
+.PHONY: codegen-manifest-install
+codegen-manifest-install: $(HELM) ## Create install manifest
+	@echo Generate install manifest... >&2
+	@mkdir -p ./.manifest
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+		--set templating.enabled=true \
+		--set templating.version=latest \
+		--set cleanupController.image.tag=latest \
+		--set image.tag=latest \
+		--set initImage.tag=latest \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/install.yaml
+
+.PHONY: codegen-manifest-debug
+codegen-manifest-debug: $(HELM) ## Create debug manifest
+	@echo Generate debug manifest... >&2
+	@mkdir -p ./.manifest
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+		--set templating.enabled=true \
+		--set templating.version=latest \
+		--set templating.debug=true \
+		--set cleanupController.image.tag=latest \
+		--set image.tag=latest \
+		--set initImage.tag=latest \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/debug.yaml

 # guidance https://github.com/kyverno/kyverno/wiki/Generate-a-Release
-.PHONY: codegen-release
-codegen-release: codegen-install $(KUSTOMIZE) ## Create release maifests
-	@echo Create release folder... >&2
-	@mkdir -p config/.release
-	@echo Create kustomization... >&2
-	@VERSION=$(GIT_VERSION) TOP_PATH=".." envsubst < config/templates/labels.yaml.envsubst > config/.release/labels.yaml
-	@VERSION=$(GIT_VERSION) TOP_PATH=".." envsubst < config/templates/kustomization.yaml.envsubst > config/.release/kustomization.yaml
-	@echo Generate release manifests... >&2
-	@$(KUSTOMIZE) build ./config/.release > ./config/.release/install.yaml
+.PHONY: codegen-manifest-release
+codegen-manifest-release: $(HELM) ## Create release manifest
+	@echo Generate release manifest... >&2
+	@mkdir -p ./.manifest
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+		--set templating.enabled=true \
+		--set templating.version=$(GIT_VERSION) \
+		--set cleanupController.image.tag=$(GIT_VERSION) \
+		--set image.tag=$(GIT_VERSION) \
+		--set initImage.tag=$(GIT_VERSION) \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/release.yaml
+
+.PHONY: codegen-manifest-e2e
+codegen-manifest-e2e: $(HELM) ## Create e2e manifest
+	@echo Create e2e manifest... >&2
+	@mkdir -p ./.manifest
+	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+		--set templating.enabled=true \
+		--set templating.version=$(IMAGE_TAG_DEV) \
+		--set cleanupController.image.repository=$(LOCAL_CLEANUP_IMAGE) \
+		--set cleanupController.image.tag=$(IMAGE_TAG_DEV) \
+		--set image.repository=$(LOCAL_KYVERNO_IMAGE) \
+		--set image.tag=$(IMAGE_TAG_DEV) \
+		--set initImage.repository=$(LOCAL_KYVERNOPRE_IMAGE) \
+		--set initImage.tag=$(IMAGE_TAG_DEV) \
+ 		| $(SED) -e '/^#.*/d' \
+		> ./.manifest/e2e.yaml
+
+.PHONY: codegen-manifest-all
+codegen-manifest-all: codegen-manifest-install codegen-manifest-debug codegen-manifest-release codegen-manifest-e2e ## Create all manifests

 .PHONY: codegen-quick
-codegen-quick: codegen-deepcopy-all codegen-crds-all codegen-api-docs codegen-helm-all codegen-install codegen-release ## Generate all generated code except client
+codegen-quick: codegen-deepcopy-all codegen-crds-all codegen-api-docs codegen-helm-all codegen-manifest-all ## Generate all generated code except client

 .PHONY: codegen-slow
 codegen-slow: codegen-client-all ## Generate client code
@ -450,10 +488,10 @@ codegen-all: codegen-quick codegen-slow ## Generate all generated code
 .PHONY: verify-crds
 verify-crds: codegen-crds-all ## Check CRDs are up to date
 	@echo Checking crds are up to date... >&2
-	@git --no-pager diff config
+	@git --no-pager diff $(CRDS_PATH)
 	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-crds-all".' >&2
 	@echo 'To correct this, locally run "make codegen-crds-all", commit the changes, and re-run tests.' >&2
-	@git diff --quiet --exit-code config
+	@git diff --quiet --exit-code $(CRDS_PATH)

 .PHONY: verify-client
 verify-client: codegen-client-all ## Check client is up to date
@ -578,33 +616,6 @@ test-cli-test-case-selector-flag: $(CLI_BIN)
 test-cli-registry: $(CLI_BIN)
 	@$(CLI_BIN) test ./test/cli/registry --registry

-##################################
-# Create e2e Infrastructure
-##################################
-
-.PHONY: kind-e2e-cluster
-kind-e2e-cluster: $(KIND) ## Create kind cluster for e2e tests
-	$(KIND) create cluster --image=$(KIND_IMAGE)
-
-# TODO(eddycharly): $(REPO) is wrong, it is always ghcr.io/kyverno in the source
-.PHONY: e2e-kustomize
-e2e-kustomize: $(KUSTOMIZE) ## Build kustomize manifests for e2e tests
-	cd config && \
-	$(KUSTOMIZE) edit set image $(REPO_KYVERNOPRE)=$(LOCAL_KYVERNOPRE_IMAGE):$(IMAGE_TAG_DEV) && \
-	$(KUSTOMIZE) edit set image $(REPO_KYVERNO)=$(LOCAL_KYVERNO_IMAGE):$(IMAGE_TAG_DEV)
-	$(KUSTOMIZE) build config/ -o config/install.yaml
-
-.PHONY: e2e-init-container
-e2e-init-container: kind-e2e-cluster | image-build-kyvernopre
-	$(KIND) load docker-image $(LOCAL_KYVERNOPRE_IMAGE):$(IMAGE_TAG_DEV)
-
-.PHONY: e2e-kyverno-container
-e2e-kyverno-container: kind-e2e-cluster | image-build-kyverno
-	$(KIND) load docker-image $(LOCAL_KYVERNO_IMAGE):$(IMAGE_TAG_DEV)
-
-.PHONY: create-e2e-infrastructure
-create-e2e-infrastructure: e2e-init-container e2e-kyverno-container e2e-kustomize | ## Setup infrastructure for e2e tests
-
 ##################################
 # Testing & Code-Coverage
 ##################################
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@ -28,14 +28,51 @@ If release name contains chart name it will be used as a full name.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

+{{/* Helm labels */}}
+{{- define "kyverno.helmLabels" -}}
+{{- if not .Values.templating.enabled -}}
+helm.sh/chart: {{ template "kyverno.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- end -}}
+
+{{/* Version labels */}}
+{{- define "kyverno.versionLabels" -}}
+{{- if .Values.templating.enabled -}}
+app.kubernetes.io/version: {{ required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" }}
+{{- else -}}
+app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" }}
+{{- end -}}
+{{- end -}}
+
+{{/* CRD labels */}}
+{{- define "kyverno.crdLabels" -}}
+app.kubernetes.io/component: kyverno
+{{- with (include "kyverno.helmLabels" .) }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.matchLabels" .) }}
+{{ . }}
+{{- end }}
+app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
+{{- with (include "kyverno.versionLabels" .) }}
+{{ . }}
+{{- end }}
+{{- end -}}
+
 {{/* Helm required labels */}}
 {{- define "kyverno.labels" -}}
-helm.sh/chart: {{ template "kyverno.chart" . }}
-{{ include "kyverno.matchLabels" . }}
 app.kubernetes.io/component: kyverno
-app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with (include "kyverno.helmLabels" .) }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.matchLabels" .) }}
+{{ . }}
+{{- end }}
 app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
-app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
+{{- with (include "kyverno.versionLabels" .) }}
+{{ . }}
+{{- end }}
 {{- if .Values.customLabels }}
 {{ toYaml .Values.customLabels }}
 {{- end }}
@ -43,19 +80,24 @@ app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"

 {{/* Helm required labels */}}
 {{- define "kyverno.test-labels" -}}
+{{- with (include "kyverno.helmLabels" .) }}
+{{ . }}
+{{- end }}
+app: kyverno
 app.kubernetes.io/component: kyverno
 app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: {{ template "kyverno.name" . }}-test
 app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
 app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
-helm.sh/chart: {{ template "kyverno.chart" . }}
 {{- end -}}

 {{/* matchLabels */}}
 {{- define "kyverno.matchLabels" -}}
+app: kyverno
 app.kubernetes.io/name: {{ template "kyverno.name" . }}
+{{- if not .Values.templating.enabled }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
 {{- end -}}

 {{/* Get the config map name. */}}
--- a/charts/kyverno/templates/aggregateroles.yaml
+++ b/charts/kyverno/templates/aggregateroles.yaml
@ -3,9 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:admin-policies
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
+  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
  - kyverno.io
@ -24,10 +24,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
  name: {{ template "kyverno.fullname" . }}:admin-policyreport
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
  - apiGroups:
      - wgpolicyk8s.io
@ -46,10 +46,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
  name: {{ template "kyverno.fullname" . }}:admin-reports
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
    - kyverno.io
@ -70,10 +70,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
  name: {{ template "kyverno.fullname" . }}:admin-generaterequest
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
  - kyverno.io
@ -91,10 +91,10 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app: kyverno
  name: {{ template "kyverno.fullname" . }}:admin-updaterequest
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
  - kyverno.io
--- a/charts/kyverno/templates/cleanup-controller/_helpers.tpl
+++ b/charts/kyverno/templates/cleanup-controller/_helpers.tpl
@ -5,11 +5,16 @@
 {{- end -}}

 {{- define "kyverno.cleanup-controller.labels" -}}
-{{- include "kyverno.cleanup-controller.matchLabels" . }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
-app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
-helm.sh/chart: {{ template "kyverno.chart" . }}
+{{- with (include "kyverno.helmLabels" .) }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.versionLabels" .) }}
+{{ . }}
+{{- end }}
+{{- with (include "kyverno.cleanup-controller.matchLabels" .) }}
+{{ . }}
+{{- end }}
 {{- end -}}

 {{- define "kyverno.cleanup-controller.matchLabels" -}}
--- a/charts/kyverno/templates/cleanup-controller/deployment.yaml
+++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml
@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+{{- if not .Values.templating.debug -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -7,7 +8,9 @@ metadata:
    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
  namespace: {{ template "kyverno.namespace" . }}
 spec:
-  replicas: {{ .Values.cleanupController.replicas }}
+  {{- with .Values.cleanupController.replicas }}
+  replicas: {{ . }}
+  {{- end }}
  {{- with .Values.cleanupController.updateStrategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
@ -133,3 +136,4 @@ spec:
            {{- tpl (toYaml .) $ | nindent 12 }}
          {{- end }}
 {{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/clusterrole.yaml
+++ b/charts/kyverno/templates/clusterrole.yaml
@ -3,8 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
@ -14,26 +14,26 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:userinfo
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - "rbac.authorization.k8s.io"
+    - rbac.authorization.k8s.io
  resources:
-  - roles
-  - clusterroles
-  - rolebindings
-  - clusterrolebindings
+    - roles
+    - clusterroles
+    - rolebindings
+    - clusterrolebindings
  verbs:
-  - watch
-  - list
+    - watch
+    - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:policies
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
    - kyverno.io
@ -60,29 +60,28 @@ rules:
    - watch
    - deletecollection
 - apiGroups:
-  - wgpolicyk8s.io
+    - wgpolicyk8s.io
  resources:
-  - policyreports
-  - policyreports/status
-  - clusterpolicyreports
-  - clusterpolicyreports/status
+    - policyreports
+    - policyreports/status
+    - clusterpolicyreports
+    - clusterpolicyreports/status
  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - deletecollection
-
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+    - deletecollection
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:view
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
  - '*'
@ -97,8 +96,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:generate
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
  - apiGroups:
      - networking.k8s.io
@ -112,7 +111,7 @@ rules:
      - patch
      - delete
  - apiGroups:
-      - ""
+      - ''
    resources:
      - namespaces
      - configmaps
@ -136,7 +135,7 @@ rules:
      - delete
  {{- if .Values.generatecontrollerExtraResources }}
  - apiGroups:
-      - "*"
+      - '*'
    resources:
    {{- range .Values.generatecontrollerExtraResources }}
      - {{ . }}
@ -151,11 +150,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:events
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - "*"
+  - ''
+  - events.k8s.io
  resources:
  - events
  verbs:
@ -168,11 +168,11 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: {{ template "kyverno.fullname" . }}:webhook
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - 'admissionregistration.k8s.io'
+  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
@ -184,5 +184,4 @@ rules:
  - patch
  - update
  - watch
-
 {{- end }}
--- a/charts/kyverno/templates/clusterrolebinding.yaml
+++ b/charts/kyverno/templates/clusterrolebinding.yaml
@ -3,8 +3,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ template "kyverno.fullname" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
--- a/charts/kyverno/templates/configmap.yaml
+++ b/charts/kyverno/templates/configmap.yaml
@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  {{- with .Values.config.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@ -1,22 +1,26 @@
+{{- if not .Values.templating.debug -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "kyverno.fullname" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  namespace: {{ template "kyverno.namespace" . }}
 spec:
-  replicas: {{ .Values.replicaCount }}
+  {{- with .Values.replicaCount }}
+  replicas: {{ . }}
+  {{- end }}
  selector:
-    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
+    matchLabels:
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
  {{- if .Values.updateStrategy }}
  strategy:
    {{ toYaml .Values.updateStrategy | nindent 4 | trim }}
  {{- end }}
  template:
    metadata:
-      labels: {{ include "kyverno.labels" . | nindent 8 }}
-        app: kyverno
+      labels:
+        {{- include "kyverno.labels" . | nindent 8 }}
        {{- range $key, $value := .Values.podLabels }}
        {{ $key }}: {{ $value }}
        {{- end }}
@ -167,3 +171,4 @@ spec:
      volumes:
      - name: sigstore
        emptyDir: {}
+{{- end -}}
--- a/charts/kyverno/templates/helm-pre-delete-hook.yaml
+++ b/charts/kyverno/templates/helm-pre-delete-hook.yaml
@ -3,8 +3,8 @@ apiVersion: batch/v1
 kind: Job
 metadata:
  name: {{ template "kyverno.fullname" . }}-hook-pre-delete
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
--- a/charts/kyverno/templates/imagepullsecret.yaml
+++ b/charts/kyverno/templates/imagepullsecret.yaml
@ -3,10 +3,10 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  labels: {{ include "kyverno.labels" $ | nindent 4 }}
-    app: kyverno
  name: {{ $name }}
  namespace: {{ template "kyverno.namespace" $ }}
+  labels:
+    {{- include "kyverno.labels" $ | nindent 4 }}
 type: kubernetes.io/dockerconfigjson
 data:
  .dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }}
--- a/charts/kyverno/templates/metricsconfigmap.yaml
+++ b/charts/kyverno/templates/metricsconfigmap.yaml
@ -2,8 +2,8 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  {{- with .Values.config.metricsConfig.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
--- a/charts/kyverno/templates/namespace.yaml
+++ b/charts/kyverno/templates/namespace.yaml
@ -0,0 +1,8 @@
+{{- if .Values.templating.enabled -}}
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
+  name: {{ template "kyverno.fullname" . }}
+{{- end -}}
--- a/charts/kyverno/templates/networkpolicy.yaml
+++ b/charts/kyverno/templates/networkpolicy.yaml
@ -2,14 +2,14 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  name: {{ template "kyverno.fullname" . }}
  namespace: {{ template "kyverno.namespace" . }}
 spec:
  podSelector:
    matchLabels:
-      app: kyverno
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
  policyTypes:
  - Ingress
  {{- if .Values.networkPolicy.ingressFrom }}
--- a/charts/kyverno/templates/poddisruptionbudget.yaml
+++ b/charts/kyverno/templates/poddisruptionbudget.yaml
@ -9,11 +9,10 @@ metadata:
  name: {{ template "kyverno.fullname" . }}
  labels:
    {{- include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
  namespace: {{ template "kyverno.namespace" . }}
 spec:
  {{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }}
  selector:
-    matchLabels:  {{ include "kyverno.matchLabels" . | nindent 6 }}
-      app: kyverno
+    matchLabels:
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
 {{- end }}
--- a/charts/kyverno/templates/role.yaml
+++ b/charts/kyverno/templates/role.yaml
@ -4,19 +4,19 @@ kind: Role
 metadata:
  name: {{ template "kyverno.fullname" . }}:leaderelection
  namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - coordination.k8s.io
+    - coordination.k8s.io
  resources:
-  - leases
+    - leases
  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
+    - create
+    - delete
+    - get
+    - patch
+    - update
 # Allow update of Kyverno deployment annotations
 - apiGroups:
    - apps
--- a/charts/kyverno/templates/rolebinding.yaml
+++ b/charts/kyverno/templates/rolebinding.yaml
@ -4,8 +4,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ template "kyverno.fullname" . }}:leaderelection
  namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
--- a/charts/kyverno/templates/secret.yaml
+++ b/charts/kyverno/templates/secret.yaml
@ -7,8 +7,8 @@ kind: Secret
 metadata:
  name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
  namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 type: kubernetes.io/tls
 data:
  tls.key: {{ $ca.Key | b64enc }}
@ -19,8 +19,8 @@ kind: Secret
 metadata:
  name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
  namespace: {{ template "kyverno.namespace" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  annotations:
    self-signed-cert: "true"
 type: kubernetes.io/tls
--- a/charts/kyverno/templates/service.yaml
+++ b/charts/kyverno/templates/service.yaml
@ -2,8 +2,8 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "kyverno.serviceName" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  namespace: {{ template "kyverno.namespace" . }}
  {{- with .Values.service.annotations }}
  annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@ -17,8 +17,8 @@ spec:
    {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
    nodePort: {{ .Values.service.nodePort }}
    {{- end }}
-  selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
-    app: kyverno
+  selector:
+    {{- include "kyverno.matchLabels" . | nindent 4 }}
  type: {{ .Values.service.type }}
 ---
 {{- if .Values.metricsService.create }}
@ -26,8 +26,8 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "kyverno.serviceName" . }}-metrics
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  namespace: {{ template "kyverno.namespace" . }}
  {{- with .Values.metricsService.annotations }}
  annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@ -41,7 +41,7 @@ spec:
    {{- if and (eq .Values.metricsService.type "NodePort") (not (empty .Values.metricsService.nodePort)) }}
    nodePort: {{ .Values.metricsService.nodePort }}
    {{- end }}
-  selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
-    app: kyverno
+  selector:
+    {{- include "kyverno.matchLabels" . | nindent 4 }}
  type: {{ .Values.metricsService.type }}
-  {{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/serviceaccount.yaml
+++ b/charts/kyverno/templates/serviceaccount.yaml
@ -3,8 +3,8 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ template "kyverno.serviceAccountName" . }}
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
  {{- if .Values.rbac.serviceAccount.annotations }}
  annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
  {{- end }}
--- a/charts/kyverno/templates/servicemonitor.yaml
+++ b/charts/kyverno/templates/servicemonitor.yaml
@ -2,8 +2,8 @@
 apiVersion: "monitoring.coreos.com/v1"
 kind: ServiceMonitor
 metadata:
-  labels: {{ include "kyverno.labels" . | nindent 4 }}
-    app: kyverno
+  labels:
+    {{- include "kyverno.labels" . | nindent 4 }}
 {{- if .Values.serviceMonitor.additionalLabels }}
 {{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
 {{- end }}
@ -15,8 +15,8 @@ metadata:
 {{- end }}
 spec:
  selector:
-    matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
-      app: kyverno
+    matchLabels:
+      {{- include "kyverno.matchLabels" . | nindent 6 }}
  namespaceSelector:
    matchNames:
    - {{ template "kyverno.namespace" . }}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -1,3 +1,10 @@
+# -- Internal settings used with `helm template` to generate install manifest
+# @ignored
+templating:
+  enabled: false
+  debug: false
+  version:
+
 # -- Override the name of the chart
 nameOverride:

--- a/config/bundle/kustomization.yaml
+++ b/config/bundle/kustomization.yaml
@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kyverno
-
-transformers:
-  - labels.yaml
-
-resources:
- ../crds/
- ../manifest/
- ../k8s-resource/
- namespace.yaml
--- a/config/bundle/labels.yaml
+++ b/config/bundle/labels.yaml
@ -1,16 +0,0 @@
---
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/component: kyverno
-  app.kubernetes.io/instance: kyverno
-  app.kubernetes.io/name: kyverno
-  app.kubernetes.io/part-of: kyverno
-fieldSpecs:
- path: metadata/labels
-  create: true
- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true
--- a/config/bundle/namespace.yaml
+++ b/config/bundle/namespace.yaml
@ -1,7 +0,0 @@
---
-kind: Namespace
-apiVersion: v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno
--- a/config/crds/kustomization.yaml
+++ b/config/crds/kustomization.yaml
@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- ./kyverno.io_admissionreports.yaml
- ./kyverno.io_backgroundscanreports.yaml
- ./kyverno.io_cleanuppolicies.yaml
- ./kyverno.io_clusteradmissionreports.yaml
- ./kyverno.io_clusterbackgroundscanreports.yaml
- ./kyverno.io_clustercleanuppolicies.yaml
- ./kyverno.io_clusterpolicies.yaml
- ./kyverno.io_generaterequests.yaml
- ./kyverno.io_policies.yaml
- ./kyverno.io_policyexceptions.yaml
- ./kyverno.io_updaterequests.yaml
- ./wgpolicyk8s.io_clusterpolicyreports.yaml
- ./wgpolicyk8s.io_policyreports.yaml
--- a/config/debug/kustomization.yaml
+++ b/config/debug/kustomization.yaml
@ -1,12 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: kyverno
-
-transformers:
-  - labels.yaml
-  
-resources:
- ../crds/
- ../k8s-resource/
- namespace.yaml
--- a/config/debug/labels.yaml
+++ b/config/debug/labels.yaml
@ -1,16 +0,0 @@
---
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/component: kyverno
-  app.kubernetes.io/instance: kyverno
-  app.kubernetes.io/name: kyverno
-  app.kubernetes.io/part-of: kyverno
-fieldSpecs:
- path: metadata/labels
-  create: true
- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true
--- a/config/debug/namespace.yaml
+++ b/config/debug/namespace.yaml
@ -1,7 +0,0 @@
---
-kind: Namespace
-apiVersion: v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno
--- a/config/dryrun/dryrun_config.yaml
+++ b/config/dryrun/dryrun_config.yaml
@ -1,87 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  labels:
-    app: kyverno
-    app.kubernetes.io/component: kyverno
-    app.kubernetes.io/instance: kyverno
-    app.kubernetes.io/name: kyverno
-    app.kubernetes.io/part-of: kyverno
-    app.kubernetes.io/version: latest
-  name: kyverno-dryrun
---
-# Additional permission is required to enable DryRun.
-# If using DryRun to validate yaml, please deploy this Role/RoleBinding.
-# If validating custom resources with DryRun, please add the resources to the role.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: manifest-verify-dry-run
-  namespace: kyverno-dryrun
-rules:
- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles
-  - rolebindings
-  verbs:
-  - create
- apiGroups:
-  - ""
-  resources:
-  - bindings
-  - configmaps
-  - limitranges
-  - persistentvolumeclaims
-  - pods
-  - podtemplates
-  - replicationcontrollers
-  - resourcequotas
-  - secrets
-  - serviceaccounts
-  - services
-  verbs:
-  - create
- apiGroups:
-  - apps
-  resources:
-  - controllerrevisions
-  - daemonsets
-  - deployments
-  - replicasets
-  - statefulsets
-  verbs:
-  - create 
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - networkpolicies
-  - ingresses
-  verbs:
-  - create
- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
- apiGroups:
-  - storage.k8s.io
-  resources:
-  - csistoragecapacities
-  verbs:
-  - create
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: manifest-verify-dry-run
-  namespace: kyverno-dryrun
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: manifest-verify-dry-run
-subjects:
- kind: ServiceAccount
-  name: kyverno-service-account
-  namespace: kyverno
--- a/config/github/rbac.yaml
+++ b/config/github/rbac.yaml
@ -4,9 +4,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: kyverno:test-e2e
+  labels:
+    app: kyverno
+    app.kubernetes.io/name: kyverno
 rules:
  - apiGroups:
-      - "*"
+      - '*'
    resources:
      - clusterroles
      - rolebindings
@ -22,19 +25,3 @@ rules:
      - patch
      - update
      - watch
---
-# This role binding is required for e2e tests that generate and update a ClusterRole.
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:test-e2e
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kyverno:test-e2e
-subjects:
-  - kind: ServiceAccount
-    name: kyverno-service-account
-    namespace: kyverno
--- a/config/install.yaml
+++ b/config/install.yaml
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
--- a/config/k8s-resource/aggregateroles.yaml
+++ b/config/k8s-resource/aggregateroles.yaml
@ -1,110 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-policies
-rules:
- apiGroups:
-  - kyverno.io
-  resources:
-  - policies
-  - clusterpolicies
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-policyreport
-rules:
-  - apiGroups:
-      - wgpolicyk8s.io
-    resources:
-      - policyreports
-      - clusterpolicyreports
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-reports
-rules:
- apiGroups:
-    - kyverno.io
-  resources:
-    - admissionreports
-    - clusteradmissionreports
-    - backgroundscanreports
-    - clusterbackgroundscanreports
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-generaterequest
-rules:
- apiGroups:
-  - kyverno.io
-  resources:
-  - generaterequests
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: kyverno:admin-updaterequest
-rules:
- apiGroups:
-  - kyverno.io
-  resources:
-  - updaterequests
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
--- a/config/k8s-resource/clusterrolebindings.yaml
+++ b/config/k8s-resource/clusterrolebindings.yaml
@ -1,14 +0,0 @@
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kyverno
-subjects:
- kind: ServiceAccount
-  name: kyverno-service-account
--- a/config/k8s-resource/clusterroles.yaml
+++ b/config/k8s-resource/clusterroles.yaml
@ -1,174 +0,0 @@
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kyverno
-  labels:
-    app: kyverno
-aggregationRule:
-  clusterRoleSelectors:
-  - matchLabels:
-      app: kyverno
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:policies
-rules:
- apiGroups:
-  - kyverno.io
-  resources:
-  - policies
-  - policies/status
-  - clusterpolicies
-  - clusterpolicies/status
-  - generaterequests
-  - generaterequests/status
-  - updaterequests
-  - updaterequests/status
-  - admissionreports
-  - clusteradmissionreports
-  - backgroundscanreports
-  - clusterbackgroundscanreports
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - deletecollection
- apiGroups:
-  - wgpolicyk8s.io
-  resources:
-  - policyreports
-  - policyreports/status
-  - clusterpolicyreports
-  - clusterpolicyreports/status
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - deletecollection
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:view
-rules:
- apiGroups:
-  - '*'
-  resources:
-  - '*'
-  verbs:
-  - get
-  - list
-  - watch
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:generate
-rules:
- apiGroups:
-  - networking.k8s.io
-  resources:
-  - ingresses
-  - ingressclasses
-  - networkpolicies
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  - configmaps
-  - secrets
-  - resourcequotas
-  - limitranges
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - rolebindings
-  - roles
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:events
-rules:
- apiGroups:
-  - ""
-  - events.k8s.io
-  resources:
-  - events
-  verbs:
-  - create
-  - update
-  - patch 
-  - delete
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:userinfo
-rules:
- apiGroups:
-  - "rbac.authorization.k8s.io"
-  resources:
-  - roles
-  - clusterroles
-  - rolebindings
-  - clusterrolebindings
-  verbs:
-  - watch
-  - list
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno:webhook
-rules:
- apiGroups:
-  - 'admissionregistration.k8s.io'
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
--- a/config/k8s-resource/configmap.yaml
+++ b/config/k8s-resource/configmap.yaml
@ -1,30 +0,0 @@
-apiVersion: v1
-data:
-  resourceFilters: >
-    [Event,*,*]
-    [*,kube-system,*]
-    [*,kube-public,*]
-    [*,kube-node-lease,*]
-    [*,kyverno,*]
-    [Node,*,*]
-    [APIService,*,*]
-    [TokenReview,*,*]
-    [SubjectAccessReview,*,*]
-    [SelfSubjectAccessReview,*,*]
-    [*,kyverno,kyverno*]
-    [Binding,*,*]
-    [ReplicaSet,*,*]
-    [AdmissionReport,*,*]
-    [ClusterAdmissionReport,*,*]
-    [BackgroundScanReport,*,*]
-    [ClusterBackgroundScanReport,*,*]
-    [PolicyReport,*,*]
-    [ClusterPolicyReport,*,*]
-  webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
-  excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
-  generateSuccessEvents: 'false'
-kind: ConfigMap
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno
--- a/config/k8s-resource/kustomization.yaml
+++ b/config/k8s-resource/kustomization.yaml
@ -1,13 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- ./clusterroles.yaml
- ./clusterrolebindings.yaml
- ./roles.yaml
- ./rolebindings.yaml
- ./aggregateroles.yaml
- ./configmap.yaml
- ./metricsconfigmap.yaml
- ./service.yaml
- ./serviceaccount.yaml
--- a/config/k8s-resource/metricsconfigmap.yaml
+++ b/config/k8s-resource/metricsconfigmap.yaml
@ -1,10 +0,0 @@
-apiVersion: v1
-data:
-  metricsRefreshInterval: 24h
-  namespaces: '{"exclude":[],"include":[]}'
-kind: ConfigMap
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-metrics
-  namespace: kyverno
--- a/config/k8s-resource/poddisruptionbudget.yaml
+++ b/config/k8s-resource/poddisruptionbudget.yaml
@ -1,13 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
-  name: kyverno
-  labels:
-    app: kyverno
-spec:  
-  minAvailable: 0
-  selector:
-    matchLabels:  
-      app: kyverno
-      # do not remove
-      app.kubernetes.io/name: kyverno
--- a/config/k8s-resource/rolebindings.yaml
+++ b/config/k8s-resource/rolebindings.yaml
@ -1,14 +0,0 @@
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kyverno:leaderelection
-  labels:
-    app: kyverno
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kyverno:leaderelection
-subjects:
- kind: ServiceAccount
-  name: kyverno-service-account
--- a/config/k8s-resource/roles.yaml
+++ b/config/k8s-resource/roles.yaml
@ -1,30 +0,0 @@
---
-# Dynamic management of leader election leases
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: kyverno:leaderelection
-  labels:
-    app: kyverno
-rules:
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - delete
-  - get
-  - patch
-  - update
-# Allow update of Kyverno deployment annotations
- apiGroups:
-    - apps
-  resources:
-    - deployments
-  verbs:
-    - get
-    - list
-    - patch
-    - update
-    - watch
--- a/config/k8s-resource/service.yaml
+++ b/config/k8s-resource/service.yaml
@ -1,32 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-svc
-spec:
-  ports:
-  - port: 443
-    name: https
-    targetPort: https
-  selector:
-    app: kyverno
-    # do not remove
-    app.kubernetes.io/name: kyverno
---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-svc-metrics
-spec:
-  ports:
-  - port: 8000
-    name: metrics-port
-    targetPort: metrics-port
-  selector:
-    app: kyverno
-    # do not remove
-    app.kubernetes.io/name: kyverno
--- a/config/k8s-resource/serviceaccount.yaml
+++ b/config/k8s-resource/serviceaccount.yaml
@ -1,7 +0,0 @@
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: kyverno
-  name: kyverno-service-account
--- a/config/kustomization.yaml
+++ b/config/kustomization.yaml
@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- ./bundle/
-
-transformers:
- labels.yaml
-
-images:
- name: ghcr.io/kyverno/kyverno
-  newTag: latest
- name: ghcr.io/kyverno/kyvernopre
-  newTag: latest
--- a/config/labels.yaml
+++ b/config/labels.yaml
@ -1,13 +0,0 @@
---
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/version: latest
-fieldSpecs:
- path: metadata/labels
-  create: true
- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true
--- a/config/manifest/deployment.yaml
+++ b/config/manifest/deployment.yaml
@ -1,162 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: kyverno
-    # do not remove
-    app.kubernetes.io/name: kyverno
-  name: kyverno
-spec:
-  selector:
-    matchLabels:
-      app: kyverno
-      # do not remove
-      app.kubernetes.io/name: kyverno
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: kyverno
-        # do not remove
-        app.kubernetes.io/name: kyverno
-    spec:
-      volumes:
-        - name: sigstore
-          emptyDir: {}
-      affinity:
-        podAntiAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 1
-            podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                - key: app.kubernetes.io/name
-                  operator: In
-                  values:
-                  - kyverno
-              topologyKey: "kubernetes.io/hostname"
-      serviceAccountName: kyverno-service-account
-      securityContext:
-        runAsNonRoot: true
-      initContainers:
-        - name: kyverno-pre
-          image: ghcr.io/kyverno/kyvernopre:latest
-          imagePullPolicy: Always
-          resources:
-            limits:
-              cpu: 100m
-              memory: 256Mi
-            requests:
-              cpu: 10m
-              memory: 64Mi
-          securityContext:
-            runAsNonRoot: true
-            privileged: false
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
-            seccompProfile:
-              type: RuntimeDefault
-          env:
-            - name: METRICS_CONFIG
-              value: kyverno-metrics
-            - name: KYVERNO_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: KYVERNO_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-      containers:
-        - name: kyverno
-          image: ghcr.io/kyverno/kyverno:latest
-          imagePullPolicy: Always
-          args:
-          # customize webhook timeout
-          #- "--webhookTimeout=4"
-          # enable profiling
-          # - "--profile"
-          # configure the workers for generate controller
-          # - --genWorkers=20
-          - "-v=2"
-          ports:
-            - containerPort: 9443
-              name: https
-              protocol: TCP
-            - containerPort: 8000
-              name: metrics-port
-              protocol: TCP
-          env:
-            - name: INIT_CONFIG
-              value: kyverno
-            - name: METRICS_CONFIG
-              value: kyverno-metrics
-            - name: KYVERNO_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: KYVERNO_POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: KYVERNO_SVC
-              value: kyverno-svc
-            - name: TUF_ROOT
-              value: /.sigstore
-          securityContext:
-            runAsNonRoot: true
-            privileged: false
-            allowPrivilegeEscalation: false
-            readOnlyRootFilesystem: true
-            capabilities:
-              drop:
-                - ALL
-            seccompProfile:
-              type: RuntimeDefault
-          resources:
-            requests:
-              memory: 128Mi
-              cpu: 100m
-            limits:
-              memory: 384Mi
-          startupProbe:
-            httpGet:
-              path: /health/liveness
-              port: 9443
-              scheme: HTTPS
-            failureThreshold: 20
-            initialDelaySeconds: 2
-            periodSeconds: 6
-          livenessProbe:
-            httpGet:
-              path: /health/liveness
-              port: 9443
-              scheme: HTTPS
-            initialDelaySeconds: 15
-            periodSeconds: 30
-            timeoutSeconds: 5
-            failureThreshold: 2
-            successThreshold: 1
-          readinessProbe:
-            httpGet:
-              path: /health/readiness
-              port: 9443
-              scheme: HTTPS
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 4
-            successThreshold: 1
-          # Failing to provide a writable $TUF_ROOT can cause TUF client initialization to panic
-          volumeMounts:
-          - mountPath: /.sigstore
-            name: sigstore
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 40%
-      maxSurge: 1
--- a/config/manifest/kustomization.yaml
+++ b/config/manifest/kustomization.yaml
@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- ./deployment.yaml
--- a/config/templates/helm-labels.yaml.envsubst
+++ b/config/templates/helm-labels.yaml.envsubst
@ -1,14 +0,0 @@
---
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/instance: '{{ .Release.Name }}'
-  app.kubernetes.io/name: '{{ template "kyverno.name" . }}'
-  app.kubernetes.io/part-of: '{{ template "kyverno.name" . }}'
-  app.kubernetes.io/version: $VERSION
-fieldSpecs:
- kind: CustomResourceDefinition
-  path: metadata/labels
-  create: true
--- a/config/templates/kustomization.yaml.envsubst
+++ b/config/templates/kustomization.yaml.envsubst
@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- $TOP_PATH/bundle/
-
-transformers:
- labels.yaml
-
-images:
- name: ghcr.io/kyverno/kyverno
-  newTag: $VERSION
- name: ghcr.io/kyverno/kyvernopre
-  newTag: $VERSION
--- a/config/templates/labels.yaml.envsubst
+++ b/config/templates/labels.yaml.envsubst
@ -1,13 +0,0 @@
---
-apiVersion: builtin
-kind: LabelTransformer
-metadata:
-  name: labelTransformer
-labels:
-  app.kubernetes.io/version: $VERSION
-fieldSpecs:
- path: metadata/labels
-  create: true
- kind: Deployment
-  path: spec/template/metadata/labels
-  create: true
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@ -85,7 +85,7 @@ func (g *Generate) Validate() (string, error) {
 	}

 	// Kyverno generate-controller create/update/deletes the resources specified in generate rule of policy
-	// kyverno uses SA 'kyverno-service-account' and has default ClusterRoles and ClusterRoleBindings
+	// kyverno uses SA 'kyverno' and has default ClusterRoles and ClusterRoleBindings
 	// instructions to modify the RBAC for kyverno are mentioned at https://github.com/kyverno/kyverno/blob/master/documentation/installation.md
 	// - operations required: create/update/delete/get
 	// If kind and namespace contain variables, then we cannot resolve then so we skip the processing
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-manifests.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-manifests.yaml
@ -25,6 +25,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
+    app: kyverno
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/name: kyverno
  name: kyverno:modify-nodes
--- a/test/e2e/generate/resources.go
+++ b/test/e2e/generate/resources.go
@ -170,7 +170,7 @@ spec:
            name: ns-cluster-role
          subjects:
          - kind: ServiceAccount
-            name: "kyverno-service-account"
+            name: "kyverno"
            namespace: "{{request.object.metadata.name}}"
 `)

@ -211,7 +211,7 @@ roleRef:
  name: base-cluster-role
 subjects:
 - kind: ServiceAccount
-  name: kyverno-service-account
+  name: kyverno
  namespace: kyverno
 `)