diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 690393b3fa..4e9b697dd3 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -33,6 +33,8 @@ annotations: url: https://kyverno.io/docs # valid kinds are: added, changed, deprecated, removed, fixed and security artifacthub.io/changes: | + - kind: added + description: Add profiling support - kind: added description: Add global nodeSelector - kind: added diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 848cfba60f..75b7199d81 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -413,6 +413,10 @@ The chart values are organised per component. | admissionController.metering.port | int | `8000` | Prometheus endpoint port | | admissionController.metering.collector | string | `""` | Otel collector endpoint | | admissionController.metering.creds | string | `""` | Otel collector credentials | +| admissionController.profiling.enabled | bool | `false` | Enable profiling | +| admissionController.profiling.port | int | `6060` | Profiling endpoint port | +| admissionController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| admissionController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | ### Background controller 
@@ -481,6 +485,10 @@ The chart values are organised per component. | backgroundController.metering.port | int | `8000` | Prometheus endpoint port | | backgroundController.metering.collector | string | `""` | Otel collector endpoint | | backgroundController.metering.creds | string | `""` | Otel collector credentials | +| backgroundController.profiling.enabled | bool | `false` | Enable profiling | +| backgroundController.profiling.port | int | `6060` | Profiling endpoint port | +| backgroundController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| backgroundController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | ### Cleanup controller @@ -556,6 +564,10 @@ The chart values are organised per component. | cleanupController.metering.port | int | `8000` | Prometheus endpoint port | | cleanupController.metering.collector | string | `""` | Otel collector endpoint | | cleanupController.metering.creds | string | `""` | Otel collector credentials | +| cleanupController.profiling.enabled | bool | `false` | Enable profiling | +| cleanupController.profiling.port | int | `6060` | Profiling endpoint port | +| cleanupController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| cleanupController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | ### Reports controller 
@@ -627,6 +639,10 @@ The chart values are organised per component. | reportsController.metering.port | int | `8000` | Prometheus endpoint port | | reportsController.metering.collector | string | `nil` | Otel collector endpoint | | reportsController.metering.creds | string | `nil` | Otel collector credentials | +| reportsController.profiling.enabled | bool | `false` | Enable profiling | +| reportsController.profiling.port | int | `6060` | Profiling endpoint port | +| reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | ### Grafana diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index 7df984493c..a086e0b87d 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -175,6 +175,10 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{ if .Values.admissionController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.admissionController.profiling.port }} + {{- end }} {{- with .Values.admissionController.container.resources }} resources: {{- tpl (toYaml .) $ | nindent 12 }} @@ -190,6 +194,11 @@ spec: - containerPort: 8000 name: metrics-port protocol: TCP + {{ if .Values.admissionController.profiling.enabled }} + - containerPort: {{ .Values.admissionController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} env: - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} diff --git a/charts/kyverno/templates/admission-controller/service.yaml b/charts/kyverno/templates/admission-controller/service.yaml index 8e900205f6..dd1a7ebdda 100644 --- a/charts/kyverno/templates/admission-controller/service.yaml +++ b/charts/kyverno/templates/admission-controller/service.yaml 
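Review bot: The two `{{ if .Values.admissionController.profiling.enabled }}` openers added to the args and ports lists have no left trim marker, so with profiling disabled the template still emits a whitespace-only line. The regenerated config/install-latest-testing.yaml in this commit appears to show exactly that, with new blank lines before `resources:` and `env:`. Writing the opener as `{{- if .Values.admissionController.profiling.enabled }}`, like the surrounding `{{- with ... }}` and `{{- end }}` actions, keeps the rendered manifest byte-identical for installs that leave profiling off. The background-, cleanup- and reports-controller deployment hunks use the same untrimmed opener; all of them sit inside a container spec that starts and ends outside the hunk.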
@@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Service metadata: @@ -20,8 +21,8 @@ spec: selector: {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} type: {{ .Values.admissionController.service.type }} ---- {{- if .Values.admissionController.metricsService.create }} +--- apiVersion: v1 kind: Service metadata: @@ -45,3 +46,25 @@ spec: {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} type: {{ .Values.admissionController.metricsService.type }} {{- end -}} +{{- if .Values.admissionController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.admissionController.profiling.port }} + targetPort: {{ .Values.admissionController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.admissionController.profiling.serviceType "NodePort") (not (empty .Values.admissionController.profiling.nodePort)) }} + nodePort: {{ .Values.admissionController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.profiling.serviceType }} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml index f127b5a383..655da0711e 100644 --- a/charts/kyverno/templates/background-controller/deployment.yaml +++ b/charts/kyverno/templates/background-controller/deployment.yaml @@ -29,7 +29,7 @@ spec: {{- end }} spec: {{- with .Values.backgroundController.imagePullSecrets }} - imagePullSecrets: + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.backgroundController.podSecurityContext }} 
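Review bot: The new `-profiling` Service renders `type: {{ .Values.admissionController.profiling.serviceType }}` with no check on the value, so `LoadBalancer` is accepted as readily as `ClusterIP`, and nothing in the hunk limits who may connect to the port. Profiling endpoints are normally unauthenticated debug handlers (presumably the case here, though the server side is not visible), and on an admission controller heap or goroutine dumps can contain request payloads. I would reject unexpected types up front with `{{- if not (has .Values.admissionController.profiling.serviceType (list "ClusterIP" "NodePort")) }}{{ fail "profiling.serviceType must be ClusterIP or NodePort" }}{{- end }}`. I would also add a template comment saying the Service is for short-lived debugging and should be covered by a NetworkPolicy. The same applies to the profiling Services added for the background, cleanup and reports controllers.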
@@ -86,6 +86,11 @@ spec: - containerPort: 8000 name: metrics protocol: TCP + {{ if .Values.backgroundController.profiling.enabled }} + - containerPort: {{ .Values.backgroundController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} args: {{- if .Values.backgroundController.tracing.enabled }} - --enableTracing @@ -121,6 +126,10 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{ if .Values.backgroundController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.backgroundController.profiling.port }} + {{- end }} env: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.background-controller.serviceAccountName" . }} diff --git a/charts/kyverno/templates/background-controller/service.yaml b/charts/kyverno/templates/background-controller/service.yaml index ad84fdfd39..0041234dee 100644 --- a/charts/kyverno/templates/background-controller/service.yaml +++ b/charts/kyverno/templates/background-controller/service.yaml @@ -1,5 +1,6 @@ {{- if .Values.backgroundController.enabled -}} {{- if .Values.backgroundController.metricsService.create -}} +--- apiVersion: v1 kind: Service metadata: 
@@ -25,3 +26,25 @@ spec: type: {{ .Values.backgroundController.metricsService.type }} {{- end -}} {{- end -}} +{{- if .Values.backgroundController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.background-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.backgroundController.profiling.port }} + targetPort: {{ .Values.backgroundController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.backgroundController.profiling.serviceType "NodePort") (not (empty .Values.backgroundController.profiling.nodePort)) }} + nodePort: {{ .Values.backgroundController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.backgroundController.profiling.serviceType }} +{{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml index 51796d1c4e..b4a79accdb 100644 --- a/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml @@ -29,7 +29,7 @@ spec: {{- end }} spec: {{- with .Values.cleanupController.imagePullSecrets }} - imagePullSecrets: + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.cleanupController.podSecurityContext }} 
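Review bot: The profiling Service block is appended after both closing `{{- end -}}` actions, so it falls outside the `backgroundController.enabled` guard that opens this file. With `backgroundController.enabled=false` and `profiling.enabled=true` the chart would still create a `-profiling` Service, presumably with a selector that matches no pods. Either move the block above the final `{{- end -}}`, as the cleanup-controller hunk does, or gate it as `{{- if and .Values.backgroundController.enabled .Values.backgroundController.profiling.enabled }}`. The reports-controller service.yaml hunk has the same placement.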
@@ -86,6 +86,11 @@ spec: - containerPort: 8000 name: metrics protocol: TCP + {{ if .Values.cleanupController.profiling.enabled }} + - containerPort: {{ .Values.cleanupController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} args: - --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair @@ -122,6 +127,10 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{ if .Values.cleanupController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.cleanupController.profiling.port }} + {{- end }} env: - name: KYVERNO_DEPLOYMENT value: {{ template "kyverno.cleanup-controller.name" . }} diff --git a/charts/kyverno/templates/cleanup-controller/service.yaml b/charts/kyverno/templates/cleanup-controller/service.yaml index 65b76735ea..94981d5c56 100644 --- a/charts/kyverno/templates/cleanup-controller/service.yaml +++ b/charts/kyverno/templates/cleanup-controller/service.yaml @@ -1,4 +1,5 @@ {{- if .Values.cleanupController.enabled -}} +--- apiVersion: v1 kind: Service metadata: 
@@ -48,4 +49,26 @@ spec: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} type: {{ .Values.cleanupController.metricsService.type }} {{- end -}} +{{- if .Values.cleanupController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.cleanupController.profiling.port }} + targetPort: {{ .Values.cleanupController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.cleanupController.profiling.serviceType "NodePort") (not (empty .Values.cleanupController.profiling.nodePort)) }} + nodePort: {{ .Values.cleanupController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.cleanupController.profiling.serviceType }} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml index 97a39bfc8e..a7b55b1ea9 100644 --- a/charts/kyverno/templates/reports-controller/deployment.yaml +++ b/charts/kyverno/templates/reports-controller/deployment.yaml @@ -29,7 +29,7 @@ spec: {{- end }} spec: {{- with .Values.reportsController.imagePullSecrets }} - imagePullSecrets: + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.reportsController.podSecurityContext }} @@ -86,6 +86,11 @@ spec: - containerPort: 8000 name: metrics protocol: TCP + {{ if .Values.reportsController.profiling.enabled }} + - containerPort: {{ .Values.reportsController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} args: {{- if .Values.reportsController.tracing.enabled }} - --enableTracing 
@@ -129,6 +134,10 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- end }} + {{ if .Values.reportsController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.reportsController.profiling.port }} + {{- end }} env: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.reports-controller.serviceAccountName" . }} diff --git a/charts/kyverno/templates/reports-controller/service.yaml b/charts/kyverno/templates/reports-controller/service.yaml index 6eee2170d1..794b9fa25f 100644 --- a/charts/kyverno/templates/reports-controller/service.yaml +++ b/charts/kyverno/templates/reports-controller/service.yaml @@ -1,5 +1,6 @@ {{- if .Values.reportsController.enabled -}} {{- if .Values.reportsController.metricsService.create -}} +--- apiVersion: v1 kind: Service metadata: @@ -25,3 +26,25 @@ spec: type: {{ .Values.reportsController.metricsService.type }} {{- end -}} {{- end -}} +{{- if .Values.reportsController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.reports-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.reportsController.profiling.port }} + targetPort: {{ .Values.reportsController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.reportsController.profiling.serviceType "NodePort") (not (empty .Values.reportsController.profiling.nodePort)) }} + nodePort: {{ .Values.reportsController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.reportsController.profiling.serviceType }} +{{- end -}} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index f61cded78d..96d71360c2 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -1166,6 +1166,17 @@ admissionController: # -- Otel collector credentials creds: '' + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # Background controller configuration backgroundController: @@ -1454,6 +1465,17 @@ backgroundController: # -- Otel collector credentials creds: '' + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # Cleanup controller configuration cleanupController: @@ -1749,6 +1771,17 @@ cleanupController: # -- Otel collector credentials creds: '' + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # Reports controller configuration reportsController: @@ -2010,3 +2043,14 @@ reportsController: collector: ~ # -- (string) Otel collector credentials creds: ~ + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 2668268d80..686cef8ace 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -50323,6 +50323,7 @@ spec: - --protectManagedResources=false - --allowInsecureRegistry=false - --registryCredentialHelpers=default,google,amazon,azure,github + resources: limits: memory: 384Mi @@ -50346,6 +50347,7 @@ spec: - containerPort: 8000 name: metrics-port protocol: TCP + env: - name: INIT_CONFIG value: kyverno 
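Review bot: The comment on `nodePort` refers to a key named `type`, but the key this commit adds and the template reads is `serviceType`; that mismatch is repeated in all four controller sections and in the generated README rows. The value is also left as a bare `nodePort:`, which the README reports as type string with default `nil`. Following the `~` convention already used for `collector` in this file, I would write `# -- (int) Service node port. Only used if serviceType is NodePort.` above `nodePort: ~`. Since `enabled: true` opens a debug port and creates a Service for it, the `# -- Enable profiling` comment should also say that the endpoint is meant for temporary troubleshooting and should stay on `ClusterIP`.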
@@ -50458,6 +50460,7 @@ spec: - containerPort: 8000 name: metrics protocol: TCP + args: - --disableMetrics=false - --otelConfig=prometheus @@ -50467,6 +50470,7 @@ spec: - --loggingFormat=text - --v=2 - --enablePolicyException=true + env: - name: KYVERNO_SERVICEACCOUNT_NAME value: kyverno-background-controller @@ -50557,6 +50561,7 @@ spec: - containerPort: 8000 name: metrics protocol: TCP + args: - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair @@ -50571,6 +50576,7 @@ spec: - --loggingFormat=text - --v=2 - --ttlReconciliationInterval=1m + env: - name: KYVERNO_DEPLOYMENT value: kyverno-cleanup-controller @@ -50691,6 +50697,7 @@ spec: - containerPort: 8000 name: metrics protocol: TCP + args: - --disableMetrics=false - --otelConfig=prometheus @@ -50711,6 +50718,7 @@ spec: - --reportsChunkSize=1000 - --allowInsecureRegistry=false - --registryCredentialHelpers=default,google,amazon,azure,github + env: - name: KYVERNO_SERVICEACCOUNT_NAME value: kyverno-reports-controller