From 5a60836279b75b25ef8a5ddd771f6c8ff1e0ee4f Mon Sep 17 00:00:00 2001
From: Garry O'Donnell
Date: Thu, 15 Aug 2024 16:40:57 +0100
Subject: [PATCH] feat: add updateRequestThreshold config option to kyverno helm chart (#10739)
Signed-off-by: Garry O'Donnell
Co-authored-by: shuting
Co-authored-by: Mariam Fahmy
---
 charts/kyverno/README.md | 1 +
 charts/kyverno/templates/config/configmap.yaml | 3 +++
 charts/kyverno/values.yaml | 3 +++
 config/install-latest-testing.yaml | 1 +
 4 files changed, 8 insertions(+)
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 48ed8b51d0..ed1b01e1a8 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -295,6 +295,7 @@ The chart values are organised per component.
 | config.excludeClusterRoles | list | `[]` | Exclude roles |
 | config.generateSuccessEvents | bool | `false` | Generate success events. |
 | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
+| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. |
 | config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
 | config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. |
 | config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. |
diff --git a/charts/kyverno/templates/config/configmap.yaml b/charts/kyverno/templates/config/configmap.yaml
index 7d6a91678c..d10a74d5dd 100644
--- a/charts/kyverno/templates/config/configmap.yaml
+++ b/charts/kyverno/templates/config/configmap.yaml
@@ -35,6 +35,9 @@ data: resourceFilters: >- {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }} {{- end -}} + {{- with .Values.config.updateRequestThreshold }} + updateRequestThreshold: {{ . | quote }} + {{- end -}} {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }} webhooks: {{ include "kyverno.config.webhooks" . | quote }} {{- else if .Values.config.webhooks }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 052b8c32d5..2f8cf434dc 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -309,6 +309,9 @@ config: - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. + updateRequestThreshold: 1000 + # -- Defines the `namespaceSelector` in the webhook configurations. # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element # will be forwarded to the webhook configurations. diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 574b544507..8e6a37856d 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
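Review bot: In the configmap.yaml hunk, `{{- with .Values.config.updateRequestThreshold }}` treats `0` the same as an unset value, so an operator who sets the threshold to zero gets no `updateRequestThreshold` key in the ConfigMap and Kyverno presumably falls back to its built-in default without any signal. The value is then passed through a bare `quote`, which performs no type check; because Helm typically loads numbers from values.yaml as floats, a large setting may be printed in exponent form (a constructed value of 1000000 could render as `"1e+06"`), and how the controller parses that string is not visible in this diff. Since this setting bounds how many UpdateRequests mutateExisting and generate policies can accumulate, I would make the rendering explicit with `{{- if not (kindIs "invalid" .Values.config.updateRequestThreshold) }}` and `updateRequestThreshold: {{ .Values.config.updateRequestThreshold | int64 | quote }}`. The surrounding `data:` block starts and continues outside the hunk.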
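Review bot: The comment added above `updateRequestThreshold: 1000` in the values.yaml hunk misspells the policy type as `mutateExisitng`, and the same text appears in the new README.md table row, so the typo reaches the published chart documentation. The comment also does not state which values are accepted or what an operator should expect once the threshold is reached, which matters for a limit that guards against UpdateRequest build-up. I would reword it along the lines of `# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisting and generate policies.` and add a second comment line naming the accepted range and noting that a value of `0` is not rendered by the configmap template as written.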
@@ -172,6 +172,7 @@ data:
 [ServiceMonitor,kyverno,kyverno-reports-controller]
 [Secret,kyverno,kyverno-svc.kyverno.svc.*]
 [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
+ updateRequestThreshold: "1000"
 webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]"
 webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
 ---