mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00

feat: add updateRequestThreshold config option to kyverno helm chart (#10739)

Signed-off-by: Garry O'Donnell <garry.o'donnell@diamond.ac.uk>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Garry O'Donnell 2024-08-15 16:40:57 +01:00 committed by GitHub
parent 3c63152f18
commit 5a60836279
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 8 additions and 0 deletions


@ -295,6 +295,7 @@ The chart values are organised per component.
| config.excludeClusterRoles | list | `[]` | Exclude roles | | config.excludeClusterRoles | list | `[]` | Exclude roles |
| config.generateSuccessEvents | bool | `false` | Generate success events. | | config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. |
| config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | | config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. | | config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. |
| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. | | config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. |


@ -35,6 +35,9 @@ data:
resourceFilters: >- resourceFilters: >-
{{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }} {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }}
{{- end -}} {{- end -}}
{{- with .Values.config.updateRequestThreshold }}
updateRequestThreshold: {{ . | quote }}
{{- end -}}
{{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }} {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }}
webhooks: {{ include "kyverno.config.webhooks" . | quote }} webhooks: {{ include "kyverno.config.webhooks" . | quote }}
{{- else if .Values.config.webhooks }} {{- else if .Values.config.webhooks }}
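Review bot: The added `{{- with .Values.config.updateRequestThreshold }}` guard treats `0` as empty, so a user who sets the threshold to `0` gets no `updateRequestThreshold` key in the ConfigMap, and the controller presumably falls back to its built-in default rather than the requested value. This setting bounds how many UpdateRequests can pile up, so a silently dropped value is worth avoiding; test for unset explicitly with `{{- if not (kindIs "invalid" .Values.config.updateRequestThreshold) }}`. Large values can also reach the template as floats and be quoted in exponent form, so rendering with `updateRequestThreshold: {{ .Values.config.updateRequestThreshold | int64 | quote }}` is safer. The `data:` block starts and continues outside this hunk.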


@ -309,6 +309,9 @@ config:
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies.
updateRequestThreshold: 1000
# -- Defines the `namespaceSelector` in the webhook configurations. # -- Defines the `namespaceSelector` in the webhook configurations.
# Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element
# will be forwarded to the webhook configurations. # will be forwarded to the webhook configurations.
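Review bot: The new doc comment above `updateRequestThreshold: 1000` misspells `mutateExisting` as `mutateExisitng`, and the same text is copied into the README table row in the first file section. The comment also does not say what happens once the threshold is reached or which values are accepted, which an operator needs in order to size this limit. Suggest `# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisting and generate policies.` followed by a line describing the behaviour at the limit, which is not visible from this diff. The `config:` block continues outside the hunk.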


@ -172,6 +172,7 @@ data:
[ServiceMonitor,kyverno,kyverno-reports-controller] [ServiceMonitor,kyverno,kyverno-reports-controller]
[Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-svc.kyverno.svc.*]
[Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]
updateRequestThreshold: "1000"
webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]" webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]"
webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}" webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}"
--- ---