refactor: helm admission controller config (#6457)
* refactor: helm admission controller config Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * pdb Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: helm admission controller config Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * certs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
6b8ac1cf5a
commit
5c9273de84
5 changed files with 120 additions and 107 deletions
|
@ -130,6 +130,15 @@ In `v3` chart values changed significantly, please read the instructions below t
|
||||||
- `tolerations` has been replaced with `admissionController.tolerations`
|
- `tolerations` has been replaced with `admissionController.tolerations`
|
||||||
- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints`
|
- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints`
|
||||||
- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget`
|
- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget`
|
||||||
|
- `antiAffinity` has been replaced with `admissionController.antiAffinity`
|
||||||
|
- `antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled`
|
||||||
|
- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity`
|
||||||
|
- `podAffinity` has been replaced with `admissionController.podAffinity`
|
||||||
|
- `nodeAffinity` has been replaced with `admissionController.nodeAffinity`
|
||||||
|
- `startupProbe` has been replaced with `admissionController.startupProbe`
|
||||||
|
- `livenessProbe` has been replaced with `admissionController.livenessProbe`
|
||||||
|
- `readinessProbe` has been replaced with `admissionController.readinessProbe`
|
||||||
|
- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert`
|
||||||
|
|
||||||
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
||||||
|
|
||||||
|
@ -200,10 +209,6 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
| podAnnotations | object | `{}` | Additional annotations to add to each pod |
|
||||||
| podSecurityContext | object | `{}` | Security context for the pod |
|
| podSecurityContext | object | `{}` | Security context for the pod |
|
||||||
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
|
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
|
||||||
| antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
|
|
||||||
| podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
|
|
||||||
| podAffinity | object | `{}` | Pod affinity constraints. |
|
|
||||||
| nodeAffinity | object | `{}` | Node affinity constraints. |
|
|
||||||
| envVarsInit | object | `{}` | Env variables for initContainers. |
|
| envVarsInit | object | `{}` | Env variables for initContainers. |
|
||||||
| envVars | object | `{}` | Env variables for containers. |
|
| envVars | object | `{}` | Env variables for containers. |
|
||||||
| extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the binary. |
|
| extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the binary. |
|
||||||
|
@ -213,9 +218,6 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
|
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
|
||||||
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
|
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
|
||||||
| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
|
| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
|
||||||
| startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
|
|
||||||
| livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
|
|
||||||
| readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
|
|
||||||
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
|
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
|
||||||
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
|
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
|
||||||
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
|
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
|
||||||
|
@ -235,7 +237,6 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
|
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
|
||||||
| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
|
| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
|
||||||
| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
|
| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
|
||||||
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
|
|
||||||
| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
|
| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
|
||||||
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
|
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
|
||||||
| webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
|
| webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
|
||||||
|
@ -246,13 +247,21 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. |
|
| grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. |
|
||||||
| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
|
| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
|
||||||
| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
|
| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
|
||||||
|
| admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
|
||||||
| admissionController.replicas | int | `nil` | Desired number of pods |
|
| admissionController.replicas | int | `nil` | Desired number of pods |
|
||||||
| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
|
||||||
| admissionController.priorityClassName | string | `""` | Optional priority class |
|
| admissionController.priorityClassName | string | `""` | Optional priority class |
|
||||||
| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
|
| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
|
||||||
| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
|
| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
|
||||||
|
| admissionController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
|
||||||
|
| admissionController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
|
||||||
|
| admissionController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
|
||||||
| admissionController.nodeSelector | object | `{}` | Node labels for pod assignment |
|
| admissionController.nodeSelector | object | `{}` | Node labels for pod assignment |
|
||||||
| admissionController.tolerations | list | `[]` | List of node taints to tolerate |
|
| admissionController.tolerations | list | `[]` | List of node taints to tolerate |
|
||||||
|
| admissionController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
|
||||||
|
| admissionController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
|
||||||
|
| admissionController.podAffinity | object | `{}` | Pod affinity constraints. |
|
||||||
|
| admissionController.nodeAffinity | object | `{}` | Node affinity constraints. |
|
||||||
| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
|
| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
|
||||||
| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
|
| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
|
||||||
| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
|
| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
|
||||||
|
@ -417,9 +426,9 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
|
|
||||||
## TLS Configuration
|
## TLS Configuration
|
||||||
|
|
||||||
If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
|
If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
|
||||||
|
|
||||||
If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
|
If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
|
||||||
|
|
||||||
## Default resource filters
|
## Default resource filters
|
||||||
|
|
||||||
|
|
|
@ -130,6 +130,15 @@ In `v3` chart values changed significantly, please read the instructions below t
|
||||||
- `tolerations` has been replaced with `admissionController.tolerations`
|
- `tolerations` has been replaced with `admissionController.tolerations`
|
||||||
- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints`
|
- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints`
|
||||||
- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget`
|
- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget`
|
||||||
|
- `antiAffinity` has been replaced with `admissionController.antiAffinity`
|
||||||
|
- `antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled`
|
||||||
|
- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity`
|
||||||
|
- `podAffinity` has been replaced with `admissionController.podAffinity`
|
||||||
|
- `nodeAffinity` has been replaced with `admissionController.nodeAffinity`
|
||||||
|
- `startupProbe` has been replaced with `admissionController.startupProbe`
|
||||||
|
- `livenessProbe` has been replaced with `admissionController.livenessProbe`
|
||||||
|
- `readinessProbe` has been replaced with `admissionController.readinessProbe`
|
||||||
|
- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert`
|
||||||
|
|
||||||
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
|
||||||
|
|
||||||
|
@ -151,9 +160,9 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
|
|
||||||
## TLS Configuration
|
## TLS Configuration
|
||||||
|
|
||||||
If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
|
If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
|
||||||
|
|
||||||
If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
|
If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
|
||||||
|
|
||||||
## Default resource filters
|
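Review bot: The new `admissionController.createSelfSignedCert` comment says the certificates won't be renewed, but it does not say how long they are valid or what happens afterwards; the secret template in this same commit calls `genCA ... 1024` and `genSignedCert ... 1024 $ca`, i.e. a validity of 1024 days, after which the API server's TLS handshake with the webhook will fail. Suggest extending the comment to: `# The certificates won't be automatically renewed if this is set to \`true\`: Helm generates them with a fixed 1024-day validity, so plan a rotation before expiry, or keep the default \`false\` and let Kyverno manage its own CA and serving certificate.` Whether the secret template regenerates the keypair on every `helm upgrade` (no `lookup` is visible in the four lines shown) is outside this hunk, so I have not asserted either way. The `admissionController:` mapping continues past the end of the hunk.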
## Default resource filters
|
||||||
|
|
||||||
|
|
|
@ -55,19 +55,19 @@ spec:
|
||||||
{{- with .Values.admissionController.dnsPolicy }}
|
{{- with .Values.admissionController.dnsPolicy }}
|
||||||
dnsPolicy: {{ . }}
|
dnsPolicy: {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }}
|
{{- if or .Values.admissionController.antiAffinity.enable .Values.admissionController.podAffinity .Values.admissionController.nodeAffinity }}
|
||||||
affinity:
|
affinity:
|
||||||
{{- if .Values.antiAffinity.enable }}
|
{{- if .Values.admissionController.antiAffinity.enabled }}
|
||||||
{{- with .Values.podAntiAffinity }}
|
{{- with .Values.admissionController.podAntiAffinity }}
|
||||||
podAntiAffinity:
|
podAntiAffinity:
|
||||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with .Values.podAffinity }}
|
{{- with .Values.admissionController.podAffinity }}
|
||||||
podAffinity:
|
podAffinity:
|
||||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- with .Values.nodeAffinity }}
|
{{- with .Values.admissionController.nodeAffinity }}
|
||||||
nodeAffinity:
|
nodeAffinity:
|
||||||
{{- tpl (toYaml .) $ | nindent 10 }}
|
{{- tpl (toYaml .) $ | nindent 10 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -162,15 +162,18 @@ spec:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: KYVERNO_DEPLOYMENT
|
- name: KYVERNO_DEPLOYMENT
|
||||||
value: {{ template "kyverno.fullname" . }}
|
value: {{ template "kyverno.fullname" . }}
|
||||||
{{- with .Values.startupProbe }}
|
{{- with .Values.admissionController.startupProbe }}
|
||||||
startupProbe: {{ tpl (toYaml .) $ | nindent 12 }}
|
startupProbe:
|
||||||
{{- end }}
|
{{- tpl (toYaml .) $ | nindent 12 }}
|
||||||
{{- with .Values.livenessProbe }}
|
{{- end }}
|
||||||
livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
|
{{- with .Values.admissionController.livenessProbe }}
|
||||||
{{- end }}
|
livenessProbe:
|
||||||
{{- with .Values.readinessProbe }}
|
{{- tpl (toYaml .) $ | nindent 12 }}
|
||||||
readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- with .Values.admissionController.readinessProbe }}
|
||||||
|
readinessProbe:
|
||||||
|
{{- tpl (toYaml .) $ | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: {{ .Values.tufRootMountPath }}
|
- mountPath: {{ .Values.tufRootMountPath }}
|
||||||
name: sigstore
|
name: sigstore
|
||||||
|
|
|
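Review bot: The outer guard on the `affinity:` block, `{{- if or .Values.admissionController.antiAffinity.enable ...`, still reads the old `enable` key, while the inner `{{- if .Values.admissionController.antiAffinity.enabled }}` and the renamed value in values.yaml use `enabled`. With the chart defaults (`enabled: true`, `podAffinity: {}`, `nodeAffinity: {}`) the condition evaluates to `or nil {} {}`, so no `affinity:` stanza is rendered and the default podAntiAffinity that spreads admission-controller replicas across nodes is silently dropped — Go templates return nil for a missing map key rather than erroring, so `helm template`/`helm lint` will not catch it, and a node failure can then take out every webhook replica at once. Change the guard to `{{- if or .Values.admissionController.antiAffinity.enabled .Values.admissionController.podAffinity .Values.admissionController.nodeAffinity }}`. The enclosing Deployment `spec:` starts before this hunk and continues past it.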
@ -1,4 +1,4 @@
|
||||||
{{- if .Values.createSelfSignedCert -}}
|
{{- if .Values.admissionController.createSelfSignedCert -}}
|
||||||
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
|
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
|
||||||
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}}
|
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}}
|
||||||
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
|
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
|
||||||
|
|
|
@ -257,31 +257,6 @@ securityContext:
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: RuntimeDefault
|
||||||
|
|
||||||
antiAffinity:
|
|
||||||
# -- Pod antiAffinities toggle.
|
|
||||||
# Enabled by default but can be disabled if you want to schedule pods to the same node.
|
|
||||||
enable: true
|
|
||||||
|
|
||||||
# -- Pod anti affinity constraints.
|
|
||||||
# @default -- See [values.yaml](values.yaml)
|
|
||||||
podAntiAffinity:
|
|
||||||
preferredDuringSchedulingIgnoredDuringExecution:
|
|
||||||
- weight: 1
|
|
||||||
podAffinityTerm:
|
|
||||||
labelSelector:
|
|
||||||
matchExpressions:
|
|
||||||
- key: app.kubernetes.io/name
|
|
||||||
operator: In
|
|
||||||
values:
|
|
||||||
- '{{ template "kyverno.name" . }}'
|
|
||||||
topologyKey: kubernetes.io/hostname
|
|
||||||
|
|
||||||
# -- Pod affinity constraints.
|
|
||||||
podAffinity: {}
|
|
||||||
|
|
||||||
# -- Node affinity constraints.
|
|
||||||
nodeAffinity: {}
|
|
||||||
|
|
||||||
# -- Env variables for initContainers.
|
# -- Env variables for initContainers.
|
||||||
envVarsInit: {}
|
envVarsInit: {}
|
||||||
|
|
||||||
|
@ -325,49 +300,6 @@ initResources:
|
||||||
cpu: 10m
|
cpu: 10m
|
||||||
memory: 64Mi
|
memory: 64Mi
|
||||||
|
|
||||||
# -- Startup probe.
|
|
||||||
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
|
|
||||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
|
||||||
# @default -- See [values.yaml](values.yaml)
|
|
||||||
startupProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /health/liveness
|
|
||||||
port: 9443
|
|
||||||
scheme: HTTPS
|
|
||||||
failureThreshold: 20
|
|
||||||
initialDelaySeconds: 2
|
|
||||||
periodSeconds: 6
|
|
||||||
|
|
||||||
# -- Liveness probe.
|
|
||||||
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
|
|
||||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
|
||||||
# @default -- See [values.yaml](values.yaml)
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /health/liveness
|
|
||||||
port: 9443
|
|
||||||
scheme: HTTPS
|
|
||||||
initialDelaySeconds: 15
|
|
||||||
periodSeconds: 30
|
|
||||||
timeoutSeconds: 5
|
|
||||||
failureThreshold: 2
|
|
||||||
successThreshold: 1
|
|
||||||
|
|
||||||
# -- Readiness Probe.
|
|
||||||
# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
|
|
||||||
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
|
||||||
# @default -- See [values.yaml](values.yaml)
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /health/readiness
|
|
||||||
port: 9443
|
|
||||||
scheme: HTTPS
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 10
|
|
||||||
timeoutSeconds: 5
|
|
||||||
failureThreshold: 6
|
|
||||||
successThreshold: 1
|
|
||||||
|
|
||||||
# -- Additional resources to be added to controller RBAC permissions.
|
# -- Additional resources to be added to controller RBAC permissions.
|
||||||
generatecontrollerExtraResources: []
|
generatecontrollerExtraResources: []
|
||||||
# - ResourceA
|
# - ResourceA
|
||||||
|
@ -423,18 +355,6 @@ serviceMonitor:
|
||||||
# -- TLS Configuration for endpoint
|
# -- TLS Configuration for endpoint
|
||||||
tlsConfig: {}
|
tlsConfig: {}
|
||||||
|
|
||||||
# -- Kyverno requires a certificate key pair and corresponding certificate authority
|
|
||||||
# to properly register its webhooks. This can be done in one of 3 ways:
|
|
||||||
# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred)
|
|
||||||
# 2) Provide your own CA and cert.
|
|
||||||
# In this case, you will need to create a certificate with a specific name and data structure.
|
|
||||||
# As long as you follow the naming scheme, it will be automatically picked up.
|
|
||||||
# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt)
|
|
||||||
# kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
|
|
||||||
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
|
|
||||||
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
|
|
||||||
createSelfSignedCert: false
|
|
||||||
|
|
||||||
networkPolicy:
|
networkPolicy:
|
||||||
# -- When true, use a NetworkPolicy to allow ingress to the webhook
|
# -- When true, use a NetworkPolicy to allow ingress to the webhook
|
||||||
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
|
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
|
||||||
|
@ -472,6 +392,10 @@ grafana:
|
||||||
# Admission controller configuration
|
# Admission controller configuration
|
||||||
admissionController:
|
admissionController:
|
||||||
|
|
||||||
|
# -- Create self-signed certificates at deployment time.
|
||||||
|
# The certificates won't be automatically renewed if this is set to `true`.
|
||||||
|
createSelfSignedCert: false
|
||||||
|
|
||||||
# -- (int) Desired number of pods
|
# -- (int) Desired number of pods
|
||||||
replicas: ~
|
replicas: ~
|
||||||
|
|
||||||
|
@ -497,12 +421,80 @@ admissionController:
|
||||||
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
|
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
|
||||||
dnsPolicy: ClusterFirst
|
dnsPolicy: ClusterFirst
|
||||||
|
|
||||||
|
# -- Startup probe.
|
||||||
|
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
|
||||||
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
||||||
|
# @default -- See [values.yaml](values.yaml)
|
||||||
|
startupProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /health/liveness
|
||||||
|
port: 9443
|
||||||
|
scheme: HTTPS
|
||||||
|
failureThreshold: 20
|
||||||
|
initialDelaySeconds: 2
|
||||||
|
periodSeconds: 6
|
||||||
|
|
||||||
|
# -- Liveness probe.
|
||||||
|
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
|
||||||
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
||||||
|
# @default -- See [values.yaml](values.yaml)
|
||||||
|
livenessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /health/liveness
|
||||||
|
port: 9443
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 30
|
||||||
|
timeoutSeconds: 5
|
||||||
|
failureThreshold: 2
|
||||||
|
successThreshold: 1
|
||||||
|
|
||||||
|
# -- Readiness Probe.
|
||||||
|
# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
|
||||||
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
||||||
|
# @default -- See [values.yaml](values.yaml)
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /health/readiness
|
||||||
|
port: 9443
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
timeoutSeconds: 5
|
||||||
|
failureThreshold: 6
|
||||||
|
successThreshold: 1
|
||||||
|
|
||||||
# -- Node labels for pod assignment
|
# -- Node labels for pod assignment
|
||||||
nodeSelector: {}
|
nodeSelector: {}
|
||||||
|
|
||||||
# -- List of node taints to tolerate
|
# -- List of node taints to tolerate
|
||||||
tolerations: []
|
tolerations: []
|
||||||
|
|
||||||
|
antiAffinity:
|
||||||
|
# -- Pod antiAffinities toggle.
|
||||||
|
# Enabled by default but can be disabled if you want to schedule pods to the same node.
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
# -- Pod anti affinity constraints.
|
||||||
|
# @default -- See [values.yaml](values.yaml)
|
||||||
|
podAntiAffinity:
|
||||||
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- weight: 1
|
||||||
|
podAffinityTerm:
|
||||||
|
labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app.kubernetes.io/component
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- admission-controller
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
|
||||||
|
# -- Pod affinity constraints.
|
||||||
|
podAffinity: {}
|
||||||
|
|
||||||
|
# -- Node affinity constraints.
|
||||||
|
nodeAffinity: {}
|
||||||
|
|
||||||
# -- Topology spread constraints.
|
# -- Topology spread constraints.
|
||||||
topologySpreadConstraints: []
|
topologySpreadConstraints: []
|
||||||
|
|
||||||
|
|
Loading…
Add table
Reference in a new issue