mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

Add security context and resource block to test (#4712)

* Add security context and resource block to test

Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com>
Signed-off-by: AddilAfzal <>

* Add comment to test security context

Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com>
Signed-off-by: AddilAfzal <>

* Add security context and resource block to other test container

Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com>
Signed-off-by: AddilAfzal <>

* fix: shutdown controllers workers gracefully (#4681)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: AddilAfzal <>

* fix: split webhook handlers per failure policy (#4650)

* fix: split webhook handlers per failure policy

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix handlers

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* rolling update

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* better error message

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: AddilAfzal <>

* refactor: use pod name as leader id (#4680)

* refactor: use pod name as leader id

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix manifests

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* makefile

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* leader client

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: AddilAfzal <>

* fix: missing client wrapper (#4703)

* fix: missing client wrapper

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* v1beta1

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* v1alpha2

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* policy report

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: AddilAfzal <>

* chore: refactor manifests related makefile targets (#4706)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: AddilAfzal <>

* fix: change key used in test (#4718)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: AddilAfzal <>

* Add changelog entry

Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com>

* Set user and group on test pod

Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com>

* fix docs

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* Move securityContext back to container level

Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com>

Signed-off-by: aaz10 <6935594+AddilAfzal@users.noreply.github.com>
Signed-off-by: AddilAfzal <>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: AddilAfzal <6935594+AddilAfzal@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: AddilAfzal <>
This commit is contained in:
Addil Afzal 2022-10-03 15:16:14 +01:00 committed by GitHub
parent 278dbba316
commit 5f3411e588
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 49 additions and 1 deletion

View file

@ -40,3 +40,5 @@ annotations:
description: Self signed certificates not using SANs.
- kind: added
description: Extra args support for init container.
- kind: added
description: Allow overriding of test security context and resource block.
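Review bot: the changelog entry does not name the values keys it introduces, so a user reading the release notes cannot find the knob; suggest `description: Add testSecurityContext and testResources values to override the test containers' security context and resource block.`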

View file

@ -84,6 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
| podAnnotations | object | `{}` | Additional annotations to add to each pod |
| podSecurityContext | object | `{}` | Security context for the pod |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| testSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
| priorityClassName | string | `""` | Optional priority class to be used for kyverno pods |
| antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
| podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
@ -105,6 +106,8 @@ The command removes all the Kubernetes components associated with the chart and
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| testResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| testResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
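Review bot: the descriptions for `testResources.limits` and `testResources.requests` read "Pod resource limits" / "Pod resource requests", but the block is rendered under each test container's `resources:` field, so these are per-container values (with two test containers the pod as a whole gets twice the amount). If this table is generated from the `# --` comments in values.yaml, fix the wording there and regenerate rather than editing the table by hand, otherwise the next regeneration reverts it.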

View file

@ -113,6 +113,14 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}
{{- define "kyverno.testSecurityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.testSecurityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.testSecurityContext }}
{{- end }}
{{- end }}
{{- define "kyverno.imagePullSecret" }}
{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
{{- end }}
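Review bot: the new `kyverno.testSecurityContext` helper hard-codes dropping `seccompProfile` on clusters below 1.19, so a user who overrides `testSecurityContext` with their own profile on such a cluster loses it silently; that is probably the intended behaviour but deserves a template comment. Rather than a second copy of the version gate, consider one helper that takes the security-context map as its argument (for example `include "kyverno.gatedSecurityContext" .Values.testSecurityContext`) so the main-container and test-container paths cannot drift apart.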

View file

@ -12,6 +12,12 @@ spec:
- name: wget
image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
{{- with .Values.testResources }}
resources: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.testSecurityContext }}
securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
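Review bot: with `readOnlyRootFilesystem: true` and uid 65534 now applied to the `wget` container by default, check that the `/bin/sh -c` body (cut off after `- -c` in this hunk) does not write to the root filesystem: busybox `wget URL` saves the response to a file in the working directory, so `wget -O - ...` or `wget --spider ...` is needed for the test to keep passing. Also note that `{{- if .Values.testSecurityContext }}` is false for an empty map, so `testSecurityContext: {}` removes the security context entirely; acceptable for an override knob, but worth saying in the values.yaml comment.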
@ -20,6 +26,12 @@ spec:
- name: wget-metrics
image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
{{- with .Values.testResources }}
resources: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.testSecurityContext }}
securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
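Review bot: these six `resources`/`securityContext` lines are a verbatim copy of the ones added to the `wget` container above; consider a named template (or a `range` over the two container specs) so the two containers stay in sync the next time either block is changed.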

View file

@ -87,6 +87,20 @@ securityContext:
seccompProfile:
type: RuntimeDefault
# -- Security context for the test containers
testSecurityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Optional priority class to be used for kyverno pods
priorityClassName: ''
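Review bot: keep `runAsUser: 65534` and `runAsGroup: 65534` in the defaults: with `runAsNonRoot: true` and the default `busybox` test image, which carries no `USER` and therefore runs as root, the kubelet refuses to start a container that sets `runAsNonRoot` without an explicit non-zero uid. The `# --` comment should say so, since a user who overrides `testImage` with an image that already sets a non-root `USER` may reasonably want to drop the explicit uid and should know what breaks if they also drop it for busybox.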
@ -197,6 +211,16 @@ initResources:
cpu: 10m
memory: 64Mi
testResources:
# -- Pod resource limits
limits:
cpu: 100m
memory: 256Mi
# -- Pod resource requests
requests:
cpu: 10m
memory: 64Mi
# -- Liveness probe.
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
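Review bot: the `# --` comments under `testResources` say "Pod resource limits" and "Pod resource requests", but the block is applied to each test container's `resources:` field, not to the pod; suggest `# -- Test container resource limits` and `# -- Test container resource requests`. Since these comments feed the README table, fixing them here corrects both places.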

View file

@ -218,7 +218,6 @@ func main() {
logger.Error(err, "Failed to create kubernetes leader client")
os.Exit(1)
}
// sanity checks
if !utils.CRDsInstalled(dynamicClient.Discovery()) {
logger.Error(fmt.Errorf("CRDs not installed"), "Failed to access Kyverno CRDs")
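Review bot: this hunk removes a single blank line from `main()` (the header goes from 7 lines to 6 and every line shown is unchanged context); it is unrelated to the Helm chart change and should be dropped or moved to its own commit so the PR stays scoped to the chart.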