From 60653eb6204b1dc6f128dc6351afc56466b9333f Mon Sep 17 00:00:00 2001 From: Adam Kosmin Date: Tue, 16 Mar 2021 17:11:04 -0400 Subject: [PATCH] support envVars with sane default (#1715) Co-authored-by: windowsrefund --- charts/kyverno/README.md | 98 ++++++++++++------------ charts/kyverno/templates/deployment.yaml | 4 + charts/kyverno/values.yaml | 2 + 3 files changed, 56 insertions(+), 48 deletions(-) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 07fb94d74e..4d73304eb8 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -2,11 +2,11 @@ [Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. It allows you to: -* Manage policies as Kubernetes resources (no new language required.) -* Validate, mutate, and generate resource configurations. -* Select resources based on labels and wildcards. -* View policy enforcement as events. -* Scan existing resources for violations. +- Manage policies as Kubernetes resources (no new language required.) +- Validate, mutate, and generate resource configurations. +- Select resources based on labels and wildcards. +- View policy enforcement as events. +- Scan existing resources for violations. Access the complete user documentation and guides at: https://kyverno.io. 
@@ -62,48 +62,49 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the kyverno chart and their default values. -Parameter | Description | Default ---- | --- | --- -`affinity` | node/pod affinities | `nil` -`createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` -`config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` -`config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` -`dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` -`extraArgs` | list of extra arguments to give the binary | `[]` -`fullnameOverride` | override the expanded name of the chart | `nil` -`generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` -`hostNetwork` | Use the host network's namespace. 
Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` -`image.pullPolicy` | Image pull policy | `IfNotPresent` -`image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) -`image.repository` | Image repository | `ghcr.io/kyverno/kyverno` -`image.tag` | Image tag | `nil` -`initImage.pullPolicy` | Init image pull policy | `nil` -`initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` -`initImage.tag` | Init image tag | `nil` -`livenessProbe` | liveness probe configuration | `{}` -`nameOverride` | override the name of the chart | `nil` -`namespace` | namespace the chart deploy to | `nil` -`nodeSelector` | node labels for pod assignment | `{}` -`podAnnotations` | annotations to add to each pod | `{}` -`podLabels` | additional labels to add to each pod | `{}` -`podSecurityContext` | security context for the pod | `{}` -`priorityClassName` | priorityClassName | `nil` -`rbac.create` | create cluster roles, cluster role bindings, and service account | `true` -`rbac.serviceAccount.create` | create a service account | `true` -`rbac.serviceAccount.name` | the service account name | `nil` -`rbac.serviceAccount.annotations` | annotations for the service account | `{}` -`readinessProbe` | readiness probe configuration | `{}` -`replicaCount` | desired number of pods | `1` -`resources` | pod resource requests & limits | `{}` -`service.annotations` | annotations to add to the service | `{}` -`service.nodePort` | node port | `nil` -`service.port` | port for the service | `443` -`service.type` | type of service | `ClusterIP` -`tolerations` | list of node taints to tolerate | `[]` -`securityContext` | security context configuration | `{}` -`podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. 
See: https://kyverno.io/policies/pod-security/ | `default` -`podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` -`validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` +| Parameter | Description | Default | +| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `affinity` | node/pod affinities | `nil` | +| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` | +| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` | +| `config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` | +| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. 
For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` | +| envVars | Extra environment variables to pass to kyverno | {} | +| `extraArgs` | list of extra arguments to give the binary | `[]` | +| `fullnameOverride` | override the expanded name of the chart | `nil` | +| `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` | +| `hostNetwork` | Use the host network's namespace. Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) | +| `image.repository` | Image repository | `ghcr.io/kyverno/kyverno` | +| `image.tag` | Image tag | `nil` | +| `initImage.pullPolicy` | Init image pull policy | `nil` | +| `initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` | +| `initImage.tag` | Init image tag | `nil` | +| `livenessProbe` | liveness probe configuration | `{}` | +| `nameOverride` | override the name of the chart | `nil` | +| `namespace` | namespace the chart deploy to | `nil` | +| `nodeSelector` | node labels for pod assignment | `{}` | +| `podAnnotations` | annotations to add to each pod | `{}` | +| `podLabels` | additional labels to add to each pod | `{}` | +| `podSecurityContext` | security context for the pod | `{}` | +| `priorityClassName` | priorityClassName | `nil` | +| `rbac.create` | create cluster roles, cluster role bindings, and service account | `true` | +| `rbac.serviceAccount.create` | create a service account | `true` | +| `rbac.serviceAccount.name` | the service account name | `nil` | +| `rbac.serviceAccount.annotations` | annotations for the service account | `{}` | +| `readinessProbe` | readiness probe configuration | `{}` | +| `replicaCount` | desired number of pods | `1` | +| `resources` | pod 
resource requests & limits | `{}` | +| `service.annotations` | annotations to add to the service | `{}` | +| `service.nodePort` | node port | `nil` | +| `service.port` | port for the service | `443` | +| `service.type` | type of service | `ClusterIP` | +| `tolerations` | list of node taints to tolerate | `[]` | +| `securityContext` | security context configuration | `{}` | +| `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default` | +| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` | +| `validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, @@ -128,4 +129,5 @@ If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and ## Kyverno CLI -See: https://kyverno.io/docs/kyverno-cli/ \ No newline at end of file +See: https://kyverno.io/docs/kyverno-cli/ + diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml index 1afcfbdc02..5c09dc2c5d 100644 --- a/charts/kyverno/templates/deployment.yaml +++ b/charts/kyverno/templates/deployment.yaml @@ -61,6 +61,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- with .Values.envVars }} + env: + {{- toYaml . | nindent 14 }} + {{- end }} containers: - name: kyverno image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index a868132b48..5cc596a478 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -57,6 +57,8 @@ hostNetwork: false # for further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy dnsPolicy: "ClusterFirst" +envVars: {} + extraArgs: [] # - --webhooktimeout=4
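Review bot: the first README hunk only swaps the list marker from `*` to `-` in the chart introduction and has nothing to do with the `envVars` feature named in the subject; consider moving it to a separate commit so the functional change in this PR stays small and reviewable.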
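Review bot: in the README parameter table, the new `envVars` row is the only one whose parameter name and default are not wrapped in backticks (`| envVars | Extra environment variables to pass to kyverno | {} |` versus `| \`extraArgs\` | ... | \`[]\` |` on the next row), and the description does not say what shape the value must have. Since the template feeds the value through `toYaml` under an `env:` key, the row should state that it is a list of container env entries (`name`/`value` or `valueFrom`) and its default should match whatever `values.yaml` ships. Re-padding every row of the table to fixed column widths also turns a one-line addition into a rewrite of the whole table, which hides the real change in the diff.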
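Review bot: the `deployment.yaml` hunk inserts the new `env:` block after the context lines `valueFrom: fieldRef: fieldPath: metadata.namespace` and before `containers:`, so it lands on the init container, not on the `kyverno` container that follows, even though the subject and README say the variables are "to pass to kyverno". The preceding context is itself an env entry of that init container, so when `envVars` is set the rendered manifest would carry two `env` keys in the same container mapping, which YAML parsers reject or silently collapse. Move the block under `- name: kyverno` (after its existing `env:` entries, or merge it into that list) and re-check that the indentation of `env:` and the `nindent 14` value match the container's key level there.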
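Review bot: `envVars: {}` in `values.yaml` declares a map default for a value that is rendered into a list (`env:` expects `- name: ...` entries). The empty map is harmless because `{{- with }}` skips it, but a user who follows that hint and supplies `envVars: { FOO: bar }` gets `FOO: bar` emitted under `env:` and an invalid pod spec. Use `envVars: []` and add a commented example in the same style as the `extraArgs` entry just below it, for example `# - name: FOO` followed by `#   value: bar`, so the expected list shape is visible in the defaults file.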