
Recommanded Kubernetes labels and custom labels (#1873)

* Add: Recommended Kubernetes labels

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Add: feature to add custom labels to resources metadata

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Add: manage labels with Kustomize

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Add: app label

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Add: app label for chart

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Update: make kustomize-crds

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Update: refactoring labels

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Fix: clean kustomize code

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Fix: typo

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Update: application version v1.3.6

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>

* Update: version v1.3.6

Signed-off-by: Nicolas Lamirault <nicolas.lamirault@gmail.com>
This commit is contained in:
Nicolas Lamirault 2021-06-01 20:54:33 +02:00 committed by GitHub
parent d8ad5ba8c8
commit 62c4cd7e3d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
32 changed files with 2837 additions and 673 deletions


@ -68,6 +68,7 @@ The following table lists the configurable parameters of the kyverno chart and t
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
| `config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` |
| customLabels | object | `{}` | Additional labels |
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
| envVars | Extra environment variables to pass to kyverno | {} |
| `extraArgs` | list of extra arguments to give the binary | `[]` |
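Review bot: The new `customLabels` row does not follow this table's column layout — the surrounding rows are `| parameter | description | default |` with the parameter name and default in backticks, whereas the added row is the four-column helm-docs shape `| customLabels | object | {} | Additional labels |`, so it renders with a stray "object" cell and a misaligned description. Rewrite it in the table's own style as `| customLabels | additional labels added to the metadata of every chart resource | {} |`, putting the name and the `{}` default in backticks like the neighbouring rows. It would also help readers to say that the labels are emitted through the `kyverno.labels` helper, since that is where they take effect.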


@ -30,10 +30,16 @@ If release name contains chart name it will be used as a full name.
{{/* Helm required labels */}}
{{- define "kyverno.labels" -}}
app.kubernetes.io/name: {{ template "kyverno.name" . }}
helm.sh/chart: {{ template "kyverno.chart" . }}
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ template "kyverno.name" . }}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
app.kubernetes.io/version: "{{ .Chart.Version }}"
helm.sh/chart: {{ template "kyverno.chart" . }}
{{- if .Values.customLabels }}
{{ toYaml .Values.customLabels | indent 4 }}
{{- end }}
{{- end -}}
{{/* matchLabels */}}
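Review bot: `{{ toYaml .Values.customLabels | indent 4 }}` renders the custom labels four columns deeper than the standard keys emitted just above it inside the same `kyverno.labels` block, and every caller then applies its own `nindent 4` (or `nindent 8` for the Deployment pod template), so in the rendered manifest the custom keys sit at 8 or 12 spaces under a sibling that is at 4 or 8 — YAML does not read that as additional labels. Drop the inner indent and let the include's nindent align the block: `{{ toYaml .Values.customLabels }}`. Separately, a custom label whose key equals one of the standard keys above it produces a duplicate key in the rendered document, which most loaders resolve silently as last-wins; a short comment next to `customLabels` in values.yaml, e.g. `# keys that collide with app.kubernetes.io/* are not rejected`, would make that explicit.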


@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# Dynamic creation of webhooks, events & certs
- apiGroups:
@ -48,6 +50,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# get the roleRef for incoming api-request user
- apiGroups:
@ -67,6 +71,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:customresources
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# Kyverno CRs
- apiGroups:
@ -105,6 +111,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:policycontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# background processing, identify all existing resources
- apiGroups:
@ -121,6 +129,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:generatecontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# process generate rules to generate resources
- apiGroups:
@ -154,9 +164,10 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: {{ template "kyverno.fullname" . }}:admin-policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
rules:
- apiGroups:
- kyverno.io
@ -169,8 +180,9 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-policyreport
rules:
- apiGroups:
@ -184,8 +196,9 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest
rules:
- apiGroups:
@ -194,4 +207,4 @@ rules:
- reportchangerequests
- clusterreportchangerequests
verbs:
- "*"
- "*"
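Review bot: `app: kyverno` is typed by hand directly under the `{{ include "kyverno.labels" . | nindent 4 }}` line in every metadata block of this file (five ClusterRoles plus the three aggregate-to-admin roles), and the same copy appears in clusterrolebinding.yaml, configmap.yaml, deployment.yaml, secret.yaml, service.yaml, serviceaccount.yaml and each of the pod-security policy templates in this commit; one missed copy leaves a resource without the label, and nothing checks for that. Since the commit already reshapes `kyverno.labels` in _helpers.tpl, emitting `app: kyverno` from that helper would reduce each site to the single line `labels: {{ include "kyverno.labels" . | nindent 4 }}`. The indentation of the added lines is not visible on this rendered page, so this is a point of style rather than a claim that they are misaligned; the last hunk of the file (`- "*"`) appears to be a whitespace-only change.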


@ -3,6 +3,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -16,6 +18,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -29,6 +33,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:customresources
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -42,6 +48,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:policycontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -55,6 +63,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:generatecontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole


@ -3,6 +3,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
name: {{ template "kyverno.configMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
data:


@ -3,14 +3,17 @@ kind: Deployment
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
namespace: {{ template "kyverno.namespace" . }}
spec:
selector:
matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
app: kyverno
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels: {{ include "kyverno.labels" . | nindent 8 }}
app: kyverno
{{- range $key, $value := .Values.podLabels }}
{{ $key }}: {{ $value }}
{{- end }}
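Review bot: The `app: kyverno` line placed right after `matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}` appears to be one of this hunk's three additions, which means the Deployment's `spec.selector` changes; that field is immutable on apps/v1 Deployments, so a `helm upgrade` from a release whose selector did not already contain this key is rejected by the API server with a field-is-immutable error rather than rolled out. Adding the label to `metadata.labels` and to the pod template labels is fine (the template change just triggers a rollout), so the safe form is to leave the selector as it was: `matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}` with nothing appended. If the selector change is intended, the chart's upgrade notes need to say that the Deployment must be deleted and recreated.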


@ -12,6 +12,8 @@ metadata:
policies.kyverno.io/description: >-
Capabilities permit privileged actions without giving full root access.
Adding capabilities beyond the default set must not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -13,6 +13,8 @@ metadata:
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should not be allowed access to host namespaces.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -13,6 +13,8 @@ metadata:
HostPath volumes let pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
and should not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -12,6 +12,8 @@ metadata:
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -11,6 +11,8 @@ metadata:
{{- end }}
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -11,6 +11,8 @@ metadata:
{{- end }}
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -12,6 +12,8 @@ metadata:
{{- end }}
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -14,6 +14,8 @@ metadata:
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict
overrides to an allowed set of profiles.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -14,6 +14,8 @@ metadata:
host, and should be disallowed except for an allowed "safe" subset. A
sysctl is considered safe if it is namespaced in the container or the
Pod, and it is isolated from other Pods or processes on the same Node.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true


@ -11,6 +11,8 @@ metadata:
{{- end }}
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}


@ -11,6 +11,8 @@ metadata:
{{- end }}
policies.kyverno.io/description: >-
Containers should be forbidden from running with a root primary or supplementary GID.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}


@ -10,6 +10,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: Containers must be required to run as non-root users.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}


@ -13,6 +13,8 @@ metadata:
policies.kyverno.io/description: >-
The runtime default seccomp profile must be required, or only specific
additional profiles should be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}


@ -12,6 +12,8 @@ metadata:
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}


@ -6,6 +6,7 @@ kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
data:
rootCA.crt: {{ $ca.Cert | b64enc }}
---
@ -14,6 +15,7 @@ kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
annotations:
self-signed-cert: "true"
type: kubernetes.io/tls


@ -3,6 +3,7 @@ kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.service.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@ -24,4 +25,5 @@ spec:
nodePort: {{ .Values.service.metricsNodePort }}
{{- end }}
selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
app: kyverno
type: {{ .Values.service.type }}


@ -4,6 +4,7 @@ kind: ServiceAccount
metadata:
name: {{ template "kyverno.serviceAccountName" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
{{- if .Values.rbac.serviceAccount.annotations }}
annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
{{- end }}


@ -12,6 +12,9 @@ podSecurityPolicies: []
# For more info- https://kyverno.io/docs/writing-policies/validate/
validationFailureAction: audit
# -- Additional labels
customLabels: {}
rbac:
create: true
serviceAccount:



@ -2,6 +2,8 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -15,6 +17,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -28,6 +32,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -41,6 +47,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -54,6 +62,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io


@ -2,16 +2,17 @@
kind: Namespace
apiVersion: v1
metadata:
name: "kyverno"
labels:
app: kyverno
name: kyverno
---
apiVersion: v1
kind: Service
metadata:
namespace: kyverno
name: kyverno-svc
labels:
app: kyverno
app.kubernetes.io/name: kyverno
namespace: kyverno
name: kyverno-svc
spec:
ports:
- port: 443
@ -22,17 +23,20 @@ spec:
targetPort: metrics-port
selector:
app: kyverno
app.kubernetes.io/name: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: kyverno
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:webhook
rules:
# Dynamic creation of webhooks, events & certs
@ -78,6 +82,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:userinfo
rules:
# get the roleRef for incoming api-request user
@ -97,6 +103,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:customresources
rules:
# Kyverno CRs
@ -135,6 +143,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
rules:
# background processing, identify all existing resources
@ -151,6 +161,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
rules:
# process generate rules to generate resources
@ -182,6 +194,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
@ -197,6 +210,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
@ -212,6 +226,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:


@ -4,5 +4,7 @@ data:
excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
kind: ConfigMap
metadata:
labels:
app: kyverno
name: init-config
namespace: kyverno


@ -1,10 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- labels.yaml
resources:
- ./crds/
- ./manifest/
- ./k8s-resource/
images:
- name: ghcr.io/kyverno/kyverno
newName: ghcr.io/kyverno/kyverno

definitions/labels.yaml Normal file

@ -0,0 +1,18 @@
---
apiVersion: builtin
kind: LabelTransformer
metadata:
name: labelTransformer
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6-rc1
fieldSpecs:
- path: metadata/labels
create: true
- kind: Deployment
path: spec/template/metadata/labels
create: true
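Review bot: `app.kubernetes.io/version: v1.3.6-rc1` is a hand-maintained constant that this transformer stamps onto every resource and onto the Deployment pod template, while the commit message describes the release as v1.3.6 and the image reference lives in the `images:` entry of kustomization.yaml; the two will drift on the next bump unless whatever updates the image tag also updates this file. A comment above the label saying where it must be kept in sync, e.g. `# keep in sync with the image tag in kustomization.yaml and the chart's appVersion`, would reduce that risk. The fieldSpecs also leave `spec/selector/matchLabels` untouched, which — intended or not — is what keeps the Deployment selector stable across upgrades; a one-line comment on the Deployment entry, `# selector is immutable; labels are added to the pod template only`, would stop a later change from "completing" the list.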


@ -2,22 +2,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: kyverno
name: kyverno
labels:
app: kyverno
app.kubernetes.io/name: kyverno
namespace: kyverno
name: kyverno
spec:
selector:
matchLabels:
app: kyverno
app.kubernetes.io/name: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
spec:
serviceAccountName: kyverno-service-account
securityContext:
