mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

fix: improve reports controller default values and workers (#6522)

* fix: improve reports controller default values and worker

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* nits

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-03-10 10:39:20 +01:00 committed by GitHub
parent 0fb8c723fe
commit 6abc7f2e03
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 37 additions and 26 deletions


@ -359,7 +359,7 @@ The command removes all the Kubernetes components associated with the chart and
| reportsController.priorityClassName | string | `""` | Optional priority class |
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| reportsController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line |
| reportsController.extraArgs | object | `{"clientRateLimitBurst":100,"clientRateLimitQPS":300}` | Extra arguments passed to the container on the command line |
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |
@ -376,7 +376,7 @@ The command removes all the Kubernetes components associated with the chart and
| reportsController.metricsService.create | bool | `true` | Create service. |
| reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
| reportsController.metricsService.type | string | `"ClusterIP"` | Service type. |
| reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
| reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
| reportsController.metricsService.annotations | object | `{}` | Service annotations. |
| reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
| reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
@ -388,13 +388,13 @@ The command removes all the Kubernetes components associated with the chart and
| reportsController.tracing.enabled | bool | `false` | Enable tracing |
| reportsController.tracing.address | string | `nil` | Traces receiver address |
| reportsController.tracing.port | string | `nil` | Traces receiver port |
| reportsController.tracing.creds | string | `""` | Traces receiver credentials |
| reportsController.tracing.creds | string | `nil` | Traces receiver credentials |
| reportsController.logging.format | string | `"text"` | Logging format |
| reportsController.metering.disabled | bool | `false` | Disable metrics export |
| reportsController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
| reportsController.metering.port | int | `8000` | Prometheus endpoint port |
| reportsController.metering.collector | string | `""` | Otel collector endpoint |
| reportsController.metering.creds | string | `""` | Otel collector credentials |
| reportsController.metering.collector | string | `nil` | Otel collector endpoint |
| reportsController.metering.creds | string | `nil` | Otel collector credentials |
| backgroundController.enabled | bool | `true` | Enable background controller. |
| backgroundController.rbac.create | bool | `true` | Create RBAC resources |
| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |


@ -99,8 +99,10 @@ spec:
- --transportCreds={{ . }}
{{- end }}
{{- end }}
{{- range .Values.reportsController.extraArgs }}
- {{ . }}
{{- range $key, $value := .Values.reportsController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- end }}
{{- end }}
env:
- name: METRICS_CONFIG
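Review bot: The `{{- if $value }}` guard drops every falsy value, so an entry such as `someFlag: false` or a numeric `0` renders no argument at all and the binary's built-in default silently wins; an operator cannot use `extraArgs` to switch a default-on option off. Testing for nil instead, e.g. `{{- if not (kindIs "invalid" $value) }}`, would skip only unset keys. Separately, a values file that still passes the old list form will be ranged with the index as `$key` and render something like `--0=--enablePolicyException`, so a `kindIs "slice"` branch or a `fail` with a clear message would surface the breaking change at render time instead of at container start.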


@ -825,7 +825,9 @@ reportsController:
dnsPolicy: ClusterFirst
# -- Extra arguments passed to the container on the command line
extraArgs: []
extraArgs:
clientRateLimitQPS: 300
clientRateLimitBurst: 100
resources:
# -- Pod resource limits
@ -945,9 +947,9 @@ reportsController:
port: 8000
# -- Service type.
type: ClusterIP
# -- Service node port.
# Only used if `metricsService.type` is `NodePort`.
nodePort:
# -- (string) Service node port.
# Only used if `type` is `NodePort`.
nodePort: ~
# -- Service annotations.
annotations: {}
@ -958,7 +960,7 @@ reportsController:
additionalLabels: {}
# -- (string) Override namespace
namespace: ~
# -- Interval to scrape metrics
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
@ -970,12 +972,12 @@ reportsController:
tracing:
# -- Enable tracing
enabled: false
# -- Traces receiver address
address:
# -- Traces receiver port
port:
# -- Traces receiver credentials
creds: ''
# -- (string) Traces receiver address
address: ~
# -- (string) Traces receiver port
port: ~
# -- (string) Traces receiver credentials
creds: ~
logging:
# -- Logging format
@ -988,10 +990,10 @@ reportsController:
config: prometheus
# -- Prometheus endpoint port
port: 8000
# -- Otel collector endpoint
collector: ''
# -- Otel collector credentials
creds: ''
# -- (string) Otel collector endpoint
collector: ~
# -- (string) Otel collector credentials
creds: ~
# Background controller configuration
backgroundController:
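Review bot: The `extraArgs` comment in the first hunk still describes a free-form argument list, while the new default is a map whose keys become flag names. I would extend it to something like `# -- Extra arguments passed to the container on the command line, as a map of flag name (without the leading --) to value; entries with an empty value are omitted`, so that users migrating from the list form see the new shape in the generated docs. It may also be worth a short comment on why `clientRateLimitBurst` (100) is set below `clientRateLimitQPS` (300), since burst is more commonly the larger of the two.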


@ -26,7 +26,7 @@ import (
const (
// Workers is the number of workers for this controller
Workers = 2
Workers = 10
ControllerName = "admission-report-controller"
maxRetries = 10
deletionGrace = time.Minute * 2
@ -241,6 +241,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
if !found {
return c.cleanupReports(ctx, "", "", reports...)
}
quit := false
// set orphan reports an owner
for _, report := range reports {
if len(report.GetOwnerReferences()) == 0 {
@ -249,10 +250,16 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
return err
}
controllerutils.SetOwner(report, gvk.GroupVersion().String(), gvk.Kind, resource.Name, uid)
_, err = reportutils.UpdateReport(ctx, report, c.client)
return err
if _, err = reportutils.UpdateReport(ctx, report, c.client); err != nil {
return err
}
quit = true
}
}
// if one report was updated we can quit, reconcile will be triggered again because uid was queued
if quit {
return nil
}
// build an aggregated report
return c.aggregateReports(ctx, uid, gvk, resource, reports...)
}
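Review bot: The early `return nil` after the loop skips `aggregateReports` and relies entirely on another reconcile being triggered for the same uid, but nothing in this hunk shows what enqueues it. If the requeue comes from the update event on the report, the comment should say so, e.g. `// an owner was set on at least one report; the resulting update event re-queues uid and aggregation happens on that pass`, and a more descriptive flag name than `quit` (for example `ownerUpdated`) would make the intent readable at the declaration. If that requeue is not guaranteed (the event handler is outside the hunk, so this is inferred), enqueueing explicitly would avoid reports that receive an owner but are never aggregated. The body of `reconcile` begins outside the hunk.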


@ -20,7 +20,7 @@ cleanupController:
reportsController:
extraArgs:
- --enablePolicyException
enablePolicyException: true
backgroundController:
rbac: