diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 25dbe344b1..48ed8b51d0 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -728,72 +728,6 @@ The chart values are organised per component. | Key | Type | Default | Description | |-----|------|---------|-------------| -| cleanupJobs.updateRequests.enabled | bool | `false` | Enable cleanup cronjob | -| cleanupJobs.updateRequests.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. | -| cleanupJobs.updateRequests.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted | -| cleanupJobs.updateRequests.image.registry | string | `nil` | Image registry | -| cleanupJobs.updateRequests.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.updateRequests.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.updateRequests.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.updateRequests.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.updateRequests.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.updateRequests.threshold | int | `10000` | Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them | -| cleanupJobs.updateRequests.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.updateRequests.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.updateRequests.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.updateRequests.priorityClassName | string | `""` | Pod PriorityClassName | -| cleanupJobs.updateRequests.resources | object | `{}` | Job resources | -| cleanupJobs.updateRequests.tolerations | list | `[]` | List of node taints to tolerate | -| 
cleanupJobs.updateRequests.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.updateRequests.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.updateRequests.podLabels | object | `{}` | Pod labels | -| cleanupJobs.updateRequests.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.updateRequests.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.updateRequests.nodeAffinity | object | `{}` | Node affinity constraints. | -| cleanupJobs.ephemeralReports.enabled | bool | `false` | Enable cleanup cronjob | -| cleanupJobs.ephemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. | -| cleanupJobs.ephemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted | -| cleanupJobs.ephemeralReports.image.registry | string | `nil` | Image registry | -| cleanupJobs.ephemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.ephemeralReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.ephemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.ephemeralReports.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.ephemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.ephemeralReports.threshold | int | `10000` | Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them | -| cleanupJobs.ephemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.ephemeralReports.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.ephemeralReports.securityContext | object | 
`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.ephemeralReports.priorityClassName | string | `""` | Pod PriorityClassName | -| cleanupJobs.ephemeralReports.resources | object | `{}` | Job resources | -| cleanupJobs.ephemeralReports.tolerations | list | `[]` | List of node taints to tolerate | -| cleanupJobs.ephemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.ephemeralReports.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.ephemeralReports.podLabels | object | `{}` | Pod labels | -| cleanupJobs.ephemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.ephemeralReports.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.ephemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. | -| cleanupJobs.clusterEphemeralReports.enabled | bool | `false` | Enable cleanup cronjob | -| cleanupJobs.clusterEphemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. 
| -| cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted | -| cleanupJobs.clusterEphemeralReports.image.registry | string | `nil` | Image registry | -| cleanupJobs.clusterEphemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.clusterEphemeralReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.clusterEphemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.clusterEphemeralReports.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.clusterEphemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.clusterEphemeralReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them | -| cleanupJobs.clusterEphemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.clusterEphemeralReports.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.clusterEphemeralReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.clusterEphemeralReports.priorityClassName | string | `""` | Pod PriorityClassName | -| cleanupJobs.clusterEphemeralReports.resources | object | `{}` | Job resources | -| cleanupJobs.clusterEphemeralReports.tolerations | list | `[]` | List of node taints to tolerate | -| cleanupJobs.clusterEphemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.clusterEphemeralReports.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.clusterEphemeralReports.podLabels | object | `{}` | Pod Labels | -| 
cleanupJobs.clusterEphemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.clusterEphemeralReports.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.clusterEphemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. | ### Other diff --git a/charts/kyverno/ci/cleanupJobs-values.yaml b/charts/kyverno/ci/cleanupJobs-values.yaml deleted file mode 100644 index 6490a11c1d..0000000000 --- a/charts/kyverno/ci/cleanupJobs-values.yaml +++ /dev/null @@ -1,31 +0,0 @@ -cleanupJobs: - ephemeralReports: - enabled: true - nodeSelector: - kubernetes.io/os: linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup - topologyKey: kubernetes.io/hostname - clusterEphemeralReports: - enabled: true - nodeSelector: - kubernetes.io/os: linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup - topologyKey: kubernetes.io/hostname diff --git a/charts/kyverno/templates/cleanup/_helpers.tpl b/charts/kyverno/templates/cleanup/_helpers.tpl deleted file mode 100644 index a1b70cb339..0000000000 --- a/charts/kyverno/templates/cleanup/_helpers.tpl +++ /dev/null @@ -1,9 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.cleanup.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "cleanup") -) -}} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml deleted file mode 100644 index 1b8ab312e7..0000000000 
--- a/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml
+++ /dev/null
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.clusterEphemeralReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-cluster-ephemeral-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.clusterEphemeralReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.backoffLimit }} - {{- if .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.clusterEphemeralReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.clusterEphemeralReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.priorityClassName }} - priorityClassName: {{ . 
}} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.clusterEphemeralReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.clusterEphemeralReports.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterEphemeralReports.threshold }} ]; then - echo "too many clusterephemeralreports found ($COUNT), cleaning up..." - kubectl delete clusterephemeralreports.reports.kyverno.io -A --all - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.clusterEphemeralReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.clusterEphemeralReports.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity .Values.cleanupJobs.clusterEphemeralReports.podAffinity .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) 
$ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml deleted file mode 100644 index 33a7c5ead1..0000000000 --- a/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.ephemeralReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-ephemeral-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.ephemeralReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.ephemeralReports.backoffLimit }} - {{- if .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.ephemeralReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.ephemeralReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.ephemeralReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.ephemeralReports.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.ephemeralReports.threshold }} ]; then - echo "too many ephemeralreports found ($COUNT), cleaning up..." 
- kubectl delete ephemeralreports.reports.kyverno.io -A --all - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.ephemeralReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.ephemeralReports.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.ephemeralReports.podAntiAffinity .Values.cleanupJobs.ephemeralReports.podAffinity .Values.cleanupJobs.ephemeralReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.ephemeralReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml b/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml deleted file mode 100644 index 9344354fae..0000000000 --- a/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.updateRequests.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-update-requests - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.updateRequests.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.updateRequests.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.updateRequests.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.updateRequests.backoffLimit }} - {{- if .Values.cleanupJobs.updateRequests.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.updateRequests.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.updateRequests.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.updateRequests.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.updateRequests.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.updateRequests.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get updaterequests.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.updateRequests.threshold }} ]; then - echo "too many updaterequests found ($COUNT), cleaning up..." 
- kubectl delete updaterequests.kyverno.io --all -n kyverno - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.updateRequests.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.updateRequests.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.updateRequests.podAntiAffinity .Values.cleanupJobs.updateRequests.podAffinity .Values.cleanupJobs.updateRequests.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.updateRequests.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/clusterrole.yaml b/charts/kyverno/templates/cleanup/clusterrole.yaml deleted file mode 100644 index 094328dbc2..0000000000 --- a/charts/kyverno/templates/cleanup/clusterrole.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.name" . }}:cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - list - - deletecollection - - delete - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - list - - deletecollection - - delete diff --git a/charts/kyverno/templates/cleanup/clusterrolebinding.yaml b/charts/kyverno/templates/cleanup/clusterrolebinding.yaml deleted file mode 100644 index a3cbb11e4a..0000000000 --- a/charts/kyverno/templates/cleanup/clusterrolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.name" . }}:cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.name" . }}:cleanup-jobs -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} diff --git a/charts/kyverno/templates/cleanup/serviceaccount.yaml b/charts/kyverno/templates/cleanup/serviceaccount.yaml deleted file mode 100644 index f93bdc2e6e..0000000000 --- a/charts/kyverno/templates/cleanup/serviceaccount.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} 
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 02de664dfe..052b8c32d5 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -681,249 +681,6 @@ features: # -- (string) Tuf mirror mirror: ~ -# Cleanup cronjobs to prevent internal resources from stacking up in the cluster -cleanupJobs: - - updateRequests: - - # -- Enable cleanup cronjob - enabled: false - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. - backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - ephemeralReports: - - # -- Enable cleanup cronjob - enabled: false - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. 
- backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - clusterEphemeralReports: - - # -- Enable cleanup cronjob - enabled: false - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. 
- backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod Labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - # Admission controller configuration admissionController: diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 8661a019c1..99624fe34b 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -43,16 +43,6 @@ metadata: --- apiVersion: v1 kind: ServiceAccount -metadata: - name: kyverno-cleanup-jobs - namespace: kyverno - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest ---- -apiVersion: v1 -kind: ServiceAccount metadata: name: kyverno-reports-controller namespace: kyverno @@ -43996,33 +43986,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - name: kyverno:cleanup-jobs - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - list - - deletecollection - - delete - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - list - - deletecollection - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: name: kyverno:rbac:admin:policies labels: @@ -44369,23 +44332,6 @@ subjects: --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:cleanup-jobs - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:cleanup-jobs -subjects: - - kind: ServiceAccount - name: kyverno-cleanup-jobs - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kyverno:reports-controller labels: