mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

Remove cleanup cronjobs for updaterequests and ephemeralreports (#10760)

Browse source 
* Remove cleanup cronjobs for updaterequests and ephemeralreports

Signed-off-by: justusbunsi <61625851+justusbunsi@users.noreply.github.com>

* Cleanup Chart readme

Signed-off-by: justusbunsi <61625851+justusbunsi@users.noreply.github.com>

* Run `make codegen-manifest-all`

Signed-off-by: justusbunsi <61625851+justusbunsi@users.noreply.github.com>

---------

Signed-off-by: justusbunsi <61625851+justusbunsi@users.noreply.github.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
This commit is contained in:
Steven Kriegler 2024-08-06 09:41:04 +02:00 committed by GitHub
parent c0cf6c5bf1
commit 75fb7e1d1a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 0 additions and 721 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
charts/kyverno/README.md
View file

@ -728,72 +728,6 @@ The chart values are organised per component.
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| cleanupJobs.updateRequests.enabled | bool | `false` | Enable cleanup cronjob |
| cleanupJobs.updateRequests.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.updateRequests.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
| cleanupJobs.updateRequests.image.registry | string | `nil` | Image registry |
| cleanupJobs.updateRequests.image.repository | string | `"bitnami/kubectl"` | Image repository |
| cleanupJobs.updateRequests.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
| cleanupJobs.updateRequests.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| cleanupJobs.updateRequests.imagePullSecrets | list | `[]` | Image pull secrets |
| cleanupJobs.updateRequests.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
| cleanupJobs.updateRequests.threshold | int | `10000` | Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them |
| cleanupJobs.updateRequests.history | object | `{"failure":1,"success":1}` | Cronjob history |
| cleanupJobs.updateRequests.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupJobs.updateRequests.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.updateRequests.priorityClassName | string | `""` | Pod PriorityClassName |
| cleanupJobs.updateRequests.resources | object | `{}` | Job resources |
| cleanupJobs.updateRequests.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupJobs.updateRequests.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupJobs.updateRequests.podAnnotations | object | `{}` | Pod Annotations |
| cleanupJobs.updateRequests.podLabels | object | `{}` | Pod labels |
| cleanupJobs.updateRequests.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| cleanupJobs.updateRequests.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupJobs.updateRequests.nodeAffinity | object | `{}` | Node affinity constraints. |
| cleanupJobs.ephemeralReports.enabled | bool | `false` | Enable cleanup cronjob |
| cleanupJobs.ephemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.ephemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
| cleanupJobs.ephemeralReports.image.registry | string | `nil` | Image registry |
| cleanupJobs.ephemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
| cleanupJobs.ephemeralReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
| cleanupJobs.ephemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| cleanupJobs.ephemeralReports.imagePullSecrets | list | `[]` | Image pull secrets |
| cleanupJobs.ephemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
| cleanupJobs.ephemeralReports.threshold | int | `10000` | Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them |
| cleanupJobs.ephemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
| cleanupJobs.ephemeralReports.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupJobs.ephemeralReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.ephemeralReports.priorityClassName | string | `""` | Pod PriorityClassName |
| cleanupJobs.ephemeralReports.resources | object | `{}` | Job resources |
| cleanupJobs.ephemeralReports.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupJobs.ephemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupJobs.ephemeralReports.podAnnotations | object | `{}` | Pod Annotations |
| cleanupJobs.ephemeralReports.podLabels | object | `{}` | Pod labels |
| cleanupJobs.ephemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| cleanupJobs.ephemeralReports.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupJobs.ephemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. |
| cleanupJobs.clusterEphemeralReports.enabled | bool | `false` | Enable cleanup cronjob |
| cleanupJobs.clusterEphemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. |
| cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted |
| cleanupJobs.clusterEphemeralReports.image.registry | string | `nil` | Image registry |
| cleanupJobs.clusterEphemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
| cleanupJobs.clusterEphemeralReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
| cleanupJobs.clusterEphemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| cleanupJobs.clusterEphemeralReports.imagePullSecrets | list | `[]` | Image pull secrets |
| cleanupJobs.clusterEphemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
| cleanupJobs.clusterEphemeralReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
| cleanupJobs.clusterEphemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
| cleanupJobs.clusterEphemeralReports.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupJobs.clusterEphemeralReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.clusterEphemeralReports.priorityClassName | string | `""` | Pod PriorityClassName |
| cleanupJobs.clusterEphemeralReports.resources | object | `{}` | Job resources |
| cleanupJobs.clusterEphemeralReports.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupJobs.clusterEphemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupJobs.clusterEphemeralReports.podAnnotations | object | `{}` | Pod Annotations |
| cleanupJobs.clusterEphemeralReports.podLabels | object | `{}` | Pod Labels |
| cleanupJobs.clusterEphemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
| cleanupJobs.clusterEphemeralReports.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupJobs.clusterEphemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. |
### Other ### Other

31
charts/kyverno/ci/cleanupJobs-values.yaml
View file

@ -1,31 +0,0 @@
cleanupJobs:
ephemeralReports:
enabled: true
nodeSelector:
kubernetes.io/os: linux
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- cleanup
topologyKey: kubernetes.io/hostname
clusterEphemeralReports:
enabled: true
nodeSelector:
kubernetes.io/os: linux
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- cleanup
topologyKey: kubernetes.io/hostname

9
charts/kyverno/templates/cleanup/_helpers.tpl
View file

@ -1,9 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.cleanup.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "cleanup")
) -}}
{{- end -}}

91
charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml
View file

@ -1,91 +0,0 @@
{{- if .Values.cleanupJobs.clusterEphemeralReports.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "kyverno.name" . }}-cleanup-cluster-ephemeral-reports
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup.labels" . | nindent 4 }}
spec:
schedule: {{ .Values.cleanupJobs.clusterEphemeralReports.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.success }}
failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.failure }}
jobTemplate:
spec:
backoffLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.backoffLimit }}
{{- if .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
{{- with .Values.cleanupJobs.clusterEphemeralReports.podAnnotations }}
annotations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterEphemeralReports.podLabels }}
labels:
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
{{- with .Values.cleanupJobs.clusterEphemeralReports.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterEphemeralReports.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: cleanup
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.clusterEphemeralReports.image)) | quote }}
imagePullPolicy: {{ .Values.cleanupJobs.clusterEphemeralReports.image.pullPolicy }}
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterEphemeralReports.threshold }} ]; then
echo "too many clusterephemeralreports found ($COUNT), cleaning up..."
kubectl delete clusterephemeralreports.reports.kyverno.io -A --all
else
echo "($COUNT) reports found, no clean up needed"
fi
{{- with .Values.cleanupJobs.clusterEphemeralReports.securityContext }}
securityContext:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterEphemeralReports.resources }}
resources:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterEphemeralReports.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
{{- with .Values.cleanupJobs.clusterEphemeralReports.tolerations | default .Values.global.tolerations}}
tolerations:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterEphemeralReports.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if or .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity .Values.cleanupJobs.clusterEphemeralReports.podAffinity .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }}
affinity:
{{- with .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterEphemeralReports.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- end }}
{{- end -}}

91
charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml
View file

@ -1,91 +0,0 @@
{{- if .Values.cleanupJobs.ephemeralReports.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "kyverno.name" . }}-cleanup-ephemeral-reports
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup.labels" . | nindent 4 }}
spec:
schedule: {{ .Values.cleanupJobs.ephemeralReports.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.success }}
failedJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.failure }}
jobTemplate:
spec:
backoffLimit: {{ .Values.cleanupJobs.ephemeralReports.backoffLimit }}
{{- if .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
{{- with .Values.cleanupJobs.ephemeralReports.podAnnotations }}
annotations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.ephemeralReports.podLabels }}
labels:
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
{{- with .Values.cleanupJobs.ephemeralReports.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.ephemeralReports.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: cleanup
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.ephemeralReports.image)) | quote }}
imagePullPolicy: {{ .Values.cleanupJobs.ephemeralReports.image.pullPolicy }}
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt {{ .Values.cleanupJobs.ephemeralReports.threshold }} ]; then
echo "too many ephemeralreports found ($COUNT), cleaning up..."
kubectl delete ephemeralreports.reports.kyverno.io -A --all
else
echo "($COUNT) reports found, no clean up needed"
fi
{{- with .Values.cleanupJobs.ephemeralReports.securityContext }}
securityContext:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.ephemeralReports.resources }}
resources:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.ephemeralReports.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
{{- with .Values.cleanupJobs.ephemeralReports.tolerations | default .Values.global.tolerations}}
tolerations:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.ephemeralReports.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if or .Values.cleanupJobs.ephemeralReports.podAntiAffinity .Values.cleanupJobs.ephemeralReports.podAffinity .Values.cleanupJobs.ephemeralReports.nodeAffinity }}
affinity:
{{- with .Values.cleanupJobs.ephemeralReports.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.ephemeralReports.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.ephemeralReports.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- end }}
{{- end -}}

91
charts/kyverno/templates/cleanup/cleanup-update-requests.yaml
View file

@ -1,91 +0,0 @@
{{- if .Values.cleanupJobs.updateRequests.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "kyverno.name" . }}-cleanup-update-requests
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup.labels" . | nindent 4 }}
spec:
schedule: {{ .Values.cleanupJobs.updateRequests.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: {{ .Values.cleanupJobs.updateRequests.history.success }}
failedJobsHistoryLimit: {{ .Values.cleanupJobs.updateRequests.history.failure }}
jobTemplate:
spec:
backoffLimit: {{ .Values.cleanupJobs.updateRequests.backoffLimit }}
{{- if .Values.cleanupJobs.updateRequests.ttlSecondsAfterFinished }}
ttlSecondsAfterFinished: {{ .Values.cleanupJobs.updateRequests.ttlSecondsAfterFinished }}
{{- end }}
template:
metadata:
{{- with .Values.cleanupJobs.updateRequests.podAnnotations }}
annotations:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.updateRequests.podLabels }}
labels:
{{- toYaml . | nindent 12 }}
{{- end }}
spec:
serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
{{- with .Values.cleanupJobs.updateRequests.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.updateRequests.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
containers:
- name: cleanup
image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.updateRequests.image)) | quote }}
imagePullPolicy: {{ .Values.cleanupJobs.updateRequests.image.pullPolicy }}
command:
- /bin/bash
- -c
- |
set -euo pipefail
COUNT=$(kubectl get updaterequests.kyverno.io -A | wc -l)
if [ "$COUNT" -gt {{ .Values.cleanupJobs.updateRequests.threshold }} ]; then
echo "too many updaterequests found ($COUNT), cleaning up..."
kubectl delete updaterequests.kyverno.io --all -n kyverno
else
echo "($COUNT) reports found, no clean up needed"
fi
{{- with .Values.cleanupJobs.updateRequests.securityContext }}
securityContext:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.updateRequests.resources }}
resources:
{{- toYaml . | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.updateRequests.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
{{- with .Values.cleanupJobs.updateRequests.tolerations | default .Values.global.tolerations}}
tolerations:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.updateRequests.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if or .Values.cleanupJobs.updateRequests.podAntiAffinity .Values.cleanupJobs.updateRequests.podAffinity .Values.cleanupJobs.updateRequests.nodeAffinity }}
affinity:
{{- with .Values.cleanupJobs.updateRequests.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.updateRequests.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- with .Values.cleanupJobs.updateRequests.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 14 }}
{{- end }}
{{- end }}
{{- end -}}

24
charts/kyverno/templates/cleanup/clusterrole.yaml
View file

@ -1,24 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.name" . }}:cleanup-jobs
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- updaterequests
verbs:
- list
- deletecollection
- delete
- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
- list
- deletecollection
- delete

14
charts/kyverno/templates/cleanup/clusterrolebinding.yaml
View file

@ -1,14 +0,0 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.name" . }}:cleanup-jobs
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.name" . }}:cleanup-jobs
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.name" . }}-cleanup-jobs
namespace: {{ template "kyverno.namespace" . }}

7
charts/kyverno/templates/cleanup/serviceaccount.yaml
View file

@ -1,7 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.name" . }}-cleanup-jobs
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}

243
charts/kyverno/values.yaml
View file

@ -681,249 +681,6 @@ features:
# -- (string) Tuf mirror # -- (string) Tuf mirror
mirror: ~ mirror: ~
# Cleanup cronjobs to prevent internal resources from stacking up in the cluster
cleanupJobs:
updateRequests:
# -- Enable cleanup cronjob
enabled: false
# -- Maximum number of retries before considering a Job as failed. Defaults to 3.
backoffLimit: 3
# -- Time until the pod from the cronjob is deleted
ttlSecondsAfterFinished: ""
image:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
tag: '1.30.2'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Cronjob schedule
schedule: '*/10 * * * *'
# -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
threshold: 10000
# -- Cronjob history
history:
success: 1
failure: 1
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Pod PriorityClassName
priorityClassName: ""
# -- Job resources
resources: {}
# -- List of node taints to tolerate
tolerations: []
# -- Node labels for pod assignment
nodeSelector: {}
# -- Pod Annotations
podAnnotations: {}
# -- Pod labels
podLabels: {}
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
ephemeralReports:
# -- Enable cleanup cronjob
enabled: false
# -- Maximum number of retries before considering a Job as failed. Defaults to 3.
backoffLimit: 3
# -- Time until the pod from the cronjob is deleted
ttlSecondsAfterFinished: ""
image:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
tag: '1.30.2'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Cronjob schedule
schedule: '*/10 * * * *'
# -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them
threshold: 10000
# -- Cronjob history
history:
success: 1
failure: 1
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Pod PriorityClassName
priorityClassName: ""
# -- Job resources
resources: {}
# -- List of node taints to tolerate
tolerations: []
# -- Node labels for pod assignment
nodeSelector: {}
# -- Pod Annotations
podAnnotations: {}
# -- Pod labels
podLabels: {}
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
clusterEphemeralReports:
# -- Enable cleanup cronjob
enabled: false
# -- Maximum number of retries before considering a Job as failed. Defaults to 3.
backoffLimit: 3
# -- Time until the pod from the cronjob is deleted
ttlSecondsAfterFinished: ""
image:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
tag: '1.30.2'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
# -- Image pull secrets
imagePullSecrets: []
# - name: secretName
# -- Cronjob schedule
schedule: '*/10 * * * *'
# -- Reports threshold, if number of reports are above this value the cronjob will start deleting them
threshold: 10000
# -- Cronjob history
history:
success: 1
failure: 1
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Pod PriorityClassName
priorityClassName: ""
# -- Job resources
resources: {}
# -- List of node taints to tolerate
tolerations: []
# -- Node labels for pod assignment
nodeSelector: {}
# -- Pod Annotations
podAnnotations: {}
# -- Pod Labels
podLabels: {}
# -- Pod anti affinity constraints.
podAntiAffinity: {}
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
# Admission controller configuration # Admission controller configuration
admissionController: admissionController:

54
config/install-latest-testing.yaml
View file

@ -43,16 +43,6 @@ metadata:
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata:
name: kyverno-cleanup-jobs
namespace: kyverno
labels:
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
---
apiVersion: v1
kind: ServiceAccount
metadata: metadata:
name: kyverno-reports-controller name: kyverno-reports-controller
namespace: kyverno namespace: kyverno
@ -43996,33 +43986,6 @@ rules:
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata:
name: kyverno:cleanup-jobs
labels:
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- kyverno.io
resources:
- updaterequests
verbs:
- list
- deletecollection
- delete
- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
- list
- deletecollection
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: metadata:
name: kyverno:rbac:admin:policies name: kyverno:rbac:admin:policies
labels: labels:
@ -44369,23 +44332,6 @@ subjects:
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:cleanup-jobs
labels:
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:cleanup-jobs
subjects:
- kind: ServiceAccount
name: kyverno-cleanup-jobs
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: kyverno:reports-controller name: kyverno:reports-controller
labels: labels: