mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

feat: ha mode support in helm chart (#3207)

Browse source 
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Co-authored-by: @necatican @f9n
Signed-off-by: Emin Aktas <eminaktas34@gmail.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
This commit is contained in:
Batuhan Apaydın 2022-02-15 10:57:23 +03:00 committed by GitHub
parent bd1a145678
commit 943fe2dd41
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 75 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

123
charts/kyverno/README.md
View file

@ -65,67 +65,68 @@ The command removes all the Kubernetes components associated with the chart and
The following table lists the configurable parameters of the kyverno chart and their default values.
| Parameter | Description | Default |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `antiAffinity.enable` | pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node | `true` |
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` |
| `customLabels` | Additional labels | `{}` |
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
| `envVarsInit` | Extra environment variables to pass to kyverno initContainers |
| `envVars` | Extra environment variables to pass to Kyverno | `{} ` |
| `extraArgs` | object for extra arguments to give to the binary (`--set extraArgs={"-v=4"}`) | `{}` |
| `fullnameOverride` | override the expanded name of the chart | `nil` |
| `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` |
| `hostNetwork` | Use the host network's namespace. Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) |
| `image.repository` | Image repository | `ghcr.io/kyverno/kyverno` |
| `image.tag` | Image tag | `nil` |
| `initImage.pullPolicy` | Init image pull policy | `nil` |
| `initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` |
| `initImage.tag` | Init image tag | `nil` |
| `installCRDs` | Install the Kyverno CRDs | `true` |
| `livenessProbe` | liveness probe configuration | `{}` |
| `nameOverride` | override the name of the chart | `nil` |
| `namespace` | namespace the chart deploy to | `nil` |
| `networkPolicy.enabled` | when true, use a NetworkPolicy to grant access to the webhook. | `false`
| `nodeAffinity` | node affinities. Empty by default. Can be added for nodeAffinities. | `nil` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `podAffinity` | pod affinities. Empty by default. Can be added for podAffinities. | `nil` |
| `podAntiAffinity` | pod antiAffinities default values. can be overwrite | `Pod Anti Affinity` |
| `podAnnotations` | annotations to add to each pod | `{}` |
| `podLabels` | additional labels to add to each pod | `{}` |
| `podSecurityContext` | security context for the pod | `{}` |
| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for kyverno disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for kyverno disruptions. Cannot used if `minAvailable` is set. | `nil` |
| `priorityClassName` | priorityClassName | `nil` |
| `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` |
| `rbac.serviceAccount.create` | create a ServiceAccount | `true` |
| `rbac.serviceAccount.name` | the ServiceAccount name | `nil` |
| `rbac.serviceAccount.annotations` | annotations for the ServiceAccount | `{}` |
| `readinessProbe` | readiness probe configuration | `{}` |
| `replicaCount` | desired number of pods | `1` |
| `resources` | pod resource requests and limits | `{}` |
| `securityContext` | security context configuration | `{}` |
| `service.annotations` | annotations to add to the service | `{}` |
| `service.nodePort` | node port | `nil` |
| `service.port` | port for the service | `443` |
| `service.type` | type of service | `ClusterIP` |
| `serviceMonitor.enabled` | create a ServiceMonitor(Requires Prometheus) | `false` |
| `serviceMonitor.namespace` | override namespace for ServiceMonitor (default is same than kyverno) | `false` |
| `serviceMonitor.additionalLabels` | additional labels to add for ServiceMonitor | `nil` |
| `serviceMonitor.interval` | interval to scrape metrics | `30s` |
| `serviceMonitor.scrapeTimeout` | timeout if metrics can't be retrieved in given time interval | `25s` |
| `serviceMonitor.secure` | is TLS required for endpoint | `false` |
| `serviceMonitor.tlsConfig` | TLS Configuration for endpoint | `[]` |
| `testImage.pullPolicy` | image pull policy for test image (defaults to `image.pullPolicy`) | `nil` |
| `testImage.repository` | repository for chart test image | `busybox` |
| `testImage.tag` | tag for chart test image | `nil` |
| `tolerations` | list of node taints to tolerate | `[]` |
| `topologySpreadConstraints` | node/pod topology spread constrains | `[]` |
| Parameter | Description | Default |
|--|--|--|
| `antiAffinity.enable` | pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node | `true` |
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` |
| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` |
| `customLabels` | Additional labels | `{}` |
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
| `envVarsInit` | Extra environment variables to pass to kyverno initContainers |
| `envVars` | Extra environment variables to pass to Kyverno | `{}` |
| `extraArgs` | object for extra arguments to give to the binary (`--set extraArgs={"-v=4"}`) | `{}` |
| `fullnameOverride` | override the expanded name of the chart | `nil` |
| `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` |
| `hostNetwork` | Use the host network's namespace. Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) |
| `image.repository` | Image repository | `ghcr.io/kyverno/kyverno` |
| `image.tag` | Image tag | `nil` |
| `initImage.pullPolicy` | Init image pull policy | `nil` |
| `initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` |
| `initImage.tag` | Init image tag | `nil` |
| `installCRDs` | Install the Kyverno CRDs | `true` |
| `livenessProbe` | liveness probe configuration | `{}` |
| `nameOverride` | override the name of the chart | `nil` |
| `namespace` | namespace the chart deploy to | `nil` |
| `networkPolicy.enabled` | when true, use a NetworkPolicy to grant access to the webhook. | `false` |
| `nodeAffinity` | node affinities. Empty by default. Can be added for nodeAffinities. | `nil` |
| `nodeSelector` | node labels for pod assignment | `{}` |
| `podAffinity` | pod affinities. Empty by default. Can be added for podAffinities. | `nil` |
| `podAntiAffinity` | pod antiAffinities default values. can be overwrite | `Pod Anti Affinity` |
| `podAnnotations` | annotations to add to each pod | `{}` |
| `podLabels` | additional labels to add to each pod | `{}` |
| `podSecurityContext` | security context for the pod | `{}` |
| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for kyverno disruptions. Cannot used if `maxUnavailable` is set. | `1` |
| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for kyverno disruptions. Cannot used if `minAvailable` is set. | `nil` |
| `priorityClassName` | priorityClassName | `nil` |
| `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` |
| `rbac.serviceAccount.create` | create a ServiceAccount | `true` |
| `rbac.serviceAccount.name` | the ServiceAccount name | `nil` |
| `rbac.serviceAccount.annotations` | annotations for the ServiceAccount | `{}` |
| `readinessProbe` | readiness probe configuration | `{}` |
| `replicaCount` | desired number of pods | `0` |
| `mode` | a mode for Kyverno installation | `standalone` |
| `resources` | pod resource requests and limits | `{}` |
| `securityContext` | security context configuration | `{}` |
| `service.annotations` | annotations to add to the service | `{}` |
| `service.nodePort` | node port | `nil` |
| `service.port` | port for the service | `443` |
| `service.type` | type of service | `ClusterIP` |
| `serviceMonitor.enabled` | create a ServiceMonitor(Requires Prometheus) | `false` |
| `serviceMonitor.namespace` | override namespace for ServiceMonitor (default is same than kyverno) | `false` |
| `serviceMonitor.additionalLabels` | additional labels to add for ServiceMonitor | `nil` |
| `serviceMonitor.interval` | interval to scrape metrics | `30s` |
| `serviceMonitor.scrapeTimeout` | timeout if metrics can't be retrieved in given time interval | `25s` |
| `serviceMonitor.secure` | is TLS required for endpoint | `false` |
| `serviceMonitor.tlsConfig` | TLS Configuration for endpoint | `[]` |
| `testImage.pullPolicy` | image pull policy for test image (defaults to `image.pullPolicy`) | `nil` |
| `testImage.repository` | repository for chart test image | `busybox` |
| `testImage.tag` | tag for chart test image | `nil` |
| `tolerations` | list of node taints to tolerate | `[]` |
| `topologySpreadConstraints` | node/pod topology spread constrains | `[]` | |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

10
charts/kyverno/templates/_helpers.tpl
View file

@ -104,3 +104,13 @@ minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}
{{- define "kyverno.replicaCount" -}}
{{- if not (empty .Values.replicaCount) }}
replicas: {{ .Values.replicaCount }}
{{- else if eq .Values.mode "standalone" }}
replicas: 1
{{- else if eq .Values.mode "ha" }}
replicas: 3
{{- end }}
{{- end }}

2
charts/kyverno/templates/deployment.yaml
View file

@ -6,9 +6,9 @@ metadata:
app: kyverno
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "kyverno.replicaCount" . | indent 2 }}
selector:
matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
replicas: {{ .Values.replicaCount }}
{{- if .Values.updateStrategy }}
strategy:
{{ toYaml .Values.updateStrategy | nindent 4 | trim }}

4
charts/kyverno/values.yaml
View file

@ -1,7 +1,7 @@
nameOverride:
fullnameOverride:
namespace:
mode: "standalone"
# -- Additional labels
customLabels: {}
@ -35,7 +35,7 @@ testImage:
# testImage.pullPolicy defaults to image.pullPolicy if omitted
pullPolicy:
replicaCount: 1
replicaCount: 0
podLabels: {}
# example.com/label: foo