diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 71814b7b40..b4103b561f 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -65,67 +65,68 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the kyverno chart and their default values. -| Parameter | Description | Default | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `antiAffinity.enable` | pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node | `true` | -| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` | -| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` | -| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. 
See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` | -| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` | -| `customLabels` | Additional labels | `{}` | -| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` | -| `envVarsInit` | Extra environment variables to pass to kyverno initContainers | -| `envVars` | Extra environment variables to pass to Kyverno | `{} ` | -| `extraArgs` | object for extra arguments to give to the binary (`--set extraArgs={"-v=4"}`) | `{}` | -| `fullnameOverride` | override the expanded name of the chart | `nil` | -| `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` | -| `hostNetwork` | Use the host network's namespace. 
Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) | -| `image.repository` | Image repository | `ghcr.io/kyverno/kyverno` | -| `image.tag` | Image tag | `nil` | -| `initImage.pullPolicy` | Init image pull policy | `nil` | -| `initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` | -| `initImage.tag` | Init image tag | `nil` | -| `installCRDs` | Install the Kyverno CRDs | `true` | -| `livenessProbe` | liveness probe configuration | `{}` | -| `nameOverride` | override the name of the chart | `nil` | -| `namespace` | namespace the chart deploy to | `nil` | -| `networkPolicy.enabled` | when true, use a NetworkPolicy to grant access to the webhook. | `false` -| `nodeAffinity` | node affinities. Empty by default. Can be added for nodeAffinities. | `nil` | -| `nodeSelector` | node labels for pod assignment | `{}` | -| `podAffinity` | pod affinities. Empty by default. Can be added for podAffinities. | `nil` | -| `podAntiAffinity` | pod antiAffinities default values. can be overwrite | `Pod Anti Affinity` | -| `podAnnotations` | annotations to add to each pod | `{}` | -| `podLabels` | additional labels to add to each pod | `{}` | -| `podSecurityContext` | security context for the pod | `{}` | -| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for kyverno disruptions. Cannot used if `maxUnavailable` is set. | `1` | -| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for kyverno disruptions. Cannot used if `minAvailable` is set. 
| `nil` | -| `priorityClassName` | priorityClassName | `nil` | -| `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` | -| `rbac.serviceAccount.create` | create a ServiceAccount | `true` | -| `rbac.serviceAccount.name` | the ServiceAccount name | `nil` | -| `rbac.serviceAccount.annotations` | annotations for the ServiceAccount | `{}` | -| `readinessProbe` | readiness probe configuration | `{}` | -| `replicaCount` | desired number of pods | `1` | -| `resources` | pod resource requests and limits | `{}` | -| `securityContext` | security context configuration | `{}` | -| `service.annotations` | annotations to add to the service | `{}` | -| `service.nodePort` | node port | `nil` | -| `service.port` | port for the service | `443` | -| `service.type` | type of service | `ClusterIP` | -| `serviceMonitor.enabled` | create a ServiceMonitor(Requires Prometheus) | `false` | -| `serviceMonitor.namespace` | override namespace for ServiceMonitor (default is same than kyverno) | `false` | -| `serviceMonitor.additionalLabels` | additional labels to add for ServiceMonitor | `nil` | -| `serviceMonitor.interval` | interval to scrape metrics | `30s` | -| `serviceMonitor.scrapeTimeout` | timeout if metrics can't be retrieved in given time interval | `25s` | -| `serviceMonitor.secure` | is TLS required for endpoint | `false` | -| `serviceMonitor.tlsConfig` | TLS Configuration for endpoint | `[]` | -| `testImage.pullPolicy` | image pull policy for test image (defaults to `image.pullPolicy`) | `nil` | -| `testImage.repository` | repository for chart test image | `busybox` | -| `testImage.tag` | tag for chart test image | `nil` | -| `tolerations` | list of node taints to tolerate | `[]` | -| `topologySpreadConstraints` | node/pod topology spread constrains | `[]` | +| Parameter | Description | Default | +|--|--|--| +| `antiAffinity.enable` | pod antiAffinities toggle. 
Enabled by default but can be disabled if you want to schedule pods to the same node | `true` | +| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` | +| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` | +| `config.resourceFilters` | list of resource types to be skipped by kyverno policy engine. See [documentation](https://kyverno.io/docs/installation/#resource-filters) for details | `[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*]` | +| `config.webhooks` | customize webhook configurations for both MutatingWebhookConfiguration and ValidatingWebhookConfiguration of Kubernetes resources, only `namespaceSelector` can be configured with Kyverno v1.4.0 | `nil` | +| `customLabels` | Additional labels | `{}` | +| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` | +| `envVarsInit` | Extra environment variables to pass to kyverno initContainers | +| `envVars` | Extra environment variables to pass to Kyverno | `{}` | +| `extraArgs` | object for extra arguments to give to the binary (`--set extraArgs={"-v=4"}`) | `{}` | +| `fullnameOverride` | override the expanded name of the chart | `nil` | +| `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` | +| `hostNetwork` | Use the host network's namespace. 
Set it to `true` when dealing with a custom CNI over Amazon EKS | `false` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) | +| `image.repository` | Image repository | `ghcr.io/kyverno/kyverno` | +| `image.tag` | Image tag | `nil` | +| `initImage.pullPolicy` | Init image pull policy | `nil` | +| `initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre` | +| `initImage.tag` | Init image tag | `nil` | +| `installCRDs` | Install the Kyverno CRDs | `true` | +| `livenessProbe` | liveness probe configuration | `{}` | +| `nameOverride` | override the name of the chart | `nil` | +| `namespace` | namespace the chart deploy to | `nil` | +| `networkPolicy.enabled` | when true, use a NetworkPolicy to grant access to the webhook. | `false` | +| `nodeAffinity` | node affinities. Empty by default. Can be added for nodeAffinities. | `nil` | +| `nodeSelector` | node labels for pod assignment | `{}` | +| `podAffinity` | pod affinities. Empty by default. Can be added for podAffinities. | `nil` | +| `podAntiAffinity` | pod antiAffinities default values. can be overwrite | `Pod Anti Affinity` | +| `podAnnotations` | annotations to add to each pod | `{}` | +| `podLabels` | additional labels to add to each pod | `{}` | +| `podSecurityContext` | security context for the pod | `{}` | +| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for kyverno disruptions. Cannot used if `maxUnavailable` is set. | `1` | +| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for kyverno disruptions. Cannot used if `minAvailable` is set. 
| `nil` | +| `priorityClassName` | priorityClassName | `nil` | +| `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` | +| `rbac.serviceAccount.create` | create a ServiceAccount | `true` | +| `rbac.serviceAccount.name` | the ServiceAccount name | `nil` | +| `rbac.serviceAccount.annotations` | annotations for the ServiceAccount | `{}` | +| `readinessProbe` | readiness probe configuration | `{}` | +| `replicaCount` | desired number of pods | `0` | +| `mode` | a mode for Kyverno installation | `standalone` | +| `resources` | pod resource requests and limits | `{}` | +| `securityContext` | security context configuration | `{}` | +| `service.annotations` | annotations to add to the service | `{}` | +| `service.nodePort` | node port | `nil` | +| `service.port` | port for the service | `443` | +| `service.type` | type of service | `ClusterIP` | +| `serviceMonitor.enabled` | create a ServiceMonitor(Requires Prometheus) | `false` | +| `serviceMonitor.namespace` | override namespace for ServiceMonitor (default is same than kyverno) | `false` | +| `serviceMonitor.additionalLabels` | additional labels to add for ServiceMonitor | `nil` | +| `serviceMonitor.interval` | interval to scrape metrics | `30s` | +| `serviceMonitor.scrapeTimeout` | timeout if metrics can't be retrieved in given time interval | `25s` | +| `serviceMonitor.secure` | is TLS required for endpoint | `false` | +| `serviceMonitor.tlsConfig` | TLS Configuration for endpoint | `[]` | +| `testImage.pullPolicy` | image pull policy for test image (defaults to `image.pullPolicy`) | `nil` | +| `testImage.repository` | repository for chart test image | `busybox` | +| `testImage.tag` | tag for chart test image | `nil` | +| `tolerations` | list of node taints to tolerate | `[]` | +| `topologySpreadConstraints` | node/pod topology spread constrains | `[]` | | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index ce96993af3..d2a8477981 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -104,3 +104,13 @@ minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }} maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} {{- end }} {{- end }} + +{{- define "kyverno.replicaCount" -}} +{{- if not (empty .Values.replicaCount) }} +replicas: {{ .Values.replicaCount }} +{{- else if eq .Values.mode "standalone" }} +replicas: 1 +{{- else if eq .Values.mode "ha" }} +replicas: 3 +{{- end }} +{{- end }} diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml index 5a81670435..390d3f442c 100644 --- a/charts/kyverno/templates/deployment.yaml +++ b/charts/kyverno/templates/deployment.yaml @@ -6,9 +6,9 @@ metadata: app: kyverno namespace: {{ template "kyverno.namespace" . }} spec: +{{- include "kyverno.replicaCount" . | indent 2 }} selector: matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }} - replicas: {{ .Values.replicaCount }} {{- if .Values.updateStrategy }} strategy: {{ toYaml .Values.updateStrategy | nindent 4 | trim }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index f44c52768b..c0b0d82eda 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -1,7 +1,7 @@ nameOverride: fullnameOverride: namespace: - +mode: "standalone" # -- Additional labels customLabels: {} @@ -35,7 +35,7 @@ testImage: # testImage.pullPolicy defaults to image.pullPolicy if omitted pullPolicy: -replicaCount: 1 +replicaCount: 0 podLabels: {} # example.com/label: foo
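Review bot: The new `kyverno.replicaCount` helper emits no `replicas:` line at all when `mode` is anything other than `standalone` or `ha`, so a mistyped value such as `--set mode=HA` renders a Deployment that silently falls back to the Kubernetes default of one replica instead of the three the operator intended for the admission webhook. A render-time guard makes the mistake visible: after the `ha` branch add `{{- else }}` and `{{- fail (printf "unsupported mode %q (expected \"standalone\" or \"ha\")" .Values.mode) }}`. Separately, the `not (empty .Values.replicaCount)` test treats `0` the same as unset, so a user can no longer scale the Deployment to zero through values; if that is the intended contract it deserves a comment above the define, e.g. `{{/* replicaCount of 0 (the chart default) means "derive the count from .Values.mode" */}}`.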
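Review bot: The new `mode: "standalone"` key in values.yaml has no `# --` comment, although the surrounding keys (`customLabels`, `testImage.pullPolicy`) document themselves that way, and neither this hunk nor the README row ("a mode for Kyverno installation") tells the reader which values are accepted or that `replicaCount: 0` now means the count is derived from `mode`. Suggest `# -- Installation mode: "standalone" (1 replica) or "ha" (3 replicas); only consulted when replicaCount is 0` above `mode:` and `# -- Number of replicas; 0 derives the count from mode` above the changed `replicaCount: 0`.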