From add898c1c7fdaa0a3e1cbc9aed45a23823872912 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
 <charles.edouard@nirmata.com>
Date: Fri, 3 Mar 2023 05:24:32 +0100
Subject: [PATCH] refactor: helm admission controller config (#6460)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
 charts/kyverno/README.md                      | 36 +++++----
 charts/kyverno/README.md.gotmpl               |  4 +
 .../admission-controller/deployment.yaml      |  8 +-
 .../admission-controller/servicemonitor.yaml  | 22 +++---
 charts/kyverno/values.yaml                    | 76 +++++++++----------
 scripts/config/dev/kyverno.yaml               |  7 +-
 6 files changed, 79 insertions(+), 74 deletions(-)

diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index a400c18360..a2cc5b5377 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -139,6 +139,10 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `livenessProbe` has been replaced with `admissionController.livenessProbe`
 - `readinessProbe` has been replaced with `admissionController.readinessProbe`
 - `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert`
+- `serviceMonitor` has been replaced with `admissionController.serviceMonitor`
+- `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
+- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
+- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
 
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
 
@@ -207,7 +211,6 @@ The command removes all the Kubernetes components associated with the chart and
 | initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
 | podLabels | object | `{}` | Additional labels to add to each pod |
 | podAnnotations | object | `{}` | Additional annotations to add to each pod |
-| podSecurityContext | object | `{}` | Security context for the pod |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
 | envVarsInit | object | `{}` | Env variables for initContainers. |
 | envVars | object | `{}` | Env variables for containers. |
@@ -230,19 +233,10 @@ The command removes all the Kubernetes components associated with the chart and
 | metricsService.type | string | `"ClusterIP"` | Service type. |
 | metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | metricsService.annotations | object | `{}` | Service annotations. |
-| serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
-| serviceMonitor.additionalLabels | string | `nil` | Additional labels |
-| serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
-| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
-| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
-| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
-| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
 | networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
-| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
-| sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
 | grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
 | grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. |
 | grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
@@ -263,8 +257,18 @@ The command removes all the Kubernetes components associated with the chart and
 | admissionController.podAffinity | object | `{}` | Pod affinity constraints. |
 | admissionController.nodeAffinity | object | `{}` | Node affinity constraints. |
 | admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
+| admissionController.podSecurityContext | object | `{}` | Security context for the pod |
 | admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
 | admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
+| admissionController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
+| admissionController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| admissionController.serviceMonitor.namespace | string | `nil` | Override namespace |
+| admissionController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| admissionController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| admissionController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
+| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
+| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
+| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
 | cleanupController.enabled | bool | `true` | Enable cleanup controller. |
 | cleanupController.rbac.create | bool | `true` | Create RBAC resources |
 | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
@@ -307,8 +311,8 @@ The command removes all the Kubernetes components associated with the chart and
 | cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | cleanupController.metricsService.annotations | object | `{}` | Service annotations. |
 | cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
-| cleanupController.serviceMonitor.additionalLabels | string | `nil` | Additional labels |
-| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
+| cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace |
 | cleanupController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
 | cleanupController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | cleanupController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
@@ -357,8 +361,8 @@ The command removes all the Kubernetes components associated with the chart and
 | reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | reportsController.metricsService.annotations | object | `{}` | Service annotations. |
 | reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
-| reportsController.serviceMonitor.additionalLabels | string | `nil` | Additional labels |
-| reportsController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
+| reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| reportsController.serviceMonitor.namespace | string | `nil` | Override namespace |
 | reportsController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
 | reportsController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | reportsController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
@@ -407,8 +411,8 @@ The command removes all the Kubernetes components associated with the chart and
 | backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | backgroundController.metricsService.annotations | object | `{}` | Service annotations. |
 | backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
-| backgroundController.serviceMonitor.additionalLabels | string | `nil` | Additional labels |
-| backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
+| backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace |
 | backgroundController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
 | backgroundController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | backgroundController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl
index e10d64290c..0a6c1ab4b4 100644
--- a/charts/kyverno/README.md.gotmpl
+++ b/charts/kyverno/README.md.gotmpl
@@ -139,6 +139,10 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `livenessProbe` has been replaced with `admissionController.livenessProbe`
 - `readinessProbe` has been replaced with `admissionController.readinessProbe`
 - `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert`
+- `serviceMonitor` has been replaced with `admissionController.serviceMonitor`
+- `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
+- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
+- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
 
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
 
diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml
index 94143d306b..f75c8753d9 100644
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@@ -30,7 +30,7 @@ spec:
       imagePullSecrets:
         {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
-      {{- with .Values.podSecurityContext }}
+      {{- with .Values.admissionController.podSecurityContext }}
       securityContext:
         {{- tpl (toYaml .) $ | nindent 8 }}
       {{- end }}
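Review bot: A top-level `podSecurityContext` left over from a v2 values file is silently ignored once this `with` reads `.Values.admissionController.podSecurityContext` instead: Helm does not reject unknown values keys, so the pod renders with no pod-level security context and nothing warns the operator. The same silent fallback applies to `tufRootMountPath` and `sigstoreVolume` in the two later hunks of this file (the default `emptyDir` quietly replaces whatever volume the old key selected) and to `serviceMonitor.enabled` in servicemonitor.yaml, where scraping simply stops. A render-time guard near the top of this template makes the migration explicit, e.g. `{{- if hasKey .Values "podSecurityContext" }}{{ fail "podSecurityContext has moved to admissionController.podSecurityContext" }}{{ end }}`, repeated for the other three relocated keys. The enclosing pod spec starts before this hunk.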
@@ -156,7 +156,7 @@ spec:
           - name: KYVERNO_SVC
             value: {{ template "kyverno.admission-controller.serviceName" . }}
           - name: TUF_ROOT
-            value: {{ .Values.tufRootMountPath }}
+            value: {{ .Values.admissionController.tufRootMountPath }}
           {{- with .Values.envVars }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
@@ -175,13 +175,13 @@ spec:
             {{- tpl (toYaml .) $ | nindent 12 }}
           {{- end }}
           volumeMounts:
-            - mountPath: {{ .Values.tufRootMountPath }}
+            - mountPath: {{ .Values.admissionController.tufRootMountPath }}
               name: sigstore
             - mountPath: /var/run/secrets/tokens
               name: api-token
       volumes:
       - name: sigstore
-        {{- toYaml (required "A valid .Values.sigstoreVolume entry is required" .Values.sigstoreVolume) | nindent 8 }}
+        {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }}
       - name: api-token
         projected:
           sources:
diff --git a/charts/kyverno/templates/admission-controller/servicemonitor.yaml b/charts/kyverno/templates/admission-controller/servicemonitor.yaml
index 806f9a886e..f695d756b8 100644
--- a/charts/kyverno/templates/admission-controller/servicemonitor.yaml
+++ b/charts/kyverno/templates/admission-controller/servicemonitor.yaml
@@ -1,17 +1,17 @@
-{{- if .Values.serviceMonitor.enabled }}
-apiVersion: "monitoring.coreos.com/v1"
+{{- if .Values.admissionController.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "kyverno.admission-controller.name" . }}
-  {{- if .Values.serviceMonitor.namespace }}
-  namespace: {{ .Values.serviceMonitor.namespace }}
+  {{- if .Values.admissionController.serviceMonitor.namespace }}
+  namespace: {{ .Values.admissionController.serviceMonitor.namespace }}
   {{- else }}
   namespace: {{ template "kyverno.namespace" . }}
   {{- end }}
   labels:
     {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-    {{- if .Values.serviceMonitor.additionalLabels }}
-    {{- toYaml .Values.serviceMonitor.additionalLabels | nindent 4 }}
+    {{- with .Values.admissionController.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
 spec:
   selector:
@@ -22,11 +22,11 @@ spec:
     - {{ template "kyverno.namespace" . }}
   endpoints:
   - port: metrics-port
-    interval: {{ .Values.serviceMonitor.interval }}
-    scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
-  {{- if .Values.serviceMonitor.secure }}
+    interval: {{ .Values.admissionController.serviceMonitor.interval }}
+    scrapeTimeout: {{ .Values.admissionController.serviceMonitor.scrapeTimeout }}
+    {{- if .Values.admissionController.serviceMonitor.secure }}
     scheme: https
     tlsConfig:
-      {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
+      {{- toYaml .Values.admissionController.serviceMonitor.tlsConfig | nindent 8 }}
     {{- end }}
-{{- end }}
+{{- end -}}
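Review bot: `interval:` and `scrapeTimeout:` emit the template result as a plain scalar, so an override such as `interval: 30` renders an integer where the ServiceMonitor CRD expects a duration string and the object is rejected at apply time; `interval: {{ .Values.admissionController.serviceMonitor.interval | quote }}` and the matching `scrapeTimeout` line make the rendered field a string regardless of how the override was typed. For consistency the same `| quote` treatment fits the `TUF_ROOT` `value:` and the `mountPath:` substitutions in deployment.yaml, where the API fields are likewise strings. The `endpoints` entry these lines belong to starts before the hunk.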
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 0012f3f53b..8465c159e7 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -87,7 +87,7 @@ config:
     - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
     - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
     - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
-    - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.serviceName" . }}-service-monitor]'
+    - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.serviceName" . }}-service-monitor]'
     - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-*]'
 
   # -- Defines the `namespaceSelector` in the webhook configurations.
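Review bot: The relocated `ServiceMonitor` resource filter still names the object `{{ template "kyverno.admission-controller.serviceName" . }}-service-monitor`, while the ServiceMonitor template in this same patch sets `metadata.name` to `{{ template "kyverno.admission-controller.name" . }}` with no `-service-monitor` suffix. Unless the two helpers happen to render the same string, the filter never matches and the chart's own ServiceMonitor presumably stays subject to policy evaluation. Rendering both with `helm template` and aligning the filter to the emitted name would settle it. The `resourceFilters` list this entry belongs to starts before the hunk.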
@@ -242,9 +242,6 @@ podLabels: {}
 podAnnotations: {}
   # example.com/annotation: foo
 
-# -- Security context for the pod
-podSecurityContext: {}
-
 # -- Security context for the containers
 securityContext:
   runAsNonRoot: true
@@ -338,23 +335,6 @@ metricsService:
   # -- Service annotations.
   annotations: {}
 
-serviceMonitor:
-  # -- Create a `ServiceMonitor` to collect Prometheus metrics.
-  enabled: false
-  # -- Additional labels
-  additionalLabels:
-    # key: value
-  # -- Override namespace (default is the same as kyverno)
-  namespace:
-  # --  Interval to scrape metrics
-  interval: 30s
-  # -- Timeout if metrics can't be retrieved in given time interval
-  scrapeTimeout: 25s
-  # -- Is TLS required for endpoint
-  secure: false
-  # -- TLS Configuration for endpoint
-  tlsConfig: {}
-
 networkPolicy:
   # -- When true, use a NetworkPolicy to allow ingress to the webhook
   # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
@@ -368,13 +348,6 @@ webhooksCleanup:
   # -- `kubectl` image to run commands for deleting webhooks.
   image: bitnami/kubectl:latest
 
-# -- A writable volume to use for the TUF root initialization.
-tufRootMountPath: /.sigstore
-
-# -- Volume to be mounted in pods for TUF/cosign work.
-sigstoreVolume:
-  emptyDir: {}
-
 grafana:
   # -- Enable grafana dashboard creation.
   enabled: false
@@ -498,6 +471,9 @@ admissionController:
   # -- Topology spread constraints.
   topologySpreadConstraints: []
 
+  # -- Security context for the pod
+  podSecurityContext: {}
+
   podDisruptionBudget:
     # -- Configures the minimum available pods for disruptions.
     # Cannot be used if `maxUnavailable` is set.
@@ -506,6 +482,29 @@ admissionController:
     # Cannot be used if `minAvailable` is set.
     maxUnavailable:
 
+  serviceMonitor:
+    # -- Create a `ServiceMonitor` to collect Prometheus metrics.
+    enabled: false
+    # -- Additional labels
+    additionalLabels: {}
+    # -- (string) Override namespace
+    namespace: ~
+    # --  Interval to scrape metrics
+    interval: 30s
+    # -- Timeout if metrics can't be retrieved in given time interval
+    scrapeTimeout: 25s
+    # -- Is TLS required for endpoint
+    secure: false
+    # -- TLS Configuration for endpoint
+    tlsConfig: {}
+
+  # -- A writable volume to use for the TUF root initialization.
+  tufRootMountPath: /.sigstore
+
+  # -- Volume to be mounted in pods for TUF/cosign work.
+  sigstoreVolume:
+    emptyDir: {}
+
 # Cleanup controller configuration
 cleanupController:
 
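Review bot: `namespace: ~` spells null with the tilde, which yamllint and most YAML style guides discourage in favour of the explicit `null`; the same spelling is introduced in the three later hunks of this file for cleanupController, reportsController and backgroundController. The `# --  Interval to scrape metrics` annotation carries a stray double space. The `tufRootMountPath` comment reads `# -- A writable volume to use for the TUF root initialization.` although the value is a mount path, not a volume; `# -- Mount path of the writable volume (see sigstoreVolume) used for the TUF root initialization.` describes what is actually configured.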
@@ -712,10 +711,9 @@ cleanupController:
     # -- Create a `ServiceMonitor` to collect Prometheus metrics.
     enabled: false
     # -- Additional labels
-    additionalLabels:
-      # key: value
-    # -- Override namespace (default is the same as kyverno)
-    namespace:
+    additionalLabels: {}
+    # -- (string) Override namespace
+    namespace: ~
     # --  Interval to scrape metrics
     interval: 30s
     # -- Timeout if metrics can't be retrieved in given time interval
@@ -943,10 +941,9 @@ reportsController:
     # -- Create a `ServiceMonitor` to collect Prometheus metrics.
     enabled: false
     # -- Additional labels
-    additionalLabels:
-      # key: value
-    # -- Override namespace (default is the same as kyverno)
-    namespace:
+    additionalLabels: {}
+    # -- (string) Override namespace
+    namespace: ~
     # --  Interval to scrape metrics
     interval: 30s
     # -- Timeout if metrics can't be retrieved in given time interval
@@ -1133,10 +1130,9 @@ backgroundController:
     # -- Create a `ServiceMonitor` to collect Prometheus metrics.
     enabled: false
     # -- Additional labels
-    additionalLabels:
-      # key: value
-    # -- Override namespace (default is the same as kyverno)
-    namespace:
+    additionalLabels: {}
+    # -- (string) Override namespace
+    namespace: ~
     # --  Interval to scrape metrics
     interval: 30s
     # -- Timeout if metrics can't be retrieved in given time interval
diff --git a/scripts/config/dev/kyverno.yaml b/scripts/config/dev/kyverno.yaml
index 0c71ed64f5..e52729e2ac 100644
--- a/scripts/config/dev/kyverno.yaml
+++ b/scripts/config/dev/kyverno.yaml
@@ -9,12 +9,13 @@ extraArgs:
   - --tracingPort=4317
   - --enablePolicyException
 
-serviceMonitor:
-  enabled: true
-
 grafana:
   enabled: true
 
+admissionController:
+  serviceMonitor:
+    enabled: true
+
 cleanupController:
   rbac:
     clusterRole: