From b33f7e8d736f743c6fa564b0675c188261e42c66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 6 Mar 2023 15:39:07 +0100 Subject: [PATCH] refactor: helm admission controller config (#6501) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * refactor: helm admission controller config Signed-off-by: Charles-Edouard Brétéché * more Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché --- charts/kyverno/README.md | 25 ++++--- charts/kyverno/README.md.gotmpl | 9 +++ charts/kyverno/ci/extraContainers-values.yaml | 17 ++--- .../admission-controller/deployment.yaml | 30 ++++---- charts/kyverno/values.yaml | 71 +++++++++---------- scripts/config/dev/kyverno.yaml | 23 +++--- scripts/config/standard/kyverno.yaml | 15 ++-- 7 files changed, 105 insertions(+), 85 deletions(-) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 60b9e14f8f..75ea66b3da 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -151,6 +151,15 @@ In `v3` chart values changed significantly, please read the instructions below t - `service` has been replaced with `admissionController.service` - `metricsService` has been replaced with `admissionController.metricsService` +- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs` +- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars` +- `envVars` has been replaced with `admissionController.container.extraEnvVars` +- `extraArgs` has been replaced with `admissionController.container.extraArgs` +- `extraInitContainers` has been replaced with `admissionController.extraInitContainers` +- `extraContainers` has been replaced with `admissionController.extraContainers` +- `podLabels` has been replaced with `admissionController.podLabels` +- `podAnnotations` has been replaced with `admissionController.podAnnotations` + - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. - Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. 
@@ -206,15 +215,7 @@ The command removes all the Kubernetes components associated with the chart and | rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount | | rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | | rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | -| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. | -| podLabels | object | `{}` | Additional labels to add to each pod | -| podAnnotations | object | `{}` | Additional annotations to add to each pod | | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| envVarsInit | object | `{}` | Env variables for initContainers. | -| envVars | object | `{}` | Env variables for containers. | -| extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the binary. | -| extraInitContainers | list | `[]` | Array of extra init containers | -| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. | | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | 
@@ -228,6 +229,8 @@ The command removes all the Kubernetes components associated with the chart and | grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. | | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | admissionController.replicas | int | `nil` | Desired number of pods | +| admissionController.podLabels | object | `{}` | Additional labels to add to each pod | +| admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod | | admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | admissionController.priorityClassName | string | `""` | Optional priority class | | admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | 
@@ -261,12 +264,18 @@ The command removes all the Kubernetes components associated with the chart and | admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy | | admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| admissionController.initContainer.extraArgs | list | `["--loggingFormat=text"]` | Additional container args. | +| admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. | | admissionController.container.image.registry | string | `"ghcr.io"` | Image registry | | admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository | | admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | | admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | +| admissionController.container.extraArgs | list | `["--loggingFormat=text"]` | Additional container args. | +| admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. | +| admissionController.extraInitContainers | list | `[]` | Array of extra init containers | +| admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | | admissionController.service.port | int | `443` | Service port. | | admissionController.service.type | string | `"ClusterIP"` | Service type. | | admissionController.service.nodePort | string | `nil` | Service node port. 
Only used if `type` is `NodePort`. | diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl index a15ebbf9f0..86d80cab61 100644 --- a/charts/kyverno/README.md.gotmpl +++ b/charts/kyverno/README.md.gotmpl @@ -151,6 +151,15 @@ In `v3` chart values changed significantly, please read the instructions below t - `service` has been replaced with `admissionController.service` - `metricsService` has been replaced with `admissionController.metricsService` +- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs` +- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars` +- `envVars` has been replaced with `admissionController.container.extraEnvVars` +- `extraArgs` has been replaced with `admissionController.container.extraArgs` +- `extraInitContainers` has been replaced with `admissionController.extraInitContainers` +- `extraContainers` has been replaced with `admissionController.extraContainers` +- `podLabels` has been replaced with `admissionController.podLabels` +- `podAnnotations` has been replaced with `admissionController.podAnnotations` + - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. - Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. diff --git a/charts/kyverno/ci/extraContainers-values.yaml b/charts/kyverno/ci/extraContainers-values.yaml index ab4229b61f..a8d7265c09 100644 --- a/charts/kyverno/ci/extraContainers-values.yaml +++ b/charts/kyverno/ci/extraContainers-values.yaml 
@@ -1,9 +1,10 @@ -extraContainers: - - name: myapp-container - image: busybox - command: ['sh', '-c', 'echo Hello && sleep 3600'] +admissionController: + extraContainers: + - name: myapp-container + image: busybox + command: ['sh', '-c', 'echo Hello && sleep 3600'] -extraInitContainers: - - name: init-container - image: busybox - command: ['sh', '-c', 'echo Hello'] + extraInitContainers: + - name: init-container + image: busybox + command: ['sh', '-c', 'echo Hello'] diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index 1830d34743..6ba69494ad 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -19,10 +19,10 @@ spec: metadata: labels: {{- include "kyverno.admission-controller.labels" . | nindent 8 }} - {{- range $key, $value := .Values.podLabels }} + {{- range $key, $value := .Values.admissionController.podLabels }} {{ $key }}: {{ $value }} {{- end }} - {{- with .Values.podAnnotations }} + {{- with .Values.admissionController.podAnnotations }} annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: 
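Review bot: The relocated `podLabels` loop still emits `{{ $key }}: {{ $value }}` unquoted, so a label value that Helm parses as a number or boolean (for example `canary: true` or `version: 1.0` in values) reaches the API server as a non-string label and the Deployment is rejected, whereas the `podAnnotations` path directly below goes through `toYaml` and does not have this problem. Quoting the value in place fixes it: `{{ $key }}: {{ $value | quote }}`. The same rename appears in the cleanup-controller templates presumably too, but they are not part of this patch so I cannot confirm whether they share the pattern.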
@@ -74,15 +74,15 @@ spec: {{- end }} serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} initContainers: - {{- if .Values.extraInitContainers }} - {{- toYaml .Values.extraInitContainers | nindent 8 }} - {{- end }} + {{- with .Values.admissionController.extraInitContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} - name: kyverno-pre image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }} - {{- if .Values.initContainer.extraArgs }} + {{- with .Values.admissionController.initContainer.extraArgs }} args: - {{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }} + {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- with .Values.admissionController.initContainer.resources }} resources: 
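Review bot: The switch from `tpl (toYaml .Values.initContainer.extraArgs) .` to `tpl (toYaml .) $` inside the new `with` block is correct but easy to regress, because inside `with` the dot is the args list and only `$` carries the root context that `tpl` needs; a one-line template comment above it would protect the next edit, e.g. `{{- /* "." is the extraArgs list here; tpl must receive the root context ($) */ -}}`. For consistency, the kyverno container in the next hunk keeps the older `if` plus full-path form (`tpl (toYaml .Values.admissionController.container.extraArgs) .`) and would read the same as this block if rewritten with `with` and `$`. Note that `extraInitContainers` is inserted with plain `toYaml` and is not passed through `tpl`, so the two keys in this hunk have different templating behaviour; the values.yaml comments do not currently say so.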
@@ -105,21 +105,21 @@ spec: fieldPath: metadata.name - name: KYVERNO_DEPLOYMENT value: {{ template "kyverno.fullname" . }} - {{- with .Values.envVarsInit }} + {{- with .Values.admissionController.initContainer.extraEnvVars }} {{- toYaml . | nindent 10 }} {{- end }} containers: - {{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 8 }} - {{- end }} + {{- with .Values.admissionController.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} - name: kyverno image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }} imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }} - {{- if or .Values.extraArgs .Values.imagePullSecrets }} + {{- if or .Values.admissionController.container.extraArgs .Values.imagePullSecrets }} args: - --servicePort={{ .Values.admissionController.service.port }} - {{- if .Values.extraArgs -}} - {{ tpl (toYaml .Values.extraArgs) . | nindent 12 }} + {{- if .Values.admissionController.container.extraArgs -}} + {{ tpl (toYaml .Values.admissionController.container.extraArgs) . | nindent 12 }} {{- end }} {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} @@ -158,7 +158,7 @@ spec: value: {{ template "kyverno.admission-controller.serviceName" . }} - name: TUF_ROOT value: {{ .Values.admissionController.tufRootMountPath }} - {{- with .Values.envVars }} + {{- with .Values.admissionController.container.extraEnvVars }} {{- toYaml . | nindent 10 }} {{- end }} - name: KYVERNO_DEPLOYMENT diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index f3d407f09f..4871fb8e54 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
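Review bot: The renamed outer guard `{{- if or .Values.admissionController.container.extraArgs .Values.imagePullSecrets }}` still wraps the entire `args:` list, including `- --servicePort={{ .Values.admissionController.service.port }}`, so a user who overrides `container.extraArgs` with an empty list (or who sets only `existingImagePullSecrets`, which the inner guard accepts but the outer one never checks) silently loses `--servicePort` and `--imagePullSecrets` from the admission controller command line. `--servicePort` has no reason to be conditional: drop that outer `if` line and its matching `{{- end }}` (which lies outside this hunk, presumably right after the `--imagePullSecrets` block) so that `args:` and the `--servicePort` entry are always emitted and only the two inner `if` blocks stay conditional. Everything else in the hunk can stay as written.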
@@ -203,19 +203,6 @@ rbac: annotations: {} # example.com/annotation: value -initContainer: - # -- Extra arguments to give to the kyvernopre binary. - extraArgs: - - --loggingFormat=text - -# -- Additional labels to add to each pod -podLabels: {} - # example.com/label: foo - -# -- Additional annotations to add to each pod -podAnnotations: {} - # example.com/annotation: foo - # -- Security context for the containers securityContext: runAsNonRoot: true @@ -228,30 +215,6 @@ securityContext: seccompProfile: type: RuntimeDefault -# -- Env variables for initContainers. -envVarsInit: {} - -# -- Env variables for containers. -envVars: {} - -# -- Extra arguments to give to the binary. -extraArgs: - - --loggingFormat=text - -# -- Array of extra init containers -extraInitContainers: [] -# Example: -# - name: init-container -# image: busybox -# command: ['sh', '-c', 'echo Hello'] - -# -- Array of extra containers to run alongside kyverno -extraContainers: [] -# Example: -# - name: myapp-container -# image: busybox -# command: ['sh', '-c', 'echo Hello && sleep 3600'] - # -- Additional resources to be added to controller RBAC permissions. generatecontrollerExtraResources: [] # - ResourceA @@ -302,6 +265,14 @@ admissionController: # -- (int) Desired number of pods replicas: ~ + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + # -- Deployment update strategy. # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy # @default -- See [values.yaml](values.yaml) @@ -463,6 +434,13 @@ admissionController: cpu: 10m memory: 64Mi + # -- Additional container args. + extraArgs: + - --loggingFormat=text + + # -- Additional container environment variables. + extraEnvVars: [] + container: image: 
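Review bot: The new `extraEnvVars: []` under `initContainer` is documented only as "Additional container environment variables.", but the deployment template in this patch splices it with `toYaml . | nindent 10` straight into the container's `env:` list, so each entry must be a Kubernetes EnvVar object; the key it replaces (`envVarsInit: {}`) defaulted to a map, so a migrating user who keeps a map will get an invalid manifest rather than a clear error. Make the shape explicit in the comment, e.g. `# -- Additional container environment variables (list of EnvVar entries, rendered verbatim into env).`, and add a two-line commented example beneath the key (`# - name: FOO` / `#   value: bar`) in the style of the `extraContainers` samples elsewhere in this file. The `container.extraEnvVars` key added in the following hunk (`@@ -485,6 +463,25 @@`) needs the same comment.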
@@ -485,6 +463,25 @@ admissionController: cpu: 100m memory: 128Mi + # -- Additional container args. + extraArgs: + - --loggingFormat=text + + # -- Additional container environment variables. + extraEnvVars: [] + + # -- Array of extra init containers + extraInitContainers: [] + # - name: init-container + # image: busybox + # command: ['sh', '-c', 'echo Hello'] + + # -- Array of extra containers to run alongside kyverno + extraContainers: [] + # - name: myapp-container + # image: busybox + # command: ['sh', '-c', 'echo Hello && sleep 3600'] + service: # -- Service port. port: 443 diff --git a/scripts/config/dev/kyverno.yaml b/scripts/config/dev/kyverno.yaml index e52729e2ac..46ce379799 100644 --- a/scripts/config/dev/kyverno.yaml +++ b/scripts/config/dev/kyverno.yaml @@ -1,14 +1,3 @@ -initContainer: - extraArgs: - - --loggingFormat=json - -extraArgs: - - --loggingFormat=json - - --enableTracing - - --tracingAddress=tempo.monitoring - - --tracingPort=4317 - - --enablePolicyException - grafana: enabled: true @@ -16,6 +5,18 @@ admissionController: serviceMonitor: enabled: true + initContainer: + extraArgs: + - --loggingFormat=json + + container: + extraArgs: + - --loggingFormat=json + - --enableTracing + - --tracingAddress=tempo.monitoring + - --tracingPort=4317 + - --enablePolicyException + cleanupController: rbac: clusterRole: diff --git a/scripts/config/standard/kyverno.yaml b/scripts/config/standard/kyverno.yaml index 6e65706a7a..512b03d361 100644 --- a/scripts/config/standard/kyverno.yaml +++ b/scripts/config/standard/kyverno.yaml @@ -1,10 +1,13 @@ -initContainer: - extraArgs: - - --loggingFormat=json +admissionController: -extraArgs: - - --loggingFormat=json - - --enablePolicyException + initContainer: + extraArgs: + - --loggingFormat=json + + container: + extraArgs: + - --loggingFormat=json + - --enablePolicyException cleanupController: rbac:
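Review bot: `extraInitContainers` and `extraContainers` are inserted as-is into the pod spec by the deployment template in this patch, so the chart-level `securityContext` (described in this file as the security context for the containers) presumably does not reach them, while the pod-level `serviceAccountName` does, meaning any extra container runs with the admission controller's service account token and RBAC unless the user configures otherwise. A short comment above each key would make that visible to operators, e.g. `# Entries are rendered verbatim: set securityContext and resources on each extra container; they share the pod's service account.`. The old top-level keys prefixed their sample entries with `# Example:`; that label was dropped in the move, and restoring it keeps the commented samples recognisable as examples rather than stale defaults.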