From b4c1590ff318db4ea87acf58322230a928e24fd9 Mon Sep 17 00:00:00 2001 From: shuting Date: Wed, 1 Feb 2023 00:12:34 +0800 Subject: [PATCH] feat: template background controller (#6157) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add make targets for background controller Signed-off-by: ShutingZhao * template background controller Signed-off-by: ShutingZhao * fix code-gen manifests Signed-off-by: ShutingZhao * remove unused code Signed-off-by: ShutingZhao * trim spaces Signed-off-by: ShutingZhao * Update Makefile Co-authored-by: Charles-Edouard Brétéché Signed-off-by: shuting * Update Makefile Signed-off-by: shuting * fix Signed-off-by: ShutingZhao * refactor: move resolvers into engine api package (#6162) Signed-off-by: Charles-Edouard Brétéché * add rbac Signed-off-by: ShutingZhao * add more rbac Signed-off-by: ShutingZhao * add debug info Signed-off-by: ShutingZhao * add notes to helm install Signed-off-by: ShutingZhao * fix permissions Signed-off-by: ShutingZhao --------- Signed-off-by: ShutingZhao Signed-off-by: shuting 
Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Charles-Edouard Brétéché Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché --- .github/actions/kyverno-logs/action.yaml | 2 + .gitignore | 1 + .ko.yaml | 4 +- Makefile | 52 +++- charts/kyverno/README.md | 50 ++++ charts/kyverno/templates/NOTES.txt | 3 + .../background-controller/_helpers.tpl | 39 +++ .../background-controller/clusterrole.yaml | 77 ++++++ .../clusterrolebinding.yaml | 18 ++ .../background-controller/deployment.yaml | 126 +++++++++ .../poddisruptionbudget.yaml | 16 ++ .../templates/background-controller/role.yaml | 30 +++ .../background-controller/rolebinding.yaml | 19 ++ .../background-controller/service.yaml | 27 ++ .../background-controller/serviceaccount.yaml | 11 + charts/kyverno/values.yaml | 190 ++++++++++++++ .../main.go | 0 cmd/kyverno/main.go | 51 ---- config/install.yaml | 245 ++++++++++++++++++ scripts/config/standard/kyverno.yaml | 16 ++ 20 files changed, 919 insertions(+), 58 deletions(-) create mode 100644 charts/kyverno/templates/background-controller/_helpers.tpl create mode 100644 charts/kyverno/templates/background-controller/clusterrole.yaml create mode 100644 charts/kyverno/templates/background-controller/clusterrolebinding.yaml create mode 100644 charts/kyverno/templates/background-controller/deployment.yaml create mode 100644 charts/kyverno/templates/background-controller/poddisruptionbudget.yaml create mode 100644 charts/kyverno/templates/background-controller/role.yaml create mode 100644 charts/kyverno/templates/background-controller/rolebinding.yaml create mode 100644 charts/kyverno/templates/background-controller/service.yaml create mode 100644 charts/kyverno/templates/background-controller/serviceaccount.yaml rename cmd/{updaterequest-controller => background-controller}/main.go (100%) 
diff --git a/.github/actions/kyverno-logs/action.yaml b/.github/actions/kyverno-logs/action.yaml index f03b4a5827..ff36ff6130 100644 --- a/.github/actions/kyverno-logs/action.yaml +++ b/.github/actions/kyverno-logs/action.yaml @@ -17,7 +17,9 @@ runs: run: | kubectl -n kyverno logs deploy/kyverno --all-containers -p || true kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers -p || true + kubectl -n kyverno logs deploy/kyverno-background-controller --all-containers -p || true - shell: bash run: | kubectl -n kyverno logs deploy/kyverno --all-containers kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers + kubectl -n kyverno logs deploy/kyverno-background-controller --all-containers diff --git a/.gitignore b/.gitignore index 6978c3d703..dabd532d49 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,7 @@ cmd/kyverno/kyverno cmd/kyverno-init/kyvernopre cmd/cleanup-controller/cleanup-controller cmd/reports-controller/reports-controller +cmd/background-controller/background-controller /release .DS_Store .tools diff --git a/.ko.yaml b/.ko.yaml index 755f6b7330..874a581f1d 100644 --- a/.ko.yaml +++ b/.ko.yaml @@ -24,7 +24,7 @@ builds: ldflags: - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' -- id: updaterequest-controller - main: ./cmd/updaterequest-controller +- id: background-controller + main: ./cmd/background-controller ldflags: - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' diff --git a/Makefile b/Makefile index 2842a9409d..9ad035bc7a 100644 --- a/Makefile +++ b/Makefile 
@@ -27,11 +27,13 @@ KYVERNO_IMAGE := kyverno CLI_IMAGE := kyverno-cli CLEANUP_IMAGE := cleanup-controller REPORTS_IMAGE := reports-controller +BACKGROUND_IMAGE := background-controller REPO_KYVERNOPRE := $(REGISTRY)/$(REPO)/$(KYVERNOPRE_IMAGE) REPO_KYVERNO := $(REGISTRY)/$(REPO)/$(KYVERNO_IMAGE) REPO_CLI := $(REGISTRY)/$(REPO)/$(CLI_IMAGE) REPO_CLEANUP := $(REGISTRY)/$(REPO)/$(CLEANUP_IMAGE) REPO_REPORTS := $(REGISTRY)/$(REPO)/$(REPORTS_IMAGE) +REPO_BACKGROUND := $(REGISTRY)/$(REPO)/$(BACKGROUND_IMAGE) USE_CONFIG ?= standard ######### @@ -139,11 +141,13 @@ KYVERNOPRE_DIR := $(CMD_DIR)/kyverno-init CLI_DIR := $(CMD_DIR)/cli/kubectl-kyverno CLEANUP_DIR := $(CMD_DIR)/cleanup-controller REPORTS_DIR := $(CMD_DIR)/reports-controller +BACKGROUND_DIR := $(CMD_DIR)/background-controller KYVERNO_BIN := $(KYVERNO_DIR)/kyverno KYVERNOPRE_BIN := $(KYVERNOPRE_DIR)/kyvernopre CLI_BIN := $(CLI_DIR)/kubectl-kyverno CLEANUP_BIN := $(CLEANUP_DIR)/cleanup-controller REPORTS_BIN := $(REPORTS_DIR)/reports-controller +BACKGROUND_BIN := $(BACKGROUND_DIR)/background-controller PACKAGE ?= github.com/kyverno/kyverno CGO_ENABLED ?= 0 LD_FLAGS = "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)" @@ -207,6 +211,10 @@ $(REPORTS_BIN): fmt vet @echo Build reports controller binary... >&2 @CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o ./$(REPORTS_BIN) -ldflags=$(LD_FLAGS) ./$(REPORTS_DIR) +$(REPORTS_BIN): fmt vet + @echo Build background controller binary... >&2 + @CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(BACKGROUND_BIN) -ldflags=$(LD_FLAGS) $(BACKGROUND_DIR) + .PHONY: build-kyverno-init build-kyverno-init: $(KYVERNOPRE_BIN) ## Build kyvernopre binary 
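Review bot: The build rule added in the `@@ -207` hunk is declared for `$(REPORTS_BIN)` instead of `$(BACKGROUND_BIN)`, so it overrides the reports controller recipe (make warns "overriding recipe for target") and `build-background-controller` has no rule that produces `$(BACKGROUND_BIN)`. The target line should read `$(BACKGROUND_BIN): fmt vet`. The recipe also drops the `./` prefix that the sibling rule uses in `-o ./$(REPORTS_BIN)` and `./$(REPORTS_DIR)`; harmless, but worth aligning so the rules read the same.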
@@ -222,7 +230,10 @@ build-cleanup-controller: $(CLEANUP_BIN) ## Build cleanup controller binary .PHONY: build-reports-controller build-reports-controller: $(REPORTS_BIN) ## Build reports controller binary -build-all: build-kyverno-init build-kyverno build-cli build-cleanup-controller build-reports-controller ## Build all binaries +.PHONY: build-background-controller +build-background-controller: $(BACKGROUND_BIN) ## Build background controller binary + +build-all: build-kyverno-init build-kyverno build-cli build-cleanup-controller build-reports-controller build-background-controller ## Build all binaries ############## # BUILD (KO) # 
@@ -263,14 +274,24 @@ ko-build-reports-controller: $(KO) ## Build reports controller local image (with @echo Build reports controller local image with ko... >&2 @LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) $(KO) build ./$(REPORTS_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(LOCAL_PLATFORM) +.PHONY: ko-build-background-controller +ko-build-background-controller: $(KO) ## Build background controller local image (with ko) + @echo Build background controller local image with ko... >&2 + @LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=ko.local $(KO) build ./$(BACKGROUND_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(LOCAL_PLATFORM) + .PHONY: ko-build-all -ko-build-all: ko-build-kyverno-init ko-build-kyverno ko-build-cli ko-build-cleanup-controller ko-build-reports-controller ## Build all local images (with ko) +ko-build-all: ko-build-kyverno-init ko-build-kyverno ko-build-cli ko-build-cleanup-controller ko-build-reports-controller ko-build-background-controller ## Build all local images (with ko) ################ # PUBLISH (KO) # ################ REGISTRY_USERNAME ?= dummy +KO_KYVERNOPRE_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/kyverno-init +KO_KYVERNO_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/kyverno +KO_CLEANUP_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/cleanup-controller +KO_REPORTS_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/reports-controller +KO_BACKGROUND_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/background-controller PLATFORMS := linux/amd64,linux/arm64,linux/s390x .PHONY: ko-login 
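Review bot: `ko-build-background-controller` hard-codes `KO_DOCKER_REPO=ko.local` where the sibling `ko-build-reports-controller` in the same hunk uses `$(KO_REGISTRY)`, so overriding `KO_REGISTRY` will redirect every other local image but not this one; use `KO_DOCKER_REPO=$(KO_REGISTRY)`. Of the five `KO_*_IMAGE` variables added under PUBLISH (KO), only `KO_BACKGROUND_IMAGE` is consumed in this diff (via `LOCAL_BACKGROUND_IMAGE` further down); if the other four are not referenced elsewhere they are dead declarations, and if they are meant to replace the `*_REPO` scheme for all controllers the remaining `kind-load-*` targets should move in the same change.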
@@ -297,6 +318,10 @@ ko-publish-cleanup-controller: ko-login ## Build and publish cleanup controller ko-publish-reports-controller: ko-login ## Build and publish reports controller image (with ko) @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS) $(KO) build $(REPORTS_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) +.PHONY: ko-publish-backgound-controller +ko-publish-backgound-controller: ko-login ## Build and publish background controller image (with ko) + @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS) $(KO) build $(BACKGROUND_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) + .PHONY: ko-publish-kyverno-init-dev ko-publish-kyverno-init-dev: ko-login ## Build and publish kyvernopre dev image (with ko) @LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNOPRE) $(KO) build $(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(PLATFORMS) 
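Review bot: `ko-publish-backgound-controller` publishes with `KO_DOCKER_REPO=$(REPO_REPORTS)`, so the background controller image is pushed to the reports controller repository and, with `--bare --tags=$(KO_TAGS)`, overwrites the reports controller image under the same tags; `ko-publish-background-controller-dev` in the next hunk has the same mistake. Both should use `KO_DOCKER_REPO=$(REPO_BACKGROUND)`, which this patch defines in the `@@ -27` hunk. The target name is also misspelled (`backgound`); `ko-publish-all` references the misspelling so the build works, but both occurrences should become `ko-publish-background-controller` before anything scripts against it.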
@@ -317,11 +342,16 @@ ko-publish-cleanup-controller-dev: ko-login ## Build and publish cleanup control ko-publish-reports-controller-dev: ko-login ## Build and publish reports controller dev image (with ko) @LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS) $(KO) build $(REPORTS_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(PLATFORMS) +.PHONY: ko-publish-background-controller-dev +ko-publish-background-controller-dev: ko-login ## Build and publish background controller dev image (with ko) + @LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS) $(KO) build $(BACKGROUND_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(PLATFORMS) + + .PHONY: ko-publish-all -ko-publish-all: ko-publish-kyverno-init ko-publish-kyverno ko-publish-cli ko-publish-cleanup-controller ko-publish-reports-controller ## Build and publish all images (with ko) +ko-publish-all: ko-publish-kyverno-init ko-publish-kyverno ko-publish-cli ko-publish-cleanup-controller ko-publish-reports-controller ko-publish-backgound-controller ## Build and publish all images (with ko) .PHONY: ko-publish-all-dev -ko-publish-all-dev: ko-publish-kyverno-init-dev ko-publish-kyverno-dev ko-publish-cli-dev ko-publish-cleanup-controller-dev ko-publish-reports-controller-dev ## Build and publish all dev images (with ko) +ko-publish-all-dev: ko-publish-kyverno-init-dev ko-publish-kyverno-dev ko-publish-cli-dev ko-publish-cleanup-controller-dev ko-publish-reports-controller-dev ko-publish-background-controller-dev ## Build and publish all dev images (with ko) ################# # BUILD (IMAGE) # 
@@ -333,6 +363,7 @@ LOCAL_KYVERNOPRE_REPO := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper LOCAL_KYVERNO_REPO := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_KYVERNO_REPO) LOCAL_CLEANUP_REPO := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_CLEANUP_REPO) LOCAL_REPORTS_REPO := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_REPORTS_REPO) +LOCAL_BACKGROUND_IMAGE := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_BACKGROUND_IMAGE) .PHONY: image-build-kyverno-init image-build-kyverno-init: $(BUILD_WITH)-build-kyverno-init @@ -349,6 +380,9 @@ image-build-cleanup-controller: $(BUILD_WITH)-build-cleanup-controller .PHONY: image-build-reports-controller image-build-reports-controller: $(BUILD_WITH)-build-reports-controller +.PHONY: image-build-background-controller +image-build-background-controller: $(BUILD_WITH)-build-background-controller + .PHONY: image-build-all image-build-all: $(BUILD_WITH)-build-all @@ -467,6 +501,7 @@ codegen-manifest-install: $(HELM) ## Create install manifest --set initImage.tag=latest \ --set cleanupController.image.tag=latest \ --set reportsController.image.tag=latest \ + --set backgroundController.image.tag=latest \ | $(SED) -e '/^#.*/d' \ > ./config/install.yaml 
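Review bot: `LOCAL_BACKGROUND_IMAGE` breaks the `LOCAL_*_REPO` pattern of the surrounding lines: it expands `$(<BUILD_WITH>_BACKGROUND_IMAGE)`, which this patch defines only for the `KO_` prefix. Unless a `DOCKER_BACKGROUND_IMAGE` exists elsewhere in the Makefile, `BUILD_WITH=docker` leaves `kind-load-background-controller` trying to load `:$(IMAGE_TAG_DEV)` with an empty image name. Either define the docker variant next to it or follow the existing `LOCAL_REPORTS_REPO` scheme (registry plus repository) that `kind-deploy-kyverno` passes through `--set ...image.registry` and `--set ...image.repository`.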
@@ -734,8 +769,13 @@ kind-load-reports-controller: $(KIND) image-build-reports-controller ## Build re @echo Load reports controller image... >&2 @$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_REGISTRY)/$(LOCAL_REPORTS_REPO):$(IMAGE_TAG_DEV) +.PHONY: kind-load-background-controller +kind-load-background-controller: $(KIND) image-build-background-controller ## Build background controller image and load it in kind cluster + @echo Load background controller image... >&2 + @$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_BACKGROUND_IMAGE):$(IMAGE_TAG_DEV) + .PHONY: kind-load-all -kind-load-all: kind-load-kyverno-init kind-load-kyverno kind-load-cleanup-controller kind-load-reports-controller ## Build images and load them in kind cluster +kind-load-all: kind-load-kyverno-init kind-load-kyverno kind-load-cleanup-controller kind-load-reports-controller kind-load-background-controller ## Build images and load them in kind cluster .PHONY: kind-deploy-kyverno kind-deploy-kyverno: $(HELM) kind-load-all ## Build images, load them in kind cluster and deploy kyverno helm chart @@ -753,6 +793,8 @@ kind-deploy-kyverno: $(HELM) kind-load-all ## Build images, load them in kind cl --set reportsController.image.registry=$(LOCAL_REGISTRY) \ --set reportsController.image.repository=$(LOCAL_REPORTS_REPO) \ --set reportsController.image.tag=$(IMAGE_TAG_DEV) \ + --set backgroundController.image.repository=$(LOCAL_BACKGROUND_IMAGE) \ + --set backgroundController.image.tag=$(IMAGE_TAG_DEV) \ --values ./scripts/config/$(USE_CONFIG)/kyverno.yaml .PHONY: kind-deploy-kyverno-policies diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 23db331482..8cb26ae79e 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -354,6 +354,56 @@ The command removes all the Kubernetes components associated with the chart and | reportsController.metering.port | int | `8000` | Prometheus endpoint port | | reportsController.metering.collector | string | `""` | Otel collector endpoint | | reportsController.metering.creds | string | `""` | Otel collector credentials | +| backgroundController.enabled | bool | `true` | Enable background controller. | +| backgroundController.rbac.create | bool | `true` | Create RBAC resources | +| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | +| backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| backgroundController.image.registry | string | `nil` | Image registry | +| backgroundController.image.repository | string | `"ghcr.io/kyverno/background-controller"` | Image repository | +| backgroundController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| backgroundController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| backgroundController.image.pullSecrets | list | `[]` | Image pull secrets | +| backgroundController.replicas | int | `nil` | Desired number of pods | +| backgroundController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| backgroundController.priorityClassName | string | `""` | Optional priority class | +| backgroundController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. 
| +| backgroundController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| backgroundController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line | +| backgroundController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | +| backgroundController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | +| backgroundController.nodeSelector | object | `{}` | Node labels for pod assignment | +| backgroundController.tolerations | list | `[]` | List of node taints to tolerate | +| backgroundController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| backgroundController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| backgroundController.podAffinity | object | `{}` | Pod affinity constraints. | +| backgroundController.nodeAffinity | object | `{}` | Node affinity constraints. | +| backgroundController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| backgroundController.podSecurityContext | object | `{}` | Security context for the pod | +| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. 
| +| backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| backgroundController.metricsService.create | bool | `true` | Create service. | +| backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | +| backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. | +| backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | +| backgroundController.metricsService.annotations | object | `{}` | Service annotations. | +| backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | +| backgroundController.serviceMonitor.additionalLabels | string | `nil` | Additional labels | +| backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) | +| backgroundController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| backgroundController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| backgroundController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| backgroundController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| backgroundController.tracing.enabled | bool | `false` | Enable tracing | +| backgroundController.tracing.address | string | `nil` | Traces receiver address | +| backgroundController.tracing.port | string | `nil` | Traces receiver port | +| backgroundController.tracing.creds | string | `""` | Traces receiver credentials | +| backgroundController.logging.format | string | `"text"` | Logging format | +| backgroundController.metering.disabled | bool | `false` | Disable metrics export | +| 
backgroundController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| backgroundController.metering.port | int | `8000` | Prometheus endpoint port | +| backgroundController.metering.collector | string | `""` | Otel collector endpoint | +| backgroundController.metering.creds | string | `""` | Otel collector credentials | ## TLS Configuration diff --git a/charts/kyverno/templates/NOTES.txt b/charts/kyverno/templates/NOTES.txt index fba86cb2de..cd50070aba 100644 --- a/charts/kyverno/templates/NOTES.txt +++ b/charts/kyverno/templates/NOTES.txt @@ -14,6 +14,9 @@ The following components have been installed in your cluster: {{- if .Values.cleanupController.enabled }} - Cleanup controller {{- end }} +{{- if .Values.backgroundController.enabled }} +- Background controller +{{- end }} {{- if .Values.grafana.enabled }} - Grafana dashboard {{- end }} diff --git a/charts/kyverno/templates/background-controller/_helpers.tpl b/charts/kyverno/templates/background-controller/_helpers.tpl new file mode 100644 index 0000000000..ffa1ebab90 --- /dev/null +++ b/charts/kyverno/templates/background-controller/_helpers.tpl 
@@ -0,0 +1,39 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.background-controller.name" -}} +{{ template "kyverno.name" . }}-background-controller +{{- end -}} + +{{- define "kyverno.background-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.background-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "background-controller") +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.image" -}} +{{- if .image.registry -}} + {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- else -}} + {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.background-controller.roleName" -}} +{{ .Release.Name }}:background-controller +{{- end -}} + +{{- define "kyverno.background-controller.serviceAccountName" -}} +{{- if .Values.backgroundController.rbac.create -}} + {{ default (include "kyverno.background-controller.name" .) .Values.backgroundController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.backgroundController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/clusterrole.yaml b/charts/kyverno/templates/background-controller/clusterrole.yaml new file mode 100644 index 0000000000..e8627c30f6 --- /dev/null +++ b/charts/kyverno/templates/background-controller/clusterrole.yaml 
@@ -0,0 +1,77 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }}:core + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - updaterequests + - updaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + resources: + - events + verbs: + - create + - update + - patch + - delete + - deletecollection +{{- with .Values.backgroundController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.background-controller.labels" $ | nindent 4 }} +rules: + {{- range . }} + - apiGroups: + {{- toYaml .apiGroups | nindent 6 }} + resources: + {{- toYaml .resources | nindent 6 }} + verbs: + - create + - update + - patch + - delete + - get + - list + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kyverno/templates/background-controller/clusterrolebinding.yaml b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml new file mode 100644 index 0000000000..7dcbfffe6c --- /dev/null +++ b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 
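Review bot: The `:core` ClusterRole grants `get`, `list` and `watch` on `*` resources in `*` API groups, which makes the background controller's service account a cluster-wide reader of everything, Secrets and ServiceAccount tokens included. If that breadth is required so the controller can generate and mutate arbitrary existing resources, say so in a comment above the rule and in the `extraResources` documentation in values.yaml so operators know what they are granting; otherwise enumerate the kinds the controller actually reconciles, as the `:additional` role already does for write access. Note also that the `:additional` rules omit `watch` while the core rule includes it, so resources added through `extraResources` can be written but not watched through that role; confirm that is intended.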
@@ -0,0 +1,18 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.rbac.create -}}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "kyverno.background-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kyverno.background-controller.roleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "kyverno.background-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml
new file mode 100644
index 0000000000..cb896335d9
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/deployment.yaml
@@ -0,0 +1,126 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.background-controller.name" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +spec: + {{- with .Values.backgroundController.replicas }} + replicas: {{ . }} + {{- end }} + {{- with .Values.backgroundController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.background-controller.labels" . | nindent 8 }} + spec: + {{- with .Values.backgroundController.image.pullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.backgroundController.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.backgroundController.dnsPolicy }} + dnsPolicy: {{ . 
}} + {{- end }} + {{- if or .Values.backgroundController.antiAffinity.enabled .Values.backgroundController.podAffinity .Values.backgroundController.nodeAffinity }} + affinity: + {{- if .Values.backgroundController.antiAffinity.enabled }} + {{- with .Values.backgroundController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.backgroundController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.backgroundController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }} + containers: + - name: controller + image: {{ include "kyverno.background-controller.image" (dict "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + - --loggingFormat={{ .Values.backgroundController.logging.format }} + {{- if .Values.backgroundController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.backgroundController.tracing.address }} + - --tracingPort={{ .Values.backgroundController.tracing.port }} + {{- with .Values.backgroundController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.backgroundController.metering.disabled }} + {{- if not .Values.backgroundController.metering.disabled }} + - --otelConfig={{ .Values.backgroundController.metering.config }} + - --metricsPort={{ .Values.backgroundController.metering.port }} + {{- with .Values.backgroundController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.backgroundController.metering.creds }} + - --transportCreds={{ . }} + {{- end }} + {{- end }} + {{- range .Values.backgroundController.extraArgs }} + - {{ . 
}} + {{- end }} + env: + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.backgroundController.resources }} + resources: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.backgroundController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml new file mode 100644 index 0000000000..7808aed3f4 --- /dev/null +++ b/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if (gt (int .Values.backgroundController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.backgroundController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/role.yaml b/charts/kyverno/templates/background-controller/role.yaml new file mode 100644 index 0000000000..725c453d44 --- /dev/null +++ b/charts/kyverno/templates/background-controller/role.yaml 
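Review bot: `--tracingCreds={{ . }}` and `--transportCreds={{ . }}` place credential values in the container args, where they are readable in the Deployment and Pod specs and in the process command line by anyone with read access to pods; values.yaml typing `creds` as a plain string reinforces that. Prefer sourcing them from a Secret through `env`/`valueFrom.secretKeyRef`, provided the binary can read them from the environment; the other controllers appear to follow the same args pattern, so this may be a follow-up for all of them rather than a blocker here. Separately, `containerPort: 8000` is fixed while `--metricsPort={{ .Values.backgroundController.metering.port }}` is configurable, so a non-default `metering.port` leaves the declared port out of sync; the same fixed `targetPort: 8000` appears in service.yaml. Use `{{ .Values.backgroundController.metering.port }}` in both places (the documented default is 8000, so default rendering is unchanged).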
@@ -0,0 +1,30 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "kyverno.background-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+ namespace: {{ template "kyverno.namespace" . }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - update
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/background-controller/rolebinding.yaml b/charts/kyverno/templates/background-controller/rolebinding.yaml
new file mode 100644
index 0000000000..1eef40c708
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.rbac.create -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "kyverno.background-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+ namespace: {{ template "kyverno.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kyverno.background-controller.roleName" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kyverno.background-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/background-controller/service.yaml b/charts/kyverno/templates/background-controller/service.yaml
new file mode 100644
index 0000000000..ad84fdfd39
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/service.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.metricsService.create -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kyverno.background-controller.name" . }}-metrics
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+ {{- with .Values.backgroundController.metricsService.annotations }}
+ annotations:
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - port: {{ .Values.backgroundController.metricsService.port }}
+ targetPort: 8000
+ protocol: TCP
+ name: metrics-port
+ {{- if and (eq .Values.backgroundController.metricsService.type "NodePort") (not (empty .Values.backgroundController.metricsService.nodePort)) }}
+ nodePort: {{ .Values.backgroundController.metricsService.nodePort }}
+ {{- end }}
+ selector:
+ {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }}
+ type: {{ .Values.backgroundController.metricsService.type }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/background-controller/serviceaccount.yaml b/charts/kyverno/templates/background-controller/serviceaccount.yaml
new file mode 100644
index 0000000000..067add7a96
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kyverno.background-controller.serviceAccountName" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+ namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 6c257a2a07..80c9a4bef1 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
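Review bot: `targetPort: 8000` in service.yaml is hard-coded while the scrape port is configurable through `backgroundController.metering.port` in values.yaml (default 8000), so changing that value leaves the metrics Service pointing at a port nothing listens on; `targetPort: {{ .Values.backgroundController.metering.port }}`, or the named container port `targetPort: metrics` that the rendered Deployment in config/install.yaml exposes, keeps the two in step. The deployment template that builds `--metricsPort` is outside this chunk, so I cannot confirm which value it reads; the rendered manifest shows `--metricsPort=8000` next to a containerPort named `metrics` on 8000.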
@@ -983,3 +983,193 @@ reportsController:
 collector: ''
 # -- Otel collector credentials
 creds: ''
+
+# Background controller configuration
+backgroundController:
+
+ # -- Enable background controller.
+ enabled: true
+
+ rbac:
+ # -- Create RBAC resources
+ create: true
+
+ serviceAccount:
+ # -- Service account name
+ name:
+
+ clusterRole:
+ # -- Extra resource permissions to add in the cluster role
+ extraResources: []
+ # - apiGroups:
+ # - ''
+ # resources:
+ # - pods
+
+ image:
+ # -- (string) Image registry
+ registry: ~
+ # If you want to manage the registry you should remove it from the repository
+ # registry: ghcr.io
+ # repository: kyverno/background-controller
+ # -- Image repository
+ repository: ghcr.io/kyverno/background-controller
+ # -- Image tag
+ # Defaults to appVersion in Chart.yaml if omitted
+ tag: # replaced in e2e tests
+ # -- Image pull policy
+ pullPolicy: IfNotPresent
+ # -- Image pull secrets
+ pullSecrets: []
+ # - secretName
+
+ # -- (int) Desired number of pods
+ replicas: ~
+
+ # -- Deployment update strategy.
+ # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ # @default -- See [values.yaml](values.yaml)
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 40%
+ type: RollingUpdate
+
+ # -- Optional priority class
+ priorityClassName: ''
+
+ # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
+ # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
+ # Update the `dnsPolicy` accordingly as well to suit the host network mode.
+ hostNetwork: false
+
+ # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
+ # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
+ # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
+ dnsPolicy: ClusterFirst
+
+ # -- Extra arguments passed to the container on the command line
+ extraArgs: []
+
+ resources:
+ # -- Pod resource limits
+ limits:
+ memory: 128Mi
+ # -- Pod resource requests
+ requests:
+ cpu: 100m
+ memory: 64Mi
+
+ # -- Node labels for pod assignment
+ nodeSelector: {}
+
+ # -- List of node taints to tolerate
+ tolerations: []
+
+ antiAffinity:
+ # -- Pod antiAffinities toggle.
+ # Enabled by default but can be disabled if you want to schedule pods to the same node.
+ enabled: true
+
+ # -- Pod anti affinity constraints.
+ # @default -- See [values.yaml](values.yaml)
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - reports-controller
+ topologyKey: kubernetes.io/hostname
+
+ # -- Pod affinity constraints.
+ podAffinity: {}
+
+ # -- Node affinity constraints.
+ nodeAffinity: {}
+
+ # -- Topology spread constraints.
+ topologySpreadConstraints: []
+
+ # -- Security context for the pod
+ podSecurityContext: {}
+
+ # -- Security context for the containers
+ securityContext:
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+
+ podDisruptionBudget:
+ # -- Configures the minimum available pods for disruptions.
+ # Cannot be used if `maxUnavailable` is set.
+ minAvailable: 1
+ # -- Configures the maximum unavailable pods for disruptions.
+ # Cannot be used if `minAvailable` is set.
+ maxUnavailable:
+
+ metricsService:
+ # -- Create service.
+ create: true
+ # -- Service port.
+ # Metrics server will be exposed at this port.
+ port: 8000
+ # -- Service type.
+ type: ClusterIP
+ # -- Service node port.
+ # Only used if `metricsService.type` is `NodePort`.
+ nodePort:
+ # -- Service annotations.
+ annotations: {} + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: + # key: value + # -- Override namespace (default is the same as kyverno) + namespace: + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' + + logging: + # -- Logging format + format: text + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' diff --git a/cmd/updaterequest-controller/main.go b/cmd/background-controller/main.go similarity index 100% rename from cmd/updaterequest-controller/main.go rename to cmd/background-controller/main.go diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index ef5c7d19c2..58571bd0fc 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -13,7 +13,6 @@ import ( "github.com/go-logr/logr" "github.com/kyverno/kyverno/cmd/internal" - "github.com/kyverno/kyverno/pkg/background" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions" "github.com/kyverno/kyverno/pkg/clients/dclient" @@ -37,7 +36,6 @@ import ( "github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/metrics" "github.com/kyverno/kyverno/pkg/openapi" - "github.com/kyverno/kyverno/pkg/policy" "github.com/kyverno/kyverno/pkg/policycache" "github.com/kyverno/kyverno/pkg/registryclient" "github.com/kyverno/kyverno/pkg/tls" 
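Review bot: The default `podAntiAffinity` in the new `backgroundController` block matches `app.kubernetes.io/component` against `reports-controller` instead of `background-controller`, so the background controller's replicas are spread away from reports-controller pods rather than from each other; the rendered Deployment in config/install.yaml carries the same value, and the fix is `- background-controller` in the `values:` list. Separately, the rendered core ClusterRole for this controller grants get/list/watch on `*`/`*` cluster-wide, which includes Secrets in every namespace, while values.yaml only documents the additive `clusterRole.extraResources`; a values comment or README line stating that baseline read scope would let operators assess it before leaving `enabled: true`.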
@@ -109,12 +107,9 @@ func createNonLeaderControllers( kyvernoInformer kyvernoinformer.SharedInformerFactory, kyvernoClient versioned.Interface, dynamicClient dclient.Interface, - rclient registryclient.Client, configuration config.Configuration, policyCache policycache.Cache, - eventGenerator event.Interface, manager openapi.Manager, - informerCacheResolvers engineapi.ConfigmapResolver, ) ([]internal.Controller, func() error) { policyCacheController := policycachecontroller.NewController( dynamicClient, @@ -130,24 +125,10 @@ func createNonLeaderControllers( configuration, kubeKyvernoInformer.Core().V1().ConfigMaps(), ) - updateRequestController := background.NewController( - kyvernoClient, - dynamicClient, - engine.LegacyContextLoaderFactory(rclient), - kyvernoInformer.Kyverno().V1().ClusterPolicies(), - kyvernoInformer.Kyverno().V1().Policies(), - kyvernoInformer.Kyverno().V1beta1().UpdateRequests(), - kubeInformer.Core().V1().Namespaces(), - kubeKyvernoInformer.Core().V1().Pods(), - eventGenerator, - configuration, - informerCacheResolvers, - ) return []internal.Controller{ internal.NewController(policycachecontroller.ControllerName, policyCacheController, policycachecontroller.Workers), internal.NewController(openapicontroller.ControllerName, openApiController, openapicontroller.Workers), internal.NewController(configcontroller.ControllerName, configurationController, configcontroller.Workers), - internal.NewController("update-request-controller", updateRequestController, genWorkers), }, func() error { return policyCacheController.WarmUp() 
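Review bot: With the update-request controller removed from `createNonLeaderControllers`, UpdateRequests are only processed when the new background controller is deployed, yet the chart exposes `backgroundController.enabled` and nothing visible here guards the case where it is set to false while generate or mutateExisting policies exist. A one-line comment at the removal site such as `// UpdateRequests are reconciled by cmd/background-controller; this binary no longer runs that controller` plus a caveat in the chart's install notes would make the new deployment dependency explicit to operators upgrading in place. The function body continues outside the hunk, and the leader-controller hunk below makes the equivalent removal for the policy controller.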
@@ -165,33 +146,10 @@ func createrLeaderControllers( kubeClient kubernetes.Interface, kyvernoClient versioned.Interface, dynamicClient dclient.Interface, - rclient registryclient.Client, - configuration config.Configuration, - metricsConfig metrics.MetricsConfigManager, - eventGenerator event.Interface, certRenewer tls.CertRenewer, runtime runtimeutils.Runtime, - configMapResolver engineapi.ConfigmapResolver, servicePort int32, ) ([]internal.Controller, func(context.Context) error, error) { - policyCtrl, err := policy.NewPolicyController( - kyvernoClient, - dynamicClient, - engine.LegacyContextLoaderFactory(rclient), - kyvernoInformer.Kyverno().V1().ClusterPolicies(), - kyvernoInformer.Kyverno().V1().Policies(), - kyvernoInformer.Kyverno().V1beta1().UpdateRequests(), - configuration, - eventGenerator, - kubeInformer.Core().V1().Namespaces(), - configMapResolver, - logging.WithName("PolicyController"), - time.Hour, - metricsConfig, - ) - if err != nil { - return nil, nil, err - } certManager := certmanager.NewController( kubeKyvernoInformer.Core().V1().Secrets(), certRenewer, @@ -241,7 +199,6 @@ func createrLeaderControllers( genericwebhookcontroller.None, ) return []internal.Controller{ - internal.NewController("policy-controller", policyCtrl, 2), internal.NewController(certmanager.ControllerName, certManager, certmanager.Workers), internal.NewController(webhookcontroller.ControllerName, webhookController, webhookcontroller.Workers), internal.NewController(exceptionWebhookControllerName, exceptionWebhookController, 1), @@ -405,12 +362,9 @@ func main() { kyvernoInformer, kyvernoClient, dClient, - rclient, configuration, policyCache, - eventGenerator, openApiManager, - configMapResolver, ) // start informers and wait for cache sync if !internal.StartInformersAndWaitForCacheSync(signalCtx, kyvernoInformer, kubeInformer, kubeKyvernoInformer, cacheInformer) { 
@@ -452,13 +406,8 @@ func main() { kubeClient, kyvernoClient, dClient, - rclient, - configuration, - metricsConfig, - eventGenerator, certRenewer, runtime, - configMapResolver, int32(servicePort), ) if err != nil { diff --git a/config/install.yaml b/config/install.yaml index 973a9dfc52..fe218b3f95 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -21,6 +21,17 @@ metadata: --- apiVersion: v1 kind: ServiceAccount +metadata: + name: kyverno-background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest + namespace: kyverno +--- +apiVersion: v1 +kind: ServiceAccount metadata: name: kyverno-cleanup-controller namespace: kyverno 
@@ -31500,6 +31511,65 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +aggregationRule: + clusterRoleSelectors: + - matchLabels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller:core + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - updaterequests + - updaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + resources: + - events + verbs: + - create + - update + - patch + - delete + - deletecollection +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: kyverno:cleanup-controller labels: @@ -31775,6 +31845,24 @@ subjects: --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:background-controller +subjects: +- kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kyverno:cleanup-controller labels: 
@@ -31870,6 +31958,36 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest + namespace: kyverno +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: name: kyverno:cleanup-controller labels: @@ -31959,6 +32077,25 @@ subjects: --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest + namespace: kyverno +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:background-controller +subjects: + - kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kyverno:cleanup-controller labels: @@ -32041,6 +32178,28 @@ spec: --- apiVersion: v1 kind: Service +metadata: + name: kyverno-background-controller-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service metadata: name: kyverno-cleanup-controller namespace: kyverno 
@@ -32282,6 +32441,92 @@ spec: --- apiVersion: apps/v1 kind: Deployment +metadata: + name: kyverno-background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest + namespace: kyverno +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - reports-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-background-controller + containers: + - name: controller + image: "ghcr.io/kyverno/background-controller:latest" + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + - --loggingFormat=text + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + env: + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment metadata: 
 name: kyverno-cleanup-controller
 labels:
diff --git a/scripts/config/standard/kyverno.yaml b/scripts/config/standard/kyverno.yaml
index b9c670c4f3..7810c15f2b 100644
--- a/scripts/config/standard/kyverno.yaml
+++ b/scripts/config/standard/kyverno.yaml
@@ -14,3 +14,19 @@ cleanupController:
 - ''
 resources:
 - pods
+
+backgroundController:
+ rbac:
+ clusterRole:
+ extraResources:
+ - apiGroups:
+ - '*'
+ resources:
+ - configmaps
+ - secrets
+ - roles
+ - rolebindings
+ - limitranges
+ - namespaces
+ - nodes
+ - nodes/status
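Review bot: The new `extraResources` entry uses `apiGroups: '*'` for resources that live in two known groups, the core group (`''`) for configmaps, secrets, limitranges, namespaces, nodes and nodes/status and `rbac.authorization.k8s.io` for roles and rolebindings, so the wildcard grants those resource names in every API group; splitting it into two entries with explicit groups, as the `cleanupController` entry above already does with `- ''`, keeps the grant precise. The verbs attached to these entries come from the chart's clusterrole template, which is outside this chunk; if they include create or update, note that write access to roles and rolebindings lets the controller's service account hand out RBAC, which deserves a comment here explaining the scope this config is meant for.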