From cb80329a79fd9ed6605916be87738fe54d896cf4 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Tue, 28 Nov 2023 12:36:02 +0200
Subject: [PATCH] fix: cleanup older policy reports (#9026)
Signed-off-by: Mariam Fahmy
---
 charts/kyverno/README.md | 7 +++
 .../kyverno/templates/hooks/post-upgrade.yaml | 58 +++++++++++++++++++
 charts/kyverno/values.yaml | 33 +++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 charts/kyverno/templates/hooks/post-upgrade.yaml
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 4e5720a86b..cf93507fab 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -731,6 +731,13 @@ The chart values are organised per component.
 | imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
 | existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
 | customLabels | object | `{}` | Additional labels |
+| policyReportsCleanup.enabled | bool | `true` | Create a helm post-upgrade hook to cleanup the old policy reports. |
+| policyReportsCleanup.image.registry | string | `nil` | Image registry |
+| policyReportsCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository |
+| policyReportsCleanup.image.tag | string | `"1.28.4"` | Image tag Defaults to `latest` if omitted |
+| policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod |
+| policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
 
 ## TLS Configuration
 
diff --git a/charts/kyverno/templates/hooks/post-upgrade.yaml b/charts/kyverno/templates/hooks/post-upgrade.yaml
new file mode 100644
index 0000000000..7f1c049e92
--- /dev/null
+++ b/charts/kyverno/templates/hooks/post-upgrade.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.policyReportsCleanup.enabled -}}
+ {{- if not .Values.templating.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "kyverno.fullname" . }}-hook-post-upgrade
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.hooks.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+ {{- with .Values.policyReportsCleanup.podSecurityContext }}
+ securityContext:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }}
+ imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
+
+ for ns in ${NAMESPACES[@]};
+ do
+ COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT policyreports in namespace $ns"
+ kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io
+ else
+ echo "no policyreports in namespace $ns"
+ fi
+ done
+
+ COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT clusterpolicyreports"
+ kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
+ else
+ echo "no clusterpolicyreports"
+ fi
+ {{- with .Values.policyReportsCleanup.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 5903d02f23..244f815cb0 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -392,6 +392,39 @@ webhooksCleanup:
 seccompProfile:
 type: RuntimeDefault
 
+policyReportsCleanup:
+ # -- Create a helm post-upgrade hook to cleanup the old policy reports.
+ enabled: true
+
+ image:
+ # -- (string) Image registry
+ registry: ~
+ # -- Image repository
+ repository: bitnami/kubectl
+ # -- Image tag
+ # Defaults to `latest` if omitted
+ tag: '1.28.4'
+ # -- (string) Image pull policy
+ # Defaults to image.pullPolicy if omitted
+ pullPolicy: ~
+
+ # -- Security context for the pod
+ podSecurityContext: {}
+
+ # -- Security context for the hook containers
+ securityContext:
+ runAsUser: 65534
+ runAsGroup: 65534
+ runAsNonRoot: true
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+
 grafana:
 # -- Enable grafana dashboard creation.
 enabled: false
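Review bot: The cleanup script runs without `set -euo pipefail`, so if `kubectl get namespaces` or a per-namespace `kubectl get policyreports` fails — for instance because the admission-controller service account this Job runs as lacks `list` on namespaces or `delete` on the report kinds (no RBAC is added in this commit) — the pipeline yields an empty list, the script prints "no policyreports", the Job exits 0, and `hook-delete-policy: hook-succeeded,hook-failed` then removes the only evidence; keeping just `hook-succeeded` would leave a genuinely failed Job readable. The `awk '/pol/{print $1}'` filter matches the substring `pol` anywhere in the `kubectl get` row rather than in the name column, so it should test `$1` (anchored with `^` if the legacy name prefix is known). `serviceAccount:` is the deprecated PodSpec field; use `serviceAccountName:`. Separately, the image line's `default .Chart.AppVersion .Values.policyReportsCleanup.image.tag` fallback substitutes Kyverno's own app version for the kubectl image tag when the value is omitted, and `imagePullPolicy` is rendered with no fallback at all, which contradicts the "Defaults to `latest` if omitted" and "Defaults to image.pullPolicy if omitted" comments added in values.yaml and README.md in this same commit. The rewritten script lines follow.
```yaml
      serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }}
      # … unchanged: podSecurityContext, restartPolicy, image, imagePullPolicy …
        command:
          - /bin/bash
          - -c
          - |
            set -euo pipefail
            NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')

            for ns in $NAMESPACES; do
              COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n "$ns" --no-headers=true | awk '$1 ~ /pol/ {print $1}' | wc -l)
              if [ "$COUNT" -gt 0 ]; then
                echo "deleting $COUNT policyreports in namespace $ns"
                kubectl get policyreports.wgpolicyk8s.io -n "$ns" --no-headers=true | awk '$1 ~ /pol/ {print $1}' | xargs kubectl delete -n "$ns" policyreports.wgpolicyk8s.io
              else
                echo "no policyreports in namespace $ns"
              fi
            done

            COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '$1 ~ /pol/ {print $1}' | wc -l)
            # … unchanged: clusterpolicyreports delete/else branch, using the same `$1 ~ /pol/` filter …
```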
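Review bot: The `# --` comment on `enabled` says the hook cleans up "the old policy reports" but not that it is on by default, runs on every `helm upgrade`, lists every namespace, and deletes any policyreport or clusterpolicyreport whose `kubectl get` row matches `pol` — including reports this release did not create; the generated README inherits this text verbatim, so an operator gets no hint of the blast radius or of when to switch it off. Suggested wording: `# -- Create a helm post-upgrade hook that deletes older-format policy reports (name matching "pol") in every namespace, plus matching cluster policy reports, on each upgrade. Set to false once the old reports are gone.`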