mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: cleanup older policy reports (#9026)

Browse source 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2023-11-28 12:36:02 +02:00 committed by GitHub
parent 5d96a8ce74
commit cb80329a79
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 98 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
charts/kyverno/README.md
View file

@ -731,6 +731,13 @@ The chart values are organised per component.
| imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | | imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | | existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| customLabels | object | `{}` | Additional labels | | customLabels | object | `{}` | Additional labels |
| policyReportsCleanup.enabled | bool | `true` | Create a helm post-upgrade hook to cleanup the old policy reports. |
| policyReportsCleanup.image.registry | string | `nil` | Image registry |
| policyReportsCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository |
| policyReportsCleanup.image.tag | string | `"1.28.4"` | Image tag Defaults to `latest` if omitted |
| policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod |
| policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
## TLS Configuration ## TLS Configuration

58
charts/kyverno/templates/hooks/post-upgrade.yaml Normal file
View file

@ -0,0 +1,58 @@
{{- if .Values.policyReportsCleanup.enabled -}}
{{- if not .Values.templating.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-post-upgrade
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
spec:
serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
{{- with .Values.policyReportsCleanup.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }}
imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }}
command:
- /bin/bash
- -c
- |
NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
for ns in ${NAMESPACES[@]};
do
COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)
if [ $COUNT -gt 0 ]; then
echo "deleting $COUNT policyreports in namespace $ns"
kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io
else
echo "no policyreports in namespace $ns"
fi
done
COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
if [ $COUNT -gt 0 ]; then
echo "deleting $COUNT clusterpolicyreports"
kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
else
echo "no clusterpolicyreports"
fi
{{- with .Values.policyReportsCleanup.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end -}}
{{- end -}}

33
charts/kyverno/values.yaml
View file

@ -392,6 +392,39 @@ webhooksCleanup:
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
policyReportsCleanup:
# -- Create a helm post-upgrade hook to cleanup the old policy reports.
enabled: true
image:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: bitnami/kubectl
# -- Image tag
# Defaults to `latest` if omitted
tag: '1.28.4'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy: ~
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the hook containers
securityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
grafana: grafana:
# -- Enable grafana dashboard creation. # -- Enable grafana dashboard creation.
enabled: false enabled: false