mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00
Code Activity

feat: add features section in helm values (#6935)

Browse source 
* feat: add features section in helm values

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* configs

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* overrides

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-04-25 13:23:01 +02:00 committed by GitHub
parent 349a5fe41a
commit e39587b2bd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 368 additions and 290 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
charts/kyverno/README.md
View file

@ -235,11 +235,25 @@ The chart values are organised per component.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| features.admissionReports.enabled | bool | `true` | Enables the feature |
| features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature |
| features.backgroundScan.enabled | bool | `true` | Enables the feature |
| features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers |
| features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval |
| features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan |
| features.configMapCaching.enabled | bool | `true` | Enables the feature |
| features.dumpPayload.enabled | bool | `false` | Enables the feature |
| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
| features.policyExceptions.enabled | bool | `false` | Enables the feature |
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
| features.reports.chunkSize | int | `1000` | Reports chunk size |
### Admission controller
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| admissionController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| admissionController.rbac.create | bool | `true` | Create RBAC resources |
| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
@ -322,6 +336,7 @@ The chart values are organised per component.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| backgroundController.enabled | bool | `true` | Enable background controller. |
| backgroundController.rbac.create | bool | `true` | Create RBAC resources |
| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
@ -381,6 +396,7 @@ The chart values are organised per component.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cleanupController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| cleanupController.enabled | bool | `true` | Enable cleanup controller. |
| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
@ -448,6 +464,7 @@ The chart values are organised per component.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| reportsController.enabled | bool | `true` | Enable reports controller. |
| reportsController.rbac.create | bool | `true` | Create RBAC resources |
| reportsController.rbac.serviceAccount.name | string | `nil` | Service account name |
@ -463,7 +480,7 @@ The chart values are organised per component.
| reportsController.priorityClassName | string | `""` | Optional priority class |
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300,"skipResourceFilters":true}` | Extra arguments passed to the container on the command line |
| reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line |
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |

38
charts/kyverno/templates/_helpers.tpl
View file

@ -7,3 +7,41 @@
{{- .Chart.Version | replace "+" "_" -}}
{{- end -}}
{{- end -}}
{{- define "kyverno.features.flags" -}}
{{- $flags := list -}}
{{- with .admissionReports -}}
{{- $flags = append $flags (print "--admissionReports=" .enabled) -}}
{{- end -}}
{{- with .autoUpdateWebhooks -}}
{{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}}
{{- end -}}
{{- with .backgroundScan -}}
{{- $flags = append $flags (print "--backgroundScan=" .enabled) -}}
{{- $flags = append $flags (print "--backgroundScanWorkers=" .backgroundScanWorkers) -}}
{{- $flags = append $flags (print "--backgroundScanInterval=" .backgroundScanInterval) -}}
{{- $flags = append $flags (print "--skipResourceFilters=" .skipResourceFilters) -}}
{{- end -}}
{{- with .configMapCaching -}}
{{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}}
{{- end -}}
{{- with .dumpPayload -}}
{{- $flags = append $flags (print "--dumpPayload=" .enabled) -}}
{{- end -}}
{{- with .forceFailurePolicyIgnore -}}
{{- $flags = append $flags (print "--forceFailurePolicyIgnore=" .enabled) -}}
{{- end -}}
{{- with .policyExceptions -}}
{{- $flags = append $flags (print "--enablePolicyException=" .enabled) -}}
{{- $flags = append $flags (print "--exceptionNamespace=" .namespace) -}}
{{- end -}}
{{- with .protectManagedResources -}}
{{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}}
{{- end -}}
{{- with .reports -}}
{{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}}
{{- end -}}
{{- with $flags -}}
{{- toYaml . -}}
{{- end -}}
{{- end -}}

9
charts/kyverno/templates/admission-controller/deployment.yaml
View file

@ -146,6 +146,15 @@ spec:
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride)
"admissionReports"
"autoUpdateWebhooks"
"configMapCaching"
"dumpPayload"
"forceFailurePolicyIgnore"
"policyExceptions"
"protectManagedResources"
) | nindent 12 }}
{{- range $key, $value := .Values.admissionController.container.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}

4
charts/kyverno/templates/background-controller/deployment.yaml
View file

@ -103,6 +103,10 @@ spec:
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride)
"configMapCaching"
"policyExceptions"
) | nindent 12 }}
{{- range $key, $value := .Values.backgroundController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}

3
charts/kyverno/templates/cleanup-controller/deployment.yaml
View file

@ -101,6 +101,9 @@ spec:
- --transportCreds={{ . }}
{{- end }}
{{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride)
"dumpPayload"
) | nindent 12 }}
{{- range $key, $value := .Values.cleanupController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}

7
charts/kyverno/templates/reports-controller/deployment.yaml
View file

@ -103,6 +103,13 @@ spec:
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride)
"admissionReports"
"backgroundScan"
"configMapCaching"
"policyExceptions"
"reports"
) | nindent 12 }}
{{- range $key, $value := .Values.reportsController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}

509
charts/kyverno/values.yaml
View file

@ -319,9 +319,50 @@ grafana:
# -- Grafana dashboard configmap annotations.
annotations: {}
# Features configuration
features:
admissionReports:
# -- Enables the feature
enabled: true
autoUpdateWebhooks:
# -- Enables the feature
enabled: true
backgroundScan:
# -- Enables the feature
enabled: true
# -- Number of background scan workers
backgroundScanWorkers: 2
# -- Background scan interval
backgroundScanInterval: 1h
# -- Skips resource filters in background scan
skipResourceFilters: true
configMapCaching:
# -- Enables the feature
enabled: true
dumpPayload:
# -- Enables the feature
enabled: false
forceFailurePolicyIgnore:
# -- Enables the feature
enabled: false
policyExceptions:
# -- Enables the feature
enabled: false
# -- Restrict policy exceptions to a single namespace
namespace: ''
protectManagedResources:
# -- Enables the feature
enabled: false
reports:
# -- Reports chunk size
chunkSize: 1000
# Admission controller configuration
admissionController:
# -- Overrides features defined at the root level
featuresOverride: {}
rbac:
# -- Create RBAC resources
create: true
@ -652,9 +693,220 @@ admissionController:
# -- Otel collector credentials
creds: ''
# Background controller configuration
backgroundController:
# -- Overrides features defined at the root level
featuresOverride: {}
# -- Enable background controller.
enabled: true
rbac:
# -- Create RBAC resources
create: true
serviceAccount:
# -- Service account name
name:
# -- Annotations for the ServiceAccount
annotations: {}
# example.com/annotation: value
clusterRole:
# -- Extra resource permissions to add in the cluster role
extraResources: []
# - apiGroups:
# - ''
# resources:
# - pods
image:
# -- (string) Image registry
registry: ~
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/background-controller
# -- Image repository
repository: ghcr.io/kyverno/background-controller
# -- Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: # replaced in e2e tests
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# - secretName
# -- (int) Desired number of pods
replicas: ~
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
# -- Optional priority class
priorityClassName: ''
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
hostNetwork: false
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
dnsPolicy: ClusterFirst
# -- Extra arguments passed to the container on the command line
extraArgs: {}
resources:
# -- Pod resource limits
limits:
memory: 128Mi
# -- Pod resource requests
requests:
cpu: 100m
memory: 64Mi
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
antiAffinity:
# -- Pod antiAffinities toggle.
# Enabled by default but can be disabled if you want to schedule pods to the same node.
enabled: true
# -- Pod anti affinity constraints.
# @default -- See [values.yaml](values.yaml)
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- background-controller
topologyKey: kubernetes.io/hostname
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Topology spread constraints.
topologySpreadConstraints: []
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
# -- Configures the maximum unavailable pods for disruptions.
# Cannot be used if `minAvailable` is set.
maxUnavailable:
metricsService:
# -- Create service.
create: true
# -- Service port.
# Metrics server will be exposed at this port.
port: 8000
# -- Service type.
type: ClusterIP
# -- Service node port.
# Only used if `metricsService.type` is `NodePort`.
nodePort:
# -- Service annotations.
annotations: {}
networkPolicy:
# -- When true, use a NetworkPolicy to allow ingress to the webhook
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
enabled: false
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
ingressFrom: []
serviceMonitor:
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
enabled: false
# -- Additional labels
additionalLabels: {}
# -- (string) Override namespace
namespace: ~
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
# -- Is TLS required for endpoint
secure: false
# -- TLS Configuration for endpoint
tlsConfig: {}
tracing:
# -- Enable tracing
enabled: false
# -- Traces receiver address
address:
# -- Traces receiver port
port:
# -- Traces receiver credentials
creds: ''
logging:
# -- Logging format
format: text
# -- Logging verbosity
verbosity: 2
metering:
# -- Disable metrics export
disabled: false
# -- Otel configuration, can be `prometheus` or `grpc`
config: prometheus
# -- Prometheus endpoint port
port: 8000
# -- Otel collector endpoint
collector: ''
# -- Otel collector credentials
creds: ''
# Cleanup controller configuration
cleanupController:
# -- Overrides features defined at the root level
featuresOverride: {}
# -- Enable cleanup controller.
enabled: true
@ -915,6 +1167,9 @@ cleanupController:
# Reports controller configuration
reportsController:
# -- Overrides features defined at the root level
featuresOverride: {}
# -- Enable reports controller.
enabled: true
@ -979,10 +1234,7 @@ reportsController:
dnsPolicy: ClusterFirst
# -- Extra arguments passed to the container on the command line
extraArgs:
clientRateLimitQPS: 300
clientRateLimitBurst: 300
skipResourceFilters: true
extraArgs: {}
resources:
# -- Pod resource limits
@ -993,50 +1245,6 @@ reportsController:
cpu: 100m
memory: 64Mi
# TODO
# # -- Startup probe.
# # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
# # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# # @default -- See [values.yaml](values.yaml)
# startupProbe:
# httpGet:
# path: /health/liveness
# port: 9443
# scheme: HTTPS
# failureThreshold: 20
# initialDelaySeconds: 2
# periodSeconds: 6
# # -- Liveness probe.
# # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
# # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# # @default -- See [values.yaml](values.yaml)
# livenessProbe:
# httpGet:
# path: /health/liveness
# port: 9443
# scheme: HTTPS
# initialDelaySeconds: 15
# periodSeconds: 30
# timeoutSeconds: 5
# failureThreshold: 2
# successThreshold: 1
# # -- Readiness Probe.
# # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
# # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# # @default -- See [values.yaml](values.yaml)
# readinessProbe:
# httpGet:
# path: /health/readiness
# port: 9443
# scheme: HTTPS
# initialDelaySeconds: 5
# periodSeconds: 10
# timeoutSeconds: 5
# failureThreshold: 6
# successThreshold: 1
# -- Node labels for pod assignment
nodeSelector: {}
@ -1167,208 +1375,3 @@ reportsController:
collector: ~
# -- (string) Otel collector credentials
creds: ~
# Background controller configuration
backgroundController:
# -- Enable background controller.
enabled: true
rbac:
# -- Create RBAC resources
create: true
serviceAccount:
# -- Service account name
name:
# -- Annotations for the ServiceAccount
annotations: {}
# example.com/annotation: value
clusterRole:
# -- Extra resource permissions to add in the cluster role
extraResources: []
# - apiGroups:
# - ''
# resources:
# - pods
image:
# -- (string) Image registry
registry: ~
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/background-controller
# -- Image repository
repository: ghcr.io/kyverno/background-controller
# -- Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: # replaced in e2e tests
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# - secretName
# -- (int) Desired number of pods
replicas: ~
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
# -- Optional priority class
priorityClassName: ''
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
hostNetwork: false
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
dnsPolicy: ClusterFirst
# -- Extra arguments passed to the container on the command line
extraArgs: {}
resources:
# -- Pod resource limits
limits:
memory: 128Mi
# -- Pod resource requests
requests:
cpu: 100m
memory: 64Mi
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
antiAffinity:
# -- Pod antiAffinities toggle.
# Enabled by default but can be disabled if you want to schedule pods to the same node.
enabled: true
# -- Pod anti affinity constraints.
# @default -- See [values.yaml](values.yaml)
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- background-controller
topologyKey: kubernetes.io/hostname
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Topology spread constraints.
topologySpreadConstraints: []
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
# -- Configures the maximum unavailable pods for disruptions.
# Cannot be used if `minAvailable` is set.
maxUnavailable:
metricsService:
# -- Create service.
create: true
# -- Service port.
# Metrics server will be exposed at this port.
port: 8000
# -- Service type.
type: ClusterIP
# -- Service node port.
# Only used if `metricsService.type` is `NodePort`.
nodePort:
# -- Service annotations.
annotations: {}
networkPolicy:
# -- When true, use a NetworkPolicy to allow ingress to the webhook
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
enabled: false
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
ingressFrom: []
serviceMonitor:
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
enabled: false
# -- Additional labels
additionalLabels: {}
# -- (string) Override namespace
namespace: ~
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
# -- Is TLS required for endpoint
secure: false
# -- TLS Configuration for endpoint
tlsConfig: {}
tracing:
# -- Enable tracing
enabled: false
# -- Traces receiver address
address:
# -- Traces receiver port
port:
# -- Traces receiver credentials
creds: ''
logging:
# -- Logging format
format: text
# -- Logging verbosity
verbosity: 2
metering:
# -- Disable metrics export
disabled: false
# -- Otel configuration, can be `prometheus` or `grpc`
config: prometheus
# -- Prometheus endpoint port
port: 8000
# -- Otel collector endpoint
collector: ''
# -- Otel collector credentials
creds: ''

22
config/install-latest-testing.yaml
View file

@ -34953,6 +34953,14 @@ spec:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
- --autoUpdateWebhooks=true
- --enableConfigMapCaching=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --enablePolicyException=false
- --exceptionNamespace=
- --protectManagedResources=false
resources:
limits:
memory: 384Mi
@ -35092,6 +35100,9 @@ spec:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableConfigMapCaching=true
- --enablePolicyException=false
- --exceptionNamespace=
env:
- name: METRICS_CONFIG
value: kyverno-metrics
@ -35181,6 +35192,7 @@ spec:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --dumpPayload=false
env:
- name: METRICS_CONFIG
value: kyverno-metrics
@ -35301,9 +35313,15 @@ spec:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --clientRateLimitBurst=300
- --clientRateLimitQPS=300
- --admissionReports=true
- --backgroundScan=true
- --backgroundScanWorkers=2
- --backgroundScanInterval=1h
- --skipResourceFilters=true
- --enableConfigMapCaching=true
- --enablePolicyException=false
- --exceptionNamespace=
- --reportsChunkSize=1000
env:
- name: METRICS_CONFIG
value: kyverno-metrics

11
scripts/config/dev/kyverno.yaml
View file

@ -1,11 +1,11 @@
grafana:
enabled: true
admissionController:
container:
extraArgs:
enablePolicyException: true
features:
policyExceptions:
enabled: true
admissionController:
serviceMonitor:
enabled: true
@ -42,9 +42,6 @@ cleanupController:
format: json
reportsController:
extraArgs:
enablePolicyException: true
serviceMonitor:
enabled: true

15
scripts/config/exceptions-disabled/kyverno.yaml
View file

@ -1,12 +1,3 @@
admissionController:
container:
extraArgs:
enablePolicyException: false
backgroundController:
extraArgs:
enablePolicyException: false
reportsController:
extraArgs:
enablePolicyException: false
features:
policyExceptions:
enabled: false

7
scripts/config/force-failure-policy-ignore/kyverno.yaml
View file

@ -1,4 +1,3 @@
admissionController:
container:
extraArgs:
forceFailurePolicyIgnore: true
features:
forceFailurePolicyIgnore:
enabled: true

14
scripts/config/standard/kyverno.yaml
View file

@ -1,12 +1,8 @@
admissionController:
container:
extraArgs:
enablePolicyException: true
features:
policyExceptions:
enabled: true
backgroundController:
extraArgs:
enablePolicyException: true
rbac:
clusterRole:
extraResources:
@ -33,7 +29,3 @@ cleanupController:
- ''
resources:
- pods
reportsController:
extraArgs:
enablePolicyException: true