feat: add features section in helm values (#6935)
* feat: add features section in helm values Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * configs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * overrides Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
349a5fe41a
commit
e39587b2bd
12 changed files with 368 additions and 290 deletions
|
@ -235,11 +235,25 @@ The chart values are organised per component.
|
|||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| features.admissionReports.enabled | bool | `true` | Enables the feature |
|
||||
| features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature |
|
||||
| features.backgroundScan.enabled | bool | `true` | Enables the feature |
|
||||
| features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers |
|
||||
| features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval |
|
||||
| features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan |
|
||||
| features.configMapCaching.enabled | bool | `true` | Enables the feature |
|
||||
| features.dumpPayload.enabled | bool | `false` | Enables the feature |
|
||||
| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
|
||||
| features.policyExceptions.enabled | bool | `false` | Enables the feature |
|
||||
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
|
||||
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
|
||||
| features.reports.chunkSize | int | `1000` | Reports chunk size |
|
||||
|
||||
### Admission controller
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| admissionController.featuresOverride | object | `{}` | Overrides features defined at the root level |
|
||||
| admissionController.rbac.create | bool | `true` | Create RBAC resources |
|
||||
| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
|
||||
| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
|
||||
|
@ -322,6 +336,7 @@ The chart values are organised per component.
|
|||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level |
|
||||
| backgroundController.enabled | bool | `true` | Enable background controller. |
|
||||
| backgroundController.rbac.create | bool | `true` | Create RBAC resources |
|
||||
| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
|
||||
|
@ -381,6 +396,7 @@ The chart values are organised per component.
|
|||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| cleanupController.featuresOverride | object | `{}` | Overrides features defined at the root level |
|
||||
| cleanupController.enabled | bool | `true` | Enable cleanup controller. |
|
||||
| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
|
||||
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
|
||||
|
@ -448,6 +464,7 @@ The chart values are organised per component.
|
|||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level |
|
||||
| reportsController.enabled | bool | `true` | Enable reports controller. |
|
||||
| reportsController.rbac.create | bool | `true` | Create RBAC resources |
|
||||
| reportsController.rbac.serviceAccount.name | string | `nil` | Service account name |
|
||||
|
@ -463,7 +480,7 @@ The chart values are organised per component.
|
|||
| reportsController.priorityClassName | string | `""` | Optional priority class |
|
||||
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
|
||||
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
|
||||
| reportsController.extraArgs | object | `{"clientRateLimitBurst":300,"clientRateLimitQPS":300,"skipResourceFilters":true}` | Extra arguments passed to the container on the command line |
|
||||
| reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line |
|
||||
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
|
||||
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
|
||||
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |
|
||||
|
|
|
@ -7,3 +7,41 @@
|
|||
{{- .Chart.Version | replace "+" "_" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "kyverno.features.flags" -}}
|
||||
{{- $flags := list -}}
|
||||
{{- with .admissionReports -}}
|
||||
{{- $flags = append $flags (print "--admissionReports=" .enabled) -}}
|
||||
{{- end -}}
|
||||
{{- with .autoUpdateWebhooks -}}
|
||||
{{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}}
|
||||
{{- end -}}
|
||||
{{- with .backgroundScan -}}
|
||||
{{- $flags = append $flags (print "--backgroundScan=" .enabled) -}}
|
||||
{{- $flags = append $flags (print "--backgroundScanWorkers=" .backgroundScanWorkers) -}}
|
||||
{{- $flags = append $flags (print "--backgroundScanInterval=" .backgroundScanInterval) -}}
|
||||
{{- $flags = append $flags (print "--skipResourceFilters=" .skipResourceFilters) -}}
|
||||
{{- end -}}
|
||||
{{- with .configMapCaching -}}
|
||||
{{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}}
|
||||
{{- end -}}
|
||||
{{- with .dumpPayload -}}
|
||||
{{- $flags = append $flags (print "--dumpPayload=" .enabled) -}}
|
||||
{{- end -}}
|
||||
{{- with .forceFailurePolicyIgnore -}}
|
||||
{{- $flags = append $flags (print "--forceFailurePolicyIgnore=" .enabled) -}}
|
||||
{{- end -}}
|
||||
{{- with .policyExceptions -}}
|
||||
{{- $flags = append $flags (print "--enablePolicyException=" .enabled) -}}
|
||||
{{- $flags = append $flags (print "--exceptionNamespace=" .namespace) -}}
|
||||
{{- end -}}
|
||||
{{- with .protectManagedResources -}}
|
||||
{{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}}
|
||||
{{- end -}}
|
||||
{{- with .reports -}}
|
||||
{{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}}
|
||||
{{- end -}}
|
||||
{{- with $flags -}}
|
||||
{{- toYaml . -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
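Review bot: The new `kyverno.features.flags` define has no header comment explaining its contract, and it emits a flag for every key it is handed without checking the value — `print "--exceptionNamespace=" .namespace` is rendered unconditionally, so the generated manifest in this commit carries a bare `--exceptionNamespace=`, and a map entry whose sub-field is missing would render a placeholder string rather than fail. Whether the binary treats an empty `--exceptionNamespace` as "no namespace restriction" is not visible here, but since that is presumably the less restrictive reading once `policyExceptions.enabled` is true it is worth stating next to the value rather than leaving it implicit. I would add above the define a comment such as `{{/* Renders one "--flag=value" entry per feature present in the given map; callers pass pick(mergeOverwrite(.Values.features, <controller>.featuresOverride) ...) so only flags the controller understands are emitted. Values are printed verbatim, an empty exceptionNamespace is emitted as an empty flag. */}}`.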
|
||||
|
|
|
@ -146,6 +146,15 @@ spec:
|
|||
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
|
||||
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
|
||||
{{- end }}
|
||||
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride)
|
||||
"admissionReports"
|
||||
"autoUpdateWebhooks"
|
||||
"configMapCaching"
|
||||
"dumpPayload"
|
||||
"forceFailurePolicyIgnore"
|
||||
"policyExceptions"
|
||||
"protectManagedResources"
|
||||
) | nindent 12 }}
|
||||
{{- range $key, $value := .Values.admissionController.container.extraArgs }}
|
||||
{{- if $value }}
|
||||
- --{{ $key }}={{ $value }}
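Review bot: `mergeOverwrite .Values.features .Values.admissionController.featuresOverride` on the new include line mutates its first argument — Helm's `mergeOverwrite` writes the merge result into `$dest` — so an admission-controller override is copied into `.Values.features` itself and then leaks into the backgroundController, cleanupController and reportsController deployments, which apply the same expression in their own hunks. The per-controller override thus becomes a global one depending on template render order, which contradicts the documented meaning "Overrides features defined at the root level" and could, for example, turn a policy-exception override intended for one controller on for all of them. Merge into a copy instead: `{{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride)` and apply the same change in the three other deployment templates. The enclosing container args block starts and ends outside the hunk.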
|
||||
|
|
|
@ -103,6 +103,10 @@ spec:
|
|||
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
|
||||
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
|
||||
{{- end }}
|
||||
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride)
|
||||
"configMapCaching"
|
||||
"policyExceptions"
|
||||
) | nindent 12 }}
|
||||
{{- range $key, $value := .Values.backgroundController.extraArgs }}
|
||||
{{- if $value }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
|
|
|
@ -101,6 +101,9 @@ spec:
|
|||
- --transportCreds={{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride)
|
||||
"dumpPayload"
|
||||
) | nindent 12 }}
|
||||
{{- range $key, $value := .Values.cleanupController.extraArgs }}
|
||||
{{- if $value }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
|
|
|
@ -103,6 +103,13 @@ spec:
|
|||
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
|
||||
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
|
||||
{{- end }}
|
||||
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride)
|
||||
"admissionReports"
|
||||
"backgroundScan"
|
||||
"configMapCaching"
|
||||
"policyExceptions"
|
||||
"reports"
|
||||
) | nindent 12 }}
|
||||
{{- range $key, $value := .Values.reportsController.extraArgs }}
|
||||
{{- if $value }}
|
||||
- --{{ $key }}={{ $value }}
|
||||
|
|
|
@ -319,9 +319,50 @@ grafana:
|
|||
# -- Grafana dashboard configmap annotations.
|
||||
annotations: {}
|
||||
|
||||
# Features configuration
|
||||
features:
|
||||
admissionReports:
|
||||
# -- Enables the feature
|
||||
enabled: true
|
||||
autoUpdateWebhooks:
|
||||
# -- Enables the feature
|
||||
enabled: true
|
||||
backgroundScan:
|
||||
# -- Enables the feature
|
||||
enabled: true
|
||||
# -- Number of background scan workers
|
||||
backgroundScanWorkers: 2
|
||||
# -- Background scan interval
|
||||
backgroundScanInterval: 1h
|
||||
# -- Skips resource filters in background scan
|
||||
skipResourceFilters: true
|
||||
configMapCaching:
|
||||
# -- Enables the feature
|
||||
enabled: true
|
||||
dumpPayload:
|
||||
# -- Enables the feature
|
||||
enabled: false
|
||||
forceFailurePolicyIgnore:
|
||||
# -- Enables the feature
|
||||
enabled: false
|
||||
policyExceptions:
|
||||
# -- Enables the feature
|
||||
enabled: false
|
||||
# -- Restrict policy exceptions to a single namespace
|
||||
namespace: ''
|
||||
protectManagedResources:
|
||||
# -- Enables the feature
|
||||
enabled: false
|
||||
reports:
|
||||
# -- Reports chunk size
|
||||
chunkSize: 1000
|
||||
|
||||
# Admission controller configuration
|
||||
admissionController:
|
||||
|
||||
# -- Overrides features defined at the root level
|
||||
featuresOverride: {}
|
||||
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
|
@ -652,9 +693,220 @@ admissionController:
|
|||
# -- Otel collector credentials
|
||||
creds: ''
|
||||
|
||||
# Background controller configuration
|
||||
backgroundController:
|
||||
|
||||
# -- Overrides features defined at the root level
|
||||
featuresOverride: {}
|
||||
|
||||
# -- Enable background controller.
|
||||
enabled: true
|
||||
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
|
||||
serviceAccount:
|
||||
# -- Service account name
|
||||
name:
|
||||
|
||||
# -- Annotations for the ServiceAccount
|
||||
annotations: {}
|
||||
# example.com/annotation: value
|
||||
|
||||
clusterRole:
|
||||
# -- Extra resource permissions to add in the cluster role
|
||||
extraResources: []
|
||||
# - apiGroups:
|
||||
# - ''
|
||||
# resources:
|
||||
# - pods
|
||||
|
||||
image:
|
||||
# -- (string) Image registry
|
||||
registry: ~
|
||||
# If you want to manage the registry you should remove it from the repository
|
||||
# registry: ghcr.io
|
||||
# repository: kyverno/background-controller
|
||||
# -- Image repository
|
||||
repository: ghcr.io/kyverno/background-controller
|
||||
# -- Image tag
|
||||
# Defaults to appVersion in Chart.yaml if omitted
|
||||
tag: # replaced in e2e tests
|
||||
# -- Image pull policy
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# -- Image pull secrets
|
||||
imagePullSecrets: []
|
||||
# - secretName
|
||||
|
||||
# -- (int) Desired number of pods
|
||||
replicas: ~
|
||||
|
||||
# -- Deployment update strategy.
|
||||
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
|
||||
# @default -- See [values.yaml](values.yaml)
|
||||
updateStrategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 1
|
||||
maxUnavailable: 40%
|
||||
type: RollingUpdate
|
||||
|
||||
# -- Optional priority class
|
||||
priorityClassName: ''
|
||||
|
||||
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
|
||||
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
|
||||
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
|
||||
hostNetwork: false
|
||||
|
||||
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
|
||||
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
|
||||
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
|
||||
dnsPolicy: ClusterFirst
|
||||
|
||||
# -- Extra arguments passed to the container on the command line
|
||||
extraArgs: {}
|
||||
|
||||
resources:
|
||||
# -- Pod resource limits
|
||||
limits:
|
||||
memory: 128Mi
|
||||
# -- Pod resource requests
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
|
||||
# -- Node labels for pod assignment
|
||||
nodeSelector: {}
|
||||
|
||||
# -- List of node taints to tolerate
|
||||
tolerations: []
|
||||
|
||||
antiAffinity:
|
||||
# -- Pod antiAffinities toggle.
|
||||
# Enabled by default but can be disabled if you want to schedule pods to the same node.
|
||||
enabled: true
|
||||
|
||||
# -- Pod anti affinity constraints.
|
||||
# @default -- See [values.yaml](values.yaml)
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 1
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- background-controller
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
# -- Pod affinity constraints.
|
||||
podAffinity: {}
|
||||
|
||||
# -- Node affinity constraints.
|
||||
nodeAffinity: {}
|
||||
|
||||
# -- Topology spread constraints.
|
||||
topologySpreadConstraints: []
|
||||
|
||||
# -- Security context for the pod
|
||||
podSecurityContext: {}
|
||||
|
||||
# -- Security context for the containers
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
podDisruptionBudget:
|
||||
# -- Configures the minimum available pods for disruptions.
|
||||
# Cannot be used if `maxUnavailable` is set.
|
||||
minAvailable: 1
|
||||
# -- Configures the maximum unavailable pods for disruptions.
|
||||
# Cannot be used if `minAvailable` is set.
|
||||
maxUnavailable:
|
||||
|
||||
metricsService:
|
||||
# -- Create service.
|
||||
create: true
|
||||
# -- Service port.
|
||||
# Metrics server will be exposed at this port.
|
||||
port: 8000
|
||||
# -- Service type.
|
||||
type: ClusterIP
|
||||
# -- Service node port.
|
||||
# Only used if `metricsService.type` is `NodePort`.
|
||||
nodePort:
|
||||
# -- Service annotations.
|
||||
annotations: {}
|
||||
|
||||
networkPolicy:
|
||||
|
||||
# -- When true, use a NetworkPolicy to allow ingress to the webhook
|
||||
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
|
||||
enabled: false
|
||||
|
||||
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
|
||||
ingressFrom: []
|
||||
|
||||
serviceMonitor:
|
||||
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
|
||||
enabled: false
|
||||
# -- Additional labels
|
||||
additionalLabels: {}
|
||||
# -- (string) Override namespace
|
||||
namespace: ~
|
||||
# -- Interval to scrape metrics
|
||||
interval: 30s
|
||||
# -- Timeout if metrics can't be retrieved in given time interval
|
||||
scrapeTimeout: 25s
|
||||
# -- Is TLS required for endpoint
|
||||
secure: false
|
||||
# -- TLS Configuration for endpoint
|
||||
tlsConfig: {}
|
||||
|
||||
tracing:
|
||||
# -- Enable tracing
|
||||
enabled: false
|
||||
# -- Traces receiver address
|
||||
address:
|
||||
# -- Traces receiver port
|
||||
port:
|
||||
# -- Traces receiver credentials
|
||||
creds: ''
|
||||
|
||||
logging:
|
||||
# -- Logging format
|
||||
format: text
|
||||
# -- Logging verbosity
|
||||
verbosity: 2
|
||||
|
||||
metering:
|
||||
# -- Disable metrics export
|
||||
disabled: false
|
||||
# -- Otel configuration, can be `prometheus` or `grpc`
|
||||
config: prometheus
|
||||
# -- Prometheus endpoint port
|
||||
port: 8000
|
||||
# -- Otel collector endpoint
|
||||
collector: ''
|
||||
# -- Otel collector credentials
|
||||
creds: ''
|
||||
|
||||
# Cleanup controller configuration
|
||||
cleanupController:
|
||||
|
||||
# -- Overrides features defined at the root level
|
||||
featuresOverride: {}
|
||||
|
||||
# -- Enable cleanup controller.
|
||||
enabled: true
|
||||
|
||||
|
@ -915,6 +1167,9 @@ cleanupController:
|
|||
# Reports controller configuration
|
||||
reportsController:
|
||||
|
||||
# -- Overrides features defined at the root level
|
||||
featuresOverride: {}
|
||||
|
||||
# -- Enable reports controller.
|
||||
enabled: true
|
||||
|
||||
|
@ -979,10 +1234,7 @@ reportsController:
|
|||
dnsPolicy: ClusterFirst
|
||||
|
||||
# -- Extra arguments passed to the container on the command line
|
||||
extraArgs:
|
||||
clientRateLimitQPS: 300
|
||||
clientRateLimitBurst: 300
|
||||
skipResourceFilters: true
|
||||
extraArgs: {}
|
||||
|
||||
resources:
|
||||
# -- Pod resource limits
|
||||
|
@ -993,50 +1245,6 @@ reportsController:
|
|||
cpu: 100m
|
||||
memory: 64Mi
|
||||
|
||||
# TODO
|
||||
# # -- Startup probe.
|
||||
# # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
|
||||
# # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
||||
# # @default -- See [values.yaml](values.yaml)
|
||||
# startupProbe:
|
||||
# httpGet:
|
||||
# path: /health/liveness
|
||||
# port: 9443
|
||||
# scheme: HTTPS
|
||||
# failureThreshold: 20
|
||||
# initialDelaySeconds: 2
|
||||
# periodSeconds: 6
|
||||
|
||||
# # -- Liveness probe.
|
||||
# # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
|
||||
# # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
||||
# # @default -- See [values.yaml](values.yaml)
|
||||
# livenessProbe:
|
||||
# httpGet:
|
||||
# path: /health/liveness
|
||||
# port: 9443
|
||||
# scheme: HTTPS
|
||||
# initialDelaySeconds: 15
|
||||
# periodSeconds: 30
|
||||
# timeoutSeconds: 5
|
||||
# failureThreshold: 2
|
||||
# successThreshold: 1
|
||||
|
||||
# # -- Readiness Probe.
|
||||
# # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
|
||||
# # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
|
||||
# # @default -- See [values.yaml](values.yaml)
|
||||
# readinessProbe:
|
||||
# httpGet:
|
||||
# path: /health/readiness
|
||||
# port: 9443
|
||||
# scheme: HTTPS
|
||||
# initialDelaySeconds: 5
|
||||
# periodSeconds: 10
|
||||
# timeoutSeconds: 5
|
||||
# failureThreshold: 6
|
||||
# successThreshold: 1
|
||||
|
||||
# -- Node labels for pod assignment
|
||||
nodeSelector: {}
|
||||
|
||||
|
@ -1167,208 +1375,3 @@ reportsController:
|
|||
collector: ~
|
||||
# -- (string) Otel collector credentials
|
||||
creds: ~
|
||||
|
||||
# Background controller configuration
|
||||
backgroundController:
|
||||
|
||||
# -- Enable background controller.
|
||||
enabled: true
|
||||
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
|
||||
serviceAccount:
|
||||
# -- Service account name
|
||||
name:
|
||||
|
||||
# -- Annotations for the ServiceAccount
|
||||
annotations: {}
|
||||
# example.com/annotation: value
|
||||
|
||||
clusterRole:
|
||||
# -- Extra resource permissions to add in the cluster role
|
||||
extraResources: []
|
||||
# - apiGroups:
|
||||
# - ''
|
||||
# resources:
|
||||
# - pods
|
||||
|
||||
image:
|
||||
# -- (string) Image registry
|
||||
registry: ~
|
||||
# If you want to manage the registry you should remove it from the repository
|
||||
# registry: ghcr.io
|
||||
# repository: kyverno/background-controller
|
||||
# -- Image repository
|
||||
repository: ghcr.io/kyverno/background-controller
|
||||
# -- Image tag
|
||||
# Defaults to appVersion in Chart.yaml if omitted
|
||||
tag: # replaced in e2e tests
|
||||
# -- Image pull policy
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# -- Image pull secrets
|
||||
imagePullSecrets: []
|
||||
# - secretName
|
||||
|
||||
# -- (int) Desired number of pods
|
||||
replicas: ~
|
||||
|
||||
# -- Deployment update strategy.
|
||||
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
|
||||
# @default -- See [values.yaml](values.yaml)
|
||||
updateStrategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 1
|
||||
maxUnavailable: 40%
|
||||
type: RollingUpdate
|
||||
|
||||
# -- Optional priority class
|
||||
priorityClassName: ''
|
||||
|
||||
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
|
||||
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
|
||||
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
|
||||
hostNetwork: false
|
||||
|
||||
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
|
||||
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
|
||||
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
|
||||
dnsPolicy: ClusterFirst
|
||||
|
||||
# -- Extra arguments passed to the container on the command line
|
||||
extraArgs: {}
|
||||
|
||||
resources:
|
||||
# -- Pod resource limits
|
||||
limits:
|
||||
memory: 128Mi
|
||||
# -- Pod resource requests
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 64Mi
|
||||
|
||||
# -- Node labels for pod assignment
|
||||
nodeSelector: {}
|
||||
|
||||
# -- List of node taints to tolerate
|
||||
tolerations: []
|
||||
|
||||
antiAffinity:
|
||||
# -- Pod antiAffinities toggle.
|
||||
# Enabled by default but can be disabled if you want to schedule pods to the same node.
|
||||
enabled: true
|
||||
|
||||
# -- Pod anti affinity constraints.
|
||||
# @default -- See [values.yaml](values.yaml)
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 1
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- background-controller
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
# -- Pod affinity constraints.
|
||||
podAffinity: {}
|
||||
|
||||
# -- Node affinity constraints.
|
||||
nodeAffinity: {}
|
||||
|
||||
# -- Topology spread constraints.
|
||||
topologySpreadConstraints: []
|
||||
|
||||
# -- Security context for the pod
|
||||
podSecurityContext: {}
|
||||
|
||||
# -- Security context for the containers
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
||||
podDisruptionBudget:
|
||||
# -- Configures the minimum available pods for disruptions.
|
||||
# Cannot be used if `maxUnavailable` is set.
|
||||
minAvailable: 1
|
||||
# -- Configures the maximum unavailable pods for disruptions.
|
||||
# Cannot be used if `minAvailable` is set.
|
||||
maxUnavailable:
|
||||
|
||||
metricsService:
|
||||
# -- Create service.
|
||||
create: true
|
||||
# -- Service port.
|
||||
# Metrics server will be exposed at this port.
|
||||
port: 8000
|
||||
# -- Service type.
|
||||
type: ClusterIP
|
||||
# -- Service node port.
|
||||
# Only used if `metricsService.type` is `NodePort`.
|
||||
nodePort:
|
||||
# -- Service annotations.
|
||||
annotations: {}
|
||||
|
||||
networkPolicy:
|
||||
|
||||
# -- When true, use a NetworkPolicy to allow ingress to the webhook
|
||||
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
|
||||
enabled: false
|
||||
|
||||
# -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies.
|
||||
ingressFrom: []
|
||||
|
||||
serviceMonitor:
|
||||
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
|
||||
enabled: false
|
||||
# -- Additional labels
|
||||
additionalLabels: {}
|
||||
# -- (string) Override namespace
|
||||
namespace: ~
|
||||
# -- Interval to scrape metrics
|
||||
interval: 30s
|
||||
# -- Timeout if metrics can't be retrieved in given time interval
|
||||
scrapeTimeout: 25s
|
||||
# -- Is TLS required for endpoint
|
||||
secure: false
|
||||
# -- TLS Configuration for endpoint
|
||||
tlsConfig: {}
|
||||
|
||||
tracing:
|
||||
# -- Enable tracing
|
||||
enabled: false
|
||||
# -- Traces receiver address
|
||||
address:
|
||||
# -- Traces receiver port
|
||||
port:
|
||||
# -- Traces receiver credentials
|
||||
creds: ''
|
||||
|
||||
logging:
|
||||
# -- Logging format
|
||||
format: text
|
||||
# -- Logging verbosity
|
||||
verbosity: 2
|
||||
|
||||
metering:
|
||||
# -- Disable metrics export
|
||||
disabled: false
|
||||
# -- Otel configuration, can be `prometheus` or `grpc`
|
||||
config: prometheus
|
||||
# -- Prometheus endpoint port
|
||||
port: 8000
|
||||
# -- Otel collector endpoint
|
||||
collector: ''
|
||||
# -- Otel collector credentials
|
||||
creds: ''
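Review bot: The reportsController hunk replaces the previous default `extraArgs: {clientRateLimitQPS: 300, clientRateLimitBurst: 300, skipResourceFilters: true}` with `extraArgs: {}`; `skipResourceFilters` gets a new home under `features.backgroundScan`, but the two client rate-limit values have no counterpart in the new `features` block, so a default install of the reports controller silently falls back to the binary's built-in client rate limit (the README table in this commit shows the default changing to `{}`). If dropping that bump is intentional it deserves a sentence in the description; otherwise keep `clientRateLimitQPS: 300` and `clientRateLimitBurst: 300` under `reportsController.extraArgs`. Separately, `features.policyExceptions.namespace: ''` is documented only as "Restrict policy exceptions to a single namespace"; the comment should also say what the empty default means, since that appears to be the less restrictive setting once `policyExceptions.enabled` is true — e.g. `# -- Restrict policy exceptions to a single namespace (empty: no namespace restriction — confirm against the controller's handling of an empty --exceptionNamespace)`.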
|
||||
|
|
|
@ -34953,6 +34953,14 @@ spec:
|
|||
- --disableMetrics=false
|
||||
- --otelConfig=prometheus
|
||||
- --metricsPort=8000
|
||||
- --admissionReports=true
|
||||
- --autoUpdateWebhooks=true
|
||||
- --enableConfigMapCaching=true
|
||||
- --dumpPayload=false
|
||||
- --forceFailurePolicyIgnore=false
|
||||
- --enablePolicyException=false
|
||||
- --exceptionNamespace=
|
||||
- --protectManagedResources=false
|
||||
resources:
|
||||
limits:
|
||||
memory: 384Mi
|
||||
|
@ -35092,6 +35100,9 @@ spec:
|
|||
- --disableMetrics=false
|
||||
- --otelConfig=prometheus
|
||||
- --metricsPort=8000
|
||||
- --enableConfigMapCaching=true
|
||||
- --enablePolicyException=false
|
||||
- --exceptionNamespace=
|
||||
env:
|
||||
- name: METRICS_CONFIG
|
||||
value: kyverno-metrics
|
||||
|
@ -35181,6 +35192,7 @@ spec:
|
|||
- --disableMetrics=false
|
||||
- --otelConfig=prometheus
|
||||
- --metricsPort=8000
|
||||
- --dumpPayload=false
|
||||
env:
|
||||
- name: METRICS_CONFIG
|
||||
value: kyverno-metrics
|
||||
|
@ -35301,9 +35313,15 @@ spec:
|
|||
- --disableMetrics=false
|
||||
- --otelConfig=prometheus
|
||||
- --metricsPort=8000
|
||||
- --clientRateLimitBurst=300
|
||||
- --clientRateLimitQPS=300
|
||||
- --admissionReports=true
|
||||
- --backgroundScan=true
|
||||
- --backgroundScanWorkers=2
|
||||
- --backgroundScanInterval=1h
|
||||
- --skipResourceFilters=true
|
||||
- --enableConfigMapCaching=true
|
||||
- --enablePolicyException=false
|
||||
- --exceptionNamespace=
|
||||
- --reportsChunkSize=1000
|
||||
env:
|
||||
- name: METRICS_CONFIG
|
||||
value: kyverno-metrics
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
grafana:
|
||||
enabled: true
|
||||
|
||||
admissionController:
|
||||
container:
|
||||
extraArgs:
|
||||
enablePolicyException: true
|
||||
features:
|
||||
policyExceptions:
|
||||
enabled: true
|
||||
|
||||
admissionController:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
|
||||
|
@ -42,9 +42,6 @@ cleanupController:
|
|||
format: json
|
||||
|
||||
reportsController:
|
||||
extraArgs:
|
||||
enablePolicyException: true
|
||||
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
|
||||
|
|
|
@ -1,12 +1,3 @@
|
|||
admissionController:
|
||||
container:
|
||||
extraArgs:
|
||||
enablePolicyException: false
|
||||
|
||||
backgroundController:
|
||||
extraArgs:
|
||||
enablePolicyException: false
|
||||
|
||||
reportsController:
|
||||
extraArgs:
|
||||
enablePolicyException: false
|
||||
features:
|
||||
policyExceptions:
|
||||
enabled: false
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
admissionController:
|
||||
container:
|
||||
extraArgs:
|
||||
forceFailurePolicyIgnore: true
|
||||
features:
|
||||
forceFailurePolicyIgnore:
|
||||
enabled: true
|
||||
|
|
|
@ -1,12 +1,8 @@
|
|||
admissionController:
|
||||
container:
|
||||
extraArgs:
|
||||
enablePolicyException: true
|
||||
features:
|
||||
policyExceptions:
|
||||
enabled: true
|
||||
|
||||
backgroundController:
|
||||
extraArgs:
|
||||
enablePolicyException: true
|
||||
|
||||
rbac:
|
||||
clusterRole:
|
||||
extraResources:
|
||||
|
@ -33,7 +29,3 @@ cleanupController:
|
|||
- ''
|
||||
resources:
|
||||
- pods
|
||||
|
||||
reportsController:
|
||||
extraArgs:
|
||||
enablePolicyException: true
|
||||
|
|