From e4b19ebb2581505af8f655510849a59b1a6b72db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 27 Jan 2023 14:52:26 +0100 Subject: [PATCH] refactor: helm admission controller part 2 (#6130) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché 
Signed-off-by: Charles-Edouard Brétéché
---
 charts/kyverno/README.md | 4 +-
 charts/kyverno/README.md.gotmpl | 2 +
 charts/kyverno/templates/_helpers.tpl | 26 --
 charts/kyverno/templates/_helpers/_image.tpl | 13 +
 charts/kyverno/templates/_helpers/_pdb.tpl | 21 ++
 .../admission-controller/_helpers.tpl | 4 +
 .../deployment.yaml | 4 +-
 .../poddisruptionbudget.yaml | 14 +
 .../{ => admission-controller}/secret.yaml | 8 +-
 .../{ => admission-controller}/service.yaml | 8 +-
 .../servicemonitor.yaml | 18 +-
 .../templates/cleanup-controller/_helpers.tpl | 13 -
 .../poddisruptionbudget.yaml | 10 +-
 .../kyverno/templates/hooks/pre-delete.yaml | 4 +-
 .../templates/poddisruptionbudget.yaml | 18 -
 .../templates/reports-controller/_helpers.tpl | 14 -
 .../poddisruptionbudget.yaml | 10 +-
 .../tests/admission-controller-liveness.yaml | 2 +-
 .../tests/admission-controller-metrics.yaml | 2 +-
 .../tests/admission-controller-readiness.yaml | 2 +-
 charts/kyverno/values.yaml | 34 +-
 config/install.yaml | 322 +++++++++---------
 22 files changed, 265 insertions(+), 288 deletions(-)
 create mode 100644 charts/kyverno/templates/_helpers/_image.tpl
 create mode 100644 charts/kyverno/templates/_helpers/_pdb.tpl
 rename charts/kyverno/templates/{ => admission-controller}/deployment.yaml (98%)
 create mode 100644 charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml
 rename charts/kyverno/templates/{ => admission-controller}/secret.yaml (64%)
 rename charts/kyverno/templates/{ => admission-controller}/service.yaml (90%)
 rename charts/kyverno/templates/{ => admission-controller}/servicemonitor.yaml (74%)
 delete mode 100644 charts/kyverno/templates/poddisruptionbudget.yaml
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 8251876026..ef1a6732f5 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -124,6 +124,8 @@ In `v3` chart values changed significantly, please read the instructions below t - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. +- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: @@ -163,7 +165,7 @@ The command removes all the Kubernetes components associated with the chart and | existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | | test.image.registry | string | `nil` | Image registry | | test.image.repository | string | `"busybox"` | Image repository | -| test.image.tag | float | `1.35` | Image tag Defaults to `latest` if omitted | +| test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted | | test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl index 3137c31651..d3c15eadcb 100644 --- a/charts/kyverno/README.md.gotmpl +++ b/charts/kyverno/README.md.gotmpl 
@@ -124,6 +124,8 @@ In `v3` chart values changed significantly, please read the instructions below t - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. +- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index 74c6b566db..926f2cf2b6 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -33,24 +33,6 @@ {{ default .Release.Namespace .Values.namespaceOverride }} {{- end -}} -{{/* Create the name of the service to use */}} -{{- define "kyverno.serviceName" -}} -{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Create the default PodDisruptionBudget to use */}} -{{- define "kyverno.podDisruptionBudget.spec" -}} -{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }} -{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}} -{{- end }} -{{- if not .Values.podDisruptionBudget.maxUnavailable }} -minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.podDisruptionBudget.maxUnavailable }} -maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} - {{- define "kyverno.securityContext" -}} {{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} {{ toYaml (omit .Values.securityContext "seccompProfile") }} 
@@ -58,11 +40,3 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} {{ toYaml .Values.securityContext }} {{- end }} {{- end }} - -{{- define "kyverno.image" -}} - {{- if .image.registry -}} -{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} - {{- else -}} -{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} - {{- end -}} -{{- end }} diff --git a/charts/kyverno/templates/_helpers/_image.tpl b/charts/kyverno/templates/_helpers/_image.tpl new file mode 100644 index 0000000000..5354a4d664 --- /dev/null +++ b/charts/kyverno/templates/_helpers/_image.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.image" -}} +{{- $tag := default .defaultTag .image.tag -}} +{{- if not (typeIs "string" $tag) -}} + {{ fail "Image tags must be strings." }} +{{- end -}} +{{- if .image.registry -}} + {{- print .image.registry "/" (required "An image repository is required" .image.repository) ":" $tag -}} +{{- else -}} + {{- print (required "An image repository is required" .image.repository) ":" $tag -}} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/_helpers/_pdb.tpl b/charts/kyverno/templates/_helpers/_pdb.tpl new file mode 100644 index 0000000000..78fc2e5324 --- /dev/null +++ b/charts/kyverno/templates/_helpers/_pdb.tpl @@ -0,0 +1,21 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.pdb.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +policy/v1 +{{- else -}} +policy/v1beta1 +{{- end -}} +{{- end -}} + +{{- define "kyverno.pdb.spec" -}} +{{- if and .minAvailable .maxUnavailable -}} + {{- fail "Cannot set both .minAvailable and .maxUnavailable" -}} +{{- end -}} +{{- if not .maxUnavailable }} +minAvailable: {{ default 1 .minAvailable }} +{{- end }} +{{- if .maxUnavailable }} +maxUnavailable: {{ .maxUnavailable }} +{{- end }} +{{- end -}} 
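Review bot: The new type check in `kyverno.image` fails with a fixed "Image tags must be strings." that names neither the offending value nor the image stanza it came from, so a chart with several `image:` blocks leaves the user guessing which `tag:` to quote. Include the value and its type in the message, e.g. `{{- fail (printf "Image tag must be a string, got %v (%T); quote it in values, e.g. tag: '1.35'" $tag $tag) -}}`. Separately, the helper only ever composes `repository:tag`, and the `image:` values touched in this patch expose just registry/repository/tag/pullPolicy, so there appears to be no way to pin an immutable `repository@sha256:...` reference through it; if a digest field is intended to be added later, a comment noting that tags remain mutable references would help readers of this helper.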
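Review bot: `kyverno.pdb.spec` treats a value of `0` as unset: `maxUnavailable: 0` is dropped by `if .maxUnavailable`, `minAvailable: 0` is turned into `minAvailable: 1` by `default 1`, and the both-set guard `and .minAvailable .maxUnavailable` does not fire when either side is `0`. This is carried over from the three per-controller helpers this patch deletes, but now that it is the single shared helper it is worth either documenting or tightening with `hasKey` checks on the passed map. At minimum add `{{/* NOTE: 0 is indistinguishable from unset here; minAvailable defaults to 1 */}}` above the `if not .maxUnavailable` line.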
diff --git a/charts/kyverno/templates/admission-controller/_helpers.tpl b/charts/kyverno/templates/admission-controller/_helpers.tpl index da16b7dd30..781c314493 100644 --- a/charts/kyverno/templates/admission-controller/_helpers.tpl +++ b/charts/kyverno/templates/admission-controller/_helpers.tpl @@ -29,3 +29,7 @@ {{ default "default" .Values.rbac.serviceAccount.name }} {{- end -}} {{- end -}} + +{{- define "kyverno.admission-controller.serviceName" -}} +{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml similarity index 98% rename from charts/kyverno/templates/deployment.yaml rename to charts/kyverno/templates/admission-controller/deployment.yaml index 9794161218..6b4de085d4 100644 --- a/charts/kyverno/templates/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -3,9 +3,9 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "kyverno.fullname" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: {{- with .Values.replicaCount }} replicas: {{ . }} @@ -148,7 +148,7 @@ spec: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.admission-controller.serviceAccountName" . }} - name: KYVERNO_SVC - value: {{ template "kyverno.serviceName" . }} + value: {{ template "kyverno.admission-controller.serviceName" . }} - name: TUF_ROOT value: {{ .Values.tufRootMountPath }} {{- with .Values.envVars }} diff --git a/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml new file mode 100644 index 0000000000..18b8b52ff9 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml 
@@ -0,0 +1,14 @@ +{{- if (gt (int .Values.replicaCount) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} +{{- end -}} diff --git a/charts/kyverno/templates/secret.yaml b/charts/kyverno/templates/admission-controller/secret.yaml similarity index 64% rename from charts/kyverno/templates/secret.yaml rename to charts/kyverno/templates/admission-controller/secret.yaml index bf751a7ad1..e16734156e 100644 --- a/charts/kyverno/templates/secret.yaml +++ b/charts/kyverno/templates/admission-controller/secret.yaml @@ -1,11 +1,11 @@ -{{- if .Values.createSelfSignedCert }} +{{- if .Values.createSelfSignedCert -}} {{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} -{{- $svcName := (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) -}} +{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}} {{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} apiVersion: v1 kind: Secret metadata: - name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} 
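Review bot: The admission-controller PodDisruptionBudget is now named with `kyverno.admission-controller.name`, whereas the template this patch deletes used `kyverno.fullname`, and the `config.resourceFilters` entry `[PodDisruptionBudget,<ns>,{{ template "kyverno.fullname" . }}]` is left untouched in the values.yaml hunk of this same patch. If those two helpers render different strings (the definition of `kyverno.admission-controller.name` is not in this diff), the PDB falls out of the self-exclusion filter and Kyverno starts evaluating user policies against its own PDB. Either keep the old name or update the filter to `- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]'`.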
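Review bot: `genCA` and `genSignedCert` run on every render, so each `helm upgrade` replaces the CA and the serving key pair in these Secrets; with `createSelfSignedCert` enabled the webhook caBundle and the admission controller's serving cert therefore rotate on every release, which is worth stating next to the `$ca` line so operators are not surprised by a short window of webhook TLS failures. A `lookup`-guarded reuse of an existing Secret is the usual mitigation if that is undesirable. Also, the `1024` argument reads like an RSA key size but, per Sprig's `genCA cn daysValid` signature, it is the validity in days; a comment such as `{{/* 1024 = certificate validity in days, not a key size */}}` would prevent a future "upgrade" to 2048 that silently doubles the lifetime.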
@@ -17,7 +17,7 @@ data: apiVersion: v1 kind: Secret metadata: - name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} diff --git a/charts/kyverno/templates/service.yaml b/charts/kyverno/templates/admission-controller/service.yaml similarity index 90% rename from charts/kyverno/templates/service.yaml rename to charts/kyverno/templates/admission-controller/service.yaml index 0c21e7c43a..4fb0d60338 100644 --- a/charts/kyverno/templates/service.yaml +++ b/charts/kyverno/templates/admission-controller/service.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "kyverno.serviceName" . }} + name: {{ template "kyverno.admission-controller.serviceName" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} {{- with .Values.service.annotations }} annotations: {{ tpl (toYaml .) $ | nindent 4 }} {{- end }} @@ -25,10 +25,10 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "kyverno.serviceName" . }}-metrics + name: {{ template "kyverno.admission-controller.serviceName" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} {{- with .Values.metricsService.annotations }} annotations: {{ tpl (toYaml .) $ | nindent 4 }} {{- end }} 
diff --git a/charts/kyverno/templates/servicemonitor.yaml b/charts/kyverno/templates/admission-controller/servicemonitor.yaml similarity index 74% rename from charts/kyverno/templates/servicemonitor.yaml rename to charts/kyverno/templates/admission-controller/servicemonitor.yaml index 0fa57e1ad8..806f9a886e 100644 --- a/charts/kyverno/templates/servicemonitor.yaml +++ b/charts/kyverno/templates/admission-controller/servicemonitor.yaml @@ -2,17 +2,17 @@ apiVersion: "monitoring.coreos.com/v1" kind: ServiceMonitor metadata: + name: {{ template "kyverno.admission-controller.name" . }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} -{{- if .Values.serviceMonitor.additionalLabels }} -{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }} -{{- end }} - name: {{ template "kyverno.serviceName" . }}-service-monitor -{{- if .Values.serviceMonitor.namespace }} - namespace: {{ .Values.serviceMonitor.namespace }} -{{- else }} - namespace: {{ template "kyverno.namespace" . }} -{{- end }} + {{- if .Values.serviceMonitor.additionalLabels }} + {{- toYaml .Values.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} spec: selector: matchLabels: diff --git a/charts/kyverno/templates/cleanup-controller/_helpers.tpl b/charts/kyverno/templates/cleanup-controller/_helpers.tpl index 6c2e1b8ed0..4aa641b9a8 100644 --- a/charts/kyverno/templates/cleanup-controller/_helpers.tpl +++ b/charts/kyverno/templates/cleanup-controller/_helpers.tpl 
@@ -45,16 +45,3 @@ {{- toYaml .Values.cleanupController.securityContext -}} {{- end }} {{- end }} - -{{/* Create the default PodDisruptionBudget to use */}} -{{- define "kyverno.cleanup-controller.podDisruptionBudget.spec" -}} -{{- if and .Values.cleanupController.podDisruptionBudget.minAvailable .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -{{- fail "Cannot set both .Values.cleanupController.podDisruptionBudget.minAvailable and .Values.cleanupController.podDisruptionBudget.maxUnavailable" -}} -{{- end }} -{{- if not .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -minAvailable: {{ default 1 .Values.cleanupController.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -maxUnavailable: {{ .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} diff --git a/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml index 30b942c4e9..4cf02be138 100644 --- a/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml +++ b/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml 
@@ -1,18 +1,14 @@ {{- if .Values.cleanupController.enabled -}} {{- if (gt (int .Values.cleanupController.replicas) 1) -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -apiVersion: policy/v1 -{{- else -}} -apiVersion: policy/v1beta1 -{{- end }} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: - {{- include "kyverno.cleanup-controller.podDisruptionBudget.spec" . | indent 2 }} + {{- include "kyverno.pdb.spec" .Values.cleanupController.podDisruptionBudget | nindent 2 }} selector: matchLabels: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} diff --git a/charts/kyverno/templates/hooks/pre-delete.yaml b/charts/kyverno/templates/hooks/pre-delete.yaml index 5ce1e46ad8..18eb7b1378 100644 --- a/charts/kyverno/templates/hooks/pre-delete.yaml +++ b/charts/kyverno/templates/hooks/pre-delete.yaml @@ -10,9 +10,11 @@ metadata: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed spec: + backoffLimit: 2 template: spec: serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} + restartPolicy: Never containers: - name: kubectl image: {{ .Values.webhooksCleanup.image }} @@ -24,6 +26,4 @@ spec: sleep 30 kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno - restartPolicy: Never - backoffLimit: 2 {{- end -}} diff --git a/charts/kyverno/templates/poddisruptionbudget.yaml b/charts/kyverno/templates/poddisruptionbudget.yaml deleted file mode 100644 index 8cadcc60dc..0000000000 --- a/charts/kyverno/templates/poddisruptionbudget.yaml +++ /dev/null 
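Review bot: Moving `backoffLimit` and `restartPolicy` to their correct levels fixes the Job spec, but the unchanged context line `serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}` uses the deprecated pod field; the canonical key is `serviceAccountName`, and this hook relies on that identity to delete cluster-scoped Validating/MutatingWebhookConfigurations, so it should not depend on alias handling. Change it to `serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }}`. The hook image is also taken straight from `.Values.webhooksCleanup.image` rather than the new `kyverno.image` helper, so it gets neither the tag validation nor the registry override the other components now have; if that is deliberate, a comment saying so would help. No pod or container `securityContext` is visible in this hunk, but the spec continues outside it.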
@@ -1,18 +0,0 @@ -{{- if (gt (int .Values.replicaCount) 1) }} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.admission-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} -spec: - {{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }} - selector: - matchLabels: - {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/kyverno/templates/reports-controller/_helpers.tpl b/charts/kyverno/templates/reports-controller/_helpers.tpl index 96f3220125..dafe29b74c 100644 --- a/charts/kyverno/templates/reports-controller/_helpers.tpl +++ b/charts/kyverno/templates/reports-controller/_helpers.tpl @@ -46,17 +46,3 @@ {{ toYaml .Values.reportsController.securityContext }} {{- end }} {{- end }} - -{{/* Create the default PodDisruptionBudget to use */}} -{{- define "kyverno.reports-controller.podDisruptionBudget.spec" -}} -{{- if and .Values.reportsController.podDisruptionBudget.minAvailable .Values.reportsController.podDisruptionBudget.maxUnavailable }} -{{- fail "Cannot set both .Values.reportsController.podDisruptionBudget.minAvailable and .Values.reportsController.podDisruptionBudget.maxUnavailable" -}} -{{- end }} -{{- if not .Values.reportsController.podDisruptionBudget.maxUnavailable }} -minAvailable: {{ default 1 .Values.reportsController.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.reportsController.podDisruptionBudget.maxUnavailable }} -maxUnavailable: {{ .Values.reportsController.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} - diff --git a/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml index a1321a2f8c..b1fdc7a505 100644 
--- a/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml +++ b/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml @@ -1,18 +1,14 @@ {{- if .Values.reportsController.enabled -}} {{- if (gt (int .Values.reportsController.replicas) 1) -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -apiVersion: policy/v1 -{{- else -}} -apiVersion: policy/v1beta1 -{{- end }} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "kyverno.reports-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: - {{- include "kyverno.reports-controller.podDisruptionBudget.spec" . | indent 2 }} + {{- include "kyverno.pdb.spec" .Values.reportsController.podDisruptionBudget | nindent 2 }} selector: matchLabels: {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }} diff --git a/charts/kyverno/templates/tests/admission-controller-liveness.yaml b/charts/kyverno/templates/tests/admission-controller-liveness.yaml index aa1fe77997..da31f5add6 100644 --- a/charts/kyverno/templates/tests/admission-controller-liveness.yaml +++ b/charts/kyverno/templates/tests/admission-controller-liveness.yaml @@ -22,4 +22,4 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/liveness + - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/liveness diff --git a/charts/kyverno/templates/tests/admission-controller-metrics.yaml b/charts/kyverno/templates/tests/admission-controller-metrics.yaml index 2f187cbec7..91c4841593 100644 
--- a/charts/kyverno/templates/tests/admission-controller-metrics.yaml +++ b/charts/kyverno/templates/tests/admission-controller-metrics.yaml @@ -23,5 +23,5 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.metricsService.port }}/metrics + - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.metricsService.port }}/metrics {{- end -}} diff --git a/charts/kyverno/templates/tests/admission-controller-readiness.yaml b/charts/kyverno/templates/tests/admission-controller-readiness.yaml index 38e4265a42..42b672ae3c 100644 --- a/charts/kyverno/templates/tests/admission-controller-readiness.yaml +++ b/charts/kyverno/templates/tests/admission-controller-readiness.yaml @@ -22,4 +22,4 @@ spec: command: - /bin/sh - -c - - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/readiness + - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/readiness diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 132172bbc8..c8e78fcfbe 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -84,10 +84,10 @@ config: - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]' - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]' - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]' - - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]' - - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]' - - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]' + - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.serviceName" . }}-service-monitor]' - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-*]' # -- Defines the `namespaceSelector` in the webhook configurations. 
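Review bot: The ServiceMonitor filter is rewritten to `{{ template "kyverno.admission-controller.serviceName" . }}-service-monitor`, but the servicemonitor.yaml hunk in this same patch renames the object to `{{ template "kyverno.admission-controller.name" . }}` and drops the `-service-monitor` suffix, so this entry no longer matches any rendered resource and the ServiceMonitor is no longer excluded from policy evaluation. Use the same helper the template uses: `- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]'`. Since `resourceFilters` is the mechanism that keeps Kyverno's own objects out of policy scope, a short comment above the list stating that each entry must track the name used by its template would make this class of drift easier to catch in review.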
@@ -153,16 +153,16 @@ existingImagePullSecrets: [] test: image: - # -- Image registry - registry: + # -- (string) Image registry + registry: ~ # -- Image repository repository: busybox # -- Image tag # Defaults to `latest` if omitted - tag: 1.35 - # -- Image pull policy + tag: '1.35' + # -- (string) Image pull policy # Defaults to image.pullPolicy if omitted - pullPolicy: + pullPolicy: ~ resources: # -- Pod resource limits @@ -204,8 +204,8 @@ rbac: # example.com/annotation: value image: - # -- Image registry - registry: + # -- (string) Image registry + registry: ~ # If you want to manage the registry you should remove it from the repository # registry: ghcr.io # repository: kyverno/kyverno @@ -221,8 +221,8 @@ image: # - secretName initImage: - # -- Image registry - registry: + # -- (string) Image registry + registry: ~ # If you want to manage the registry you should remove it from the repository # registry: ghcr.io # repository: kyverno/kyvernopre @@ -536,8 +536,8 @@ cleanupController: createSelfSignedCert: false image: - # -- Image registry - registry: + # -- (string) Image registry + registry: ~ # If you want to manage the registry you should remove it from the repository # registry: ghcr.io # repository: kyverno/kyverno @@ -780,8 +780,8 @@ reportsController: # - pods image: - # -- Image registry - registry: + # -- (string) Image registry + registry: ~ # If you want to manage the registry you should remove it from the repository # registry: ghcr.io # repository: kyverno/kyverno diff --git a/config/install.yaml b/config/install.yaml index 4fe3646069..1dd55cfabf 100644 --- a/config/install.yaml +++ b/config/install.yaml 
@@ -31997,6 +31997,50 @@ subjects: --- apiVersion: v1 kind: Service +metadata: + name: kyverno-svc + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +spec: + ports: + - port: 443 + targetPort: https + protocol: TCP + name: https + selector: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-svc-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service metadata: name: kyverno-cleanup-controller namespace: kyverno 
@@ -32061,176 +32105,16 @@ spec: app.kubernetes.io/part-of: kyverno type: ClusterIP --- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-svc - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest - namespace: kyverno -spec: - ports: - - port: 443 - targetPort: https - protocol: TCP - name: https - selector: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-svc-metrics - labels: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest - namespace: kyverno -spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port - selector: - app.kubernetes.io/component: admission-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: kyverno-cleanup-controller - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest - namespace: kyverno -spec: - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - selector: - matchLabels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - template: - metadata: - labels: - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest - spec: - dnsPolicy: ClusterFirst - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: 
app.kubernetes.io/component - operator: In - values: - - cleanup-controller - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: kyverno-cleanup-controller - containers: - - name: controller - image: "ghcr.io/kyverno/cleanup-controller:latest" - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics - protocol: TCP - args: - - --loggingFormat=text - - --disableMetrics=false - - --otelConfig=prometheus - - --metricsPort=8000 - env: - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_SVC - value: kyverno-cleanup-controller - resources: - limits: - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - startupProbe: - failureThreshold: 20 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 2 - periodSeconds: 6 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 ---- apiVersion: apps/v1 kind: Deployment metadata: name: kyverno + namespace: kyverno labels: app.kubernetes.io/component: admission-controller app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: latest - namespace: kyverno spec: selector: matchLabels: 
@@ -32399,6 +32283,122 @@ spec: --- apiVersion: apps/v1 kind: Deployment +metadata: + name: kyverno-cleanup-controller + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest + namespace: kyverno +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - cleanup-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-cleanup-controller + containers: + - name: controller + image: "ghcr.io/kyverno/cleanup-controller:latest" + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + - --loggingFormat=text + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + env: + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_SVC + value: kyverno-cleanup-controller + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + startupProbe: 
+ failureThreshold: 20 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 2 + periodSeconds: 6 + livenessProbe: + failureThreshold: 2 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 +--- +apiVersion: apps/v1 +kind: Deployment metadata: name: kyverno-reports-controller labels: