mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

refactor: helm admission controller part 2 (#6130)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-27 14:52:26 +01:00 committed by GitHub
parent d29ada1c4d
commit e4b19ebb25
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 265 additions and 288 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
charts/kyverno/README.md
View file

@ -124,6 +124,8 @@ In `v3` chart values changed significantly, please read the instructions below t
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value.
## Uninstalling the Chart
To uninstall/delete the `kyverno` deployment:
@ -163,7 +165,7 @@ The command removes all the Kubernetes components associated with the chart and
| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| test.image.registry | string | `nil` | Image registry |
| test.image.repository | string | `"busybox"` | Image repository |
| test.image.tag | float | `1.35` | Image tag Defaults to `latest` if omitted |
| test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted |
| test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |

2
charts/kyverno/README.md.gotmpl
View file

@ -124,6 +124,8 @@ In `v3` chart values changed significantly, please read the instructions below t
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value.
## Uninstalling the Chart
To uninstall/delete the `kyverno` deployment:

26
charts/kyverno/templates/_helpers.tpl
View file

@ -33,24 +33,6 @@
{{ default .Release.Namespace .Values.namespaceOverride }}
{{- end -}}
{{/* Create the name of the service to use */}}
{{- define "kyverno.serviceName" -}}
{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "kyverno.podDisruptionBudget.spec" -}}
{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}}
{{- end }}
{{- if not .Values.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}
{{- define "kyverno.securityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.securityContext "seccompProfile") }}
@ -58,11 +40,3 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{ toYaml .Values.securityContext }}
{{- end }}
{{- end }}
{{- define "kyverno.image" -}}
{{- if .image.registry -}}
{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- else -}}
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- end -}}
{{- end }}

13
charts/kyverno/templates/_helpers/_image.tpl Normal file
View file

@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.image" -}}
{{- $tag := default .defaultTag .image.tag -}}
{{- if not (typeIs "string" $tag) -}}
{{ fail "Image tags must be strings." }}
{{- end -}}
{{- if .image.registry -}}
{{- print .image.registry "/" (required "An image repository is required" .image.repository) ":" $tag -}}
{{- else -}}
{{- print (required "An image repository is required" .image.repository) ":" $tag -}}
{{- end -}}
{{- end -}}

21
charts/kyverno/templates/_helpers/_pdb.tpl Normal file
View file

@ -0,0 +1,21 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.pdb.apiVersion" -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
policy/v1
{{- else -}}
policy/v1beta1
{{- end -}}
{{- end -}}
{{- define "kyverno.pdb.spec" -}}
{{- if and .minAvailable .maxUnavailable -}}
{{- fail "Cannot set both .minAvailable and .maxUnavailable" -}}
{{- end -}}
{{- if not .maxUnavailable }}
minAvailable: {{ default 1 .minAvailable }}
{{- end }}
{{- if .maxUnavailable }}
maxUnavailable: {{ .maxUnavailable }}
{{- end }}
{{- end -}}

4
charts/kyverno/templates/admission-controller/_helpers.tpl
View file

@ -29,3 +29,7 @@
{{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.admission-controller.serviceName" -}}
{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}

4
charts/kyverno/templates/deployment.yaml → charts/kyverno/templates/admission-controller/deployment.yaml
View file

@ -3,9 +3,9 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.fullname" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- with .Values.replicaCount }}
replicas: {{ . }}
@ -148,7 +148,7 @@ spec:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: {{ template "kyverno.admission-controller.serviceAccountName" . }}
- name: KYVERNO_SVC
value: {{ template "kyverno.serviceName" . }}
value: {{ template "kyverno.admission-controller.serviceName" . }}
- name: TUF_ROOT
value: {{ .Values.tufRootMountPath }}
{{- with .Values.envVars }}

14
charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml Normal file
View file

@ -0,0 +1,14 @@
{{- if (gt (int .Values.replicaCount) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
spec:
{{- include "kyverno.pdb.spec" .Values.podDisruptionBudget | nindent 2 }}
selector:
matchLabels:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
{{- end -}}

8
charts/kyverno/templates/secret.yaml → charts/kyverno/templates/admission-controller/secret.yaml
View file

@ -1,11 +1,11 @@
{{- if .Values.createSelfSignedCert }}
{{- if .Values.createSelfSignedCert -}}
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}}
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
@ -17,7 +17,7 @@ data:
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}

8
charts/kyverno/templates/service.yaml → charts/kyverno/templates/admission-controller/service.yaml
View file

@ -1,10 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}
name: {{ template "kyverno.admission-controller.serviceName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.service.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
{{- end }}
@ -25,10 +25,10 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}-metrics
name: {{ template "kyverno.admission-controller.serviceName" . }}-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.metricsService.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
{{- end }}

18
charts/kyverno/templates/servicemonitor.yaml → charts/kyverno/templates/admission-controller/servicemonitor.yaml
View file

@ -2,17 +2,17 @@
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- else }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ template "kyverno.serviceName" . }}-service-monitor
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- else }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{- toYaml .Values.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:

13
charts/kyverno/templates/cleanup-controller/_helpers.tpl
View file

@ -45,16 +45,3 @@
{{- toYaml .Values.cleanupController.securityContext -}}
{{- end }}
{{- end }}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "kyverno.cleanup-controller.podDisruptionBudget.spec" -}}
{{- if and .Values.cleanupController.podDisruptionBudget.minAvailable .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.cleanupController.podDisruptionBudget.minAvailable and .Values.cleanupController.podDisruptionBudget.maxUnavailable" -}}
{{- end }}
{{- if not .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.cleanupController.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}

10
charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml
View file

@ -1,18 +1,14 @@
{{- if .Values.cleanupController.enabled -}}
{{- if (gt (int .Values.cleanupController.replicas) 1) -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
apiVersion: policy/v1
{{- else -}}
apiVersion: policy/v1beta1
{{- end }}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "kyverno.cleanup-controller.podDisruptionBudget.spec" . | indent 2 }}
{{- include "kyverno.pdb.spec" .Values.cleanupController.podDisruptionBudget | nindent 2 }}
selector:
matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}

4
charts/kyverno/templates/hooks/pre-delete.yaml
View file

@ -10,9 +10,11 @@ metadata:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
spec:
serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
restartPolicy: Never
containers:
- name: kubectl
image: {{ .Values.webhooksCleanup.image }}
@ -24,6 +26,4 @@ spec:
sleep 30
kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
restartPolicy: Never
backoffLimit: 2
{{- end -}}

18
charts/kyverno/templates/poddisruptionbudget.yaml
View file

@ -1,18 +0,0 @@
{{- if (gt (int .Values.replicaCount) 1) }}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.fullname" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }}
selector:
matchLabels:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
{{- end }}

14
charts/kyverno/templates/reports-controller/_helpers.tpl
View file

@ -46,17 +46,3 @@
{{ toYaml .Values.reportsController.securityContext }}
{{- end }}
{{- end }}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "kyverno.reports-controller.podDisruptionBudget.spec" -}}
{{- if and .Values.reportsController.podDisruptionBudget.minAvailable .Values.reportsController.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.reportsController.podDisruptionBudget.minAvailable and .Values.reportsController.podDisruptionBudget.maxUnavailable" -}}
{{- end }}
{{- if not .Values.reportsController.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.reportsController.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.reportsController.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.reportsController.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}

10
charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml
View file

@ -1,18 +1,14 @@
{{- if .Values.reportsController.enabled -}}
{{- if (gt (int .Values.reportsController.replicas) 1) -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
apiVersion: policy/v1
{{- else -}}
apiVersion: policy/v1beta1
{{- end }}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.reports-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "kyverno.reports-controller.podDisruptionBudget.spec" . | indent 2 }}
{{- include "kyverno.pdb.spec" .Values.reportsController.podDisruptionBudget | nindent 2 }}
selector:
matchLabels:
{{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}

2
charts/kyverno/templates/tests/admission-controller-liveness.yaml
View file

@ -22,4 +22,4 @@ spec:
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/liveness
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/liveness

2
charts/kyverno/templates/tests/admission-controller-metrics.yaml
View file

@ -23,5 +23,5 @@ spec:
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.metricsService.port }}/metrics
- sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.metricsService.port }}/metrics
{{- end -}}

2
charts/kyverno/templates/tests/admission-controller-readiness.yaml
View file

@ -22,4 +22,4 @@ spec:
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/readiness
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.service.port }}/health/readiness

34
charts/kyverno/values.yaml
View file

@ -84,10 +84,10 @@ config:
- '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]'
- '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]'
- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]'
- '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]'
- '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]'
- '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.serviceName" . }}-service-monitor]'
- '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-*]'
# -- Defines the `namespaceSelector` in the webhook configurations.
@ -153,16 +153,16 @@ existingImagePullSecrets: []
test:
image:
# -- Image registry
registry:
# -- (string) Image registry
registry: ~
# -- Image repository
repository: busybox
# -- Image tag
# Defaults to `latest` if omitted
tag: 1.35
# -- Image pull policy
tag: '1.35'
# -- (string) Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy:
pullPolicy: ~
resources:
# -- Pod resource limits
@ -204,8 +204,8 @@ rbac:
# example.com/annotation: value
image:
# -- Image registry
registry:
# -- (string) Image registry
registry: ~
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/kyverno
@ -221,8 +221,8 @@ image:
# - secretName
initImage:
# -- Image registry
registry:
# -- (string) Image registry
registry: ~
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/kyvernopre
@ -536,8 +536,8 @@ cleanupController:
createSelfSignedCert: false
image:
# -- Image registry
registry:
# -- (string) Image registry
registry: ~
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/kyverno
@ -780,8 +780,8 @@ reportsController:
# - pods
image:
# -- Image registry
registry:
# -- (string) Image registry
registry: ~
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/kyverno

322
config/install.yaml
View file

@ -31997,6 +31997,50 @@ subjects:
---
apiVersion: v1
kind: Service
metadata:
name: kyverno-svc
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: kyverno-svc-metrics
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
ports:
- port: 8000
targetPort: 8000
protocol: TCP
name: metrics-port
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: kyverno-cleanup-controller
namespace: kyverno
@ -32061,176 +32105,16 @@ spec:
app.kubernetes.io/part-of: kyverno
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: kyverno-svc
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: kyverno-svc-metrics
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
spec:
ports:
- port: 8000
targetPort: 8000
protocol: TCP
name: metrics-port
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno-cleanup-controller
labels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
spec:
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
template:
metadata:
labels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- cleanup-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
image: "ghcr.io/kyverno/cleanup-controller:latest"
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --loggingFormat=text
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
env:
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-cleanup-controller
resources:
limits:
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
startupProbe:
failureThreshold: 20
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 2
periodSeconds: 6
livenessProbe:
failureThreshold: 2
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
failureThreshold: 6
httpGet:
path: /health/readiness
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
spec:
selector:
matchLabels:
@ -32399,6 +32283,122 @@ spec:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno-cleanup-controller
labels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
spec:
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
template:
metadata:
labels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
spec:
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- cleanup-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
image: "ghcr.io/kyverno/cleanup-controller:latest"
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --loggingFormat=text
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
env:
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-cleanup-controller
resources:
limits:
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
startupProbe:
failureThreshold: 20
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 2
periodSeconds: 6
livenessProbe:
failureThreshold: 2
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
failureThreshold: 6
httpGet:
path: /health/readiness
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno-reports-controller
labels: