feat: migrate existing policy exceptions to the new storage version in helm hook (#9412)

* feat: migrate existing policy exceptions to the new storage version in helm Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix: add permissions for the admission controller to patch exceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix codegen Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * move migration hook to a separate directory Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * use cli Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: update admission controller permissions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-04-18 02:06:52 +00:00 · 2024-01-21 22:13:56 +02:00 · 2024-01-21 22:13:56 +02:00 · ea748276bb
commit ea748276bb
parent 3145b96f57
6 changed files with 175 additions and 6 deletions
--- a/16
+++ b/16
@ -839,12 +839,13 @@ test-perf: $(PACKAGE_SHIM) ## Run perf tests

 .PHONY: docker-save-image-all
 docker-save-image-all: $(KIND) image-build-all ## Save docker images in archive
-	docker save 												\
-		$(LOCAL_REGISTRY)/$(LOCAL_KYVERNOPRE_REPO):$(GIT_SHA) 	\
-		$(LOCAL_REGISTRY)/$(LOCAL_KYVERNO_REPO):$(GIT_SHA) 		\
-		$(LOCAL_REGISTRY)/$(LOCAL_CLEANUP_REPO):$(GIT_SHA) 		\
-		$(LOCAL_REGISTRY)/$(LOCAL_REPORTS_REPO):$(GIT_SHA) 		\
-		$(LOCAL_REGISTRY)/$(LOCAL_BACKGROUND_REPO):$(GIT_SHA) 	\
+	docker save \
+		$(LOCAL_REGISTRY)/$(LOCAL_KYVERNOPRE_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_KYVERNO_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_CLEANUP_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_REPORTS_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_BACKGROUND_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_CLI_REPO):$(GIT_SHA) \
 	> kyverno.tar

 ########
@ -924,6 +925,9 @@ kind-install-kyverno: $(HELM) ## Install kyverno helm chart
 		--set backgroundController.image.registry=$(LOCAL_REGISTRY) \
 		--set backgroundController.image.repository=$(LOCAL_BACKGROUND_REPO) \
 		--set backgroundController.image.tag=$(GIT_SHA) \
+		--set crdsMigration.image.registry=$(LOCAL_REGISTRY) \
+		--set crdsMigration.image.repository=$(LOCAL_CLI_REPO) \
+		--set crdsMigration.image.tag=$(GIT_SHA) \
 		$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml)

 .PHONY: kind-deploy-kyverno
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -751,6 +751,20 @@ The chart values are organised per component.
 | policyReportsCleanup.podLabels | object | `{}` | Pod labels. |
 | policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
 | policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
+| crdsMigration.exceptions | object | `{"enabled":true}` | Create a helm post-upgrade hook to migrate the existing CRDs to the stored version |
+| crdsMigration.image.registry | string | `"ghcr.io"` | Image registry |
+| crdsMigration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository |
+| crdsMigration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
+| crdsMigration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| crdsMigration.imagePullSecrets | list | `[]` | Image pull secrets |
+| crdsMigration.podSecurityContext | object | `{}` | Security context for the pod |
+| crdsMigration.nodeSelector | object | `{}` | Node labels for pod assignment |
+| crdsMigration.tolerations | list | `[]` | List of node taints to tolerate |
+| crdsMigration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| crdsMigration.podAffinity | object | `{}` | Pod affinity constraints. |
+| crdsMigration.podLabels | object | `{}` | Pod labels. |
+| crdsMigration.nodeAffinity | object | `{}` | Node affinity constraints. |
+| crdsMigration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |

 ## TLS Configuration

--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@ -98,6 +98,20 @@ rules:
      - subjectaccessreviews
    verbs:
      - create
+  {{- if .Values.crdsMigration.exceptions.enabled }}
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - policyexceptions
+    verbs:
+      - update
+  - apiGroups:
+    - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions/status
+    verbs:
+      - update
+{{- end }}
  - apiGroups:
      - '*'
    resources:
--- a/charts/kyverno/templates/hooks/crds-migration/exceptions-post-upgrade.yaml
+++ b/charts/kyverno/templates/hooks/crds-migration/exceptions-post-upgrade.yaml
@ -0,0 +1,66 @@
+{{- if and .Values.crdsMigration.exceptions.enabled (not .Values.templating.enabled) -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "kyverno.fullname" . }}-hook-post-upgrade-exceptions-migration
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.hooks.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+spec:
+  backoffLimit: 2
+  template:
+    metadata:
+      {{- with .Values.crdsMigration.podLabels }}
+      labels:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+      {{- with .Values.crdsMigration.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      containers:
+        - name: kubectl
+          image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.crdsMigration.image "defaultTag" (default .Chart.AppVersion .Values.crdsMigration.image.tag))) | quote }}
+          imagePullPolicy: {{ .Values.crdsMigration.image.pullPolicy }}
+          args:
+            - migrate
+            - --resource
+            - policyexceptions.kyverno.io
+          {{- with .Values.crdsMigration.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.crdsMigration.imagePullSecrets }}
+      imagePullSecrets:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.crdsMigration.tolerations }}
+      tolerations:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- with .Values.crdsMigration.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      {{- if or .Values.crdsMigration.podAntiAffinity .Values.crdsMigration.podAffinity .Values.crdsMigration.nodeAffinity }}
+      affinity:
+        {{- with .Values.crdsMigration.podAntiAffinity }}
+        podAntiAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.crdsMigration.podAffinity }}
+        podAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+        {{- with .Values.crdsMigration.nodeAffinity }}
+        nodeAffinity:
+          {{- tpl (toYaml .) $ | nindent 10 }}
+        {{- end }}
+      {{- end }}
+{{- end -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -10,11 +10,13 @@ global:
    # -- (string) Global value that allows to set a single image registry across all deployments.
    # When set, it will override any values set under `.image.registry` across the chart.
    registry: ~
+
  caCertificates:
    # -- Global CA certificates to use with Kyverno deployments
    # This value is expected to be one large string of CA certificates
    # Individual controller values will override this global value
    data: ~
+
    # -- Global value to set single volume to be mounted for CA certificates for all deployments.
    # Not used when `.Values.global.caCertificates.data` is defined
    # Individual  controller values will override this global value
@ -23,12 +25,14 @@ global:
    # hostPath:
    #   path: /etc/pki/tls/ca-certificates.crt
    #   type: File
+
  # -- Additional container environment variables to apply to all containers and init containers
  extraEnvVars: []
  # Example setting proxy
  # extraEnvVars:
  # - name: HTTPS_PROXY
  #   value: 'https://proxy.example.com:3128'
+
  # -- Global node labels for pod assignment. Non-global values will override the global value.
  nodeSelector: {}

@ -463,6 +467,61 @@ policyReportsCleanup:
    seccompProfile:
      type: RuntimeDefault

+crdsMigration:
+  # -- Create a helm post-upgrade hook to migrate the existing CRDs to the stored version
+  exceptions:
+    enabled: true
+
+  image:
+    # -- (string) Image registry
+    registry: ghcr.io
+    # -- (string) Image repository
+    repository: kyverno/kyverno-cli
+    # -- (string) Image tag
+    # Defaults to appVersion in Chart.yaml if omitted
+    tag: ~
+    # -- (string) Image pull policy
+    pullPolicy: IfNotPresent
+
+  # -- Image pull secrets
+  imagePullSecrets: []
+  # - name: secretName
+
+  # -- Security context for the pod
+  podSecurityContext: {}
+
+  # -- Node labels for pod assignment
+  nodeSelector: {}
+
+  # -- List of node taints to tolerate
+  tolerations: []
+
+  # -- Pod anti affinity constraints.
+  podAntiAffinity: {}
+
+  # -- Pod affinity constraints.
+  podAffinity: {}
+
+  # -- Pod labels.
+  podLabels: {}
+
+  # -- Node affinity constraints.
+  nodeAffinity: {}
+
+  # -- Security context for the hook containers
+  securityContext:
+    runAsUser: 65534
+    runAsGroup: 65534
+    runAsNonRoot: true
+    privileged: false
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+
 grafana:
  # -- Enable grafana dashboard creation.
  enabled: false
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -49217,6 +49217,18 @@ rules:
      - subjectaccessreviews
    verbs:
      - create
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - policyexceptions
+    verbs:
+      - update
+  - apiGroups:
+    - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions/status
+    verbs:
+      - update
  - apiGroups:
      - '*'
    resources: