---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kyverno
    # do not remove
    app.kubernetes.io/name: kyverno
  name: kyverno
spec:
  selector:
    matchLabels:
      app: kyverno
      # do not remove
      app.kubernetes.io/name: kyverno
  replicas: 1
  template:
    metadata:
      labels:
        app: kyverno
        # do not remove
        app.kubernetes.io/name: kyverno
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 1
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - kyverno
              topologyKey: "kubernetes.io/hostname"
      serviceAccountName: kyverno-service-account
      securityContext:
        runAsNonRoot: true
      initContainers:
        - name: kyverno-pre
          image: ghcr.io/kyverno/kyvernopre:latest
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: 100m
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 64Mi
          securityContext:
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
          env:
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      containers:
        - name: kyverno
          image: ghcr.io/kyverno/kyverno:latest
          imagePullPolicy: IfNotPresent
          args:
          - "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
          # customize webhook timeout
          #- "--webhookTimeout=4"
          # enable profiling
          # - "--profile"
          # configure the workers for generate controller
          # - --genWorkers=20
          - "-v=2"
          ports:
            - containerPort: 9443
              name: https
              protocol: TCP
            - containerPort: 8000
              name: metrics-port
              protocol: TCP
          env:
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_SVC
              value: kyverno-svc
          securityContext:
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - all
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 384Mi
          livenessProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 2
            successThreshold: 1
          readinessProbe:
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 4
            successThreshold: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 40%
      maxSurge: 1