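---
# Kyverno admission-controller Deployment in the kyverno namespace.
# Hardening applied to both the init container and the main container:
# non-root UID 1000, read-only root filesystem, no privilege escalation,
# all Linux capabilities dropped.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: kyverno
  name: kyverno
  labels:
    app: kyverno
spec:
  selector:
    matchLabels:
      app: kyverno
  replicas: 1
  template:
    metadata:
      labels:
        app: kyverno
    spec:
      serviceAccountName: kyverno-service-account
      securityContext:
        runAsNonRoot: true
      initContainers:
        - name: kyverno-pre
          image: nirmata/kyvernopre:v1.1.9
          imagePullPolicy: Always
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                # Uppercase ALL is the canonical spelling; the restricted
                # Pod Security Standard matches it case-sensitively.
                - ALL
      containers:
        - name: kyverno
          # Pinned to the same release as the init container. The previous
          # ":latest" tag combined with imagePullPolicy: Always made every
          # pod start pull whatever the mutable tag pointed to, so rollouts
          # were not reproducible and an upstream tag move would be picked
          # up silently. NOTE(review): v1.1.9 is taken from the kyvernopre
          # image above — confirm the kyverno image is published at that tag.
          image: nirmata/kyverno:v1.1.9
          imagePullPolicy: Always
          args:
            # Resources the admission webhook ignores, as [kind,namespace,name]
            # triples; "*" is a wildcard.
            - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
            # customize webhook timeout
            # - "--webhooktimeout=4"
            # enable profiling
            # - "--profile"
            - "-v=2"
          ports:
            - containerPort: 9443
              name: https
              protocol: TCP
          env:
            - name: INIT_CONFIG
              value: init-config
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_SVC
              value: kyverno-svc
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            requests:
              memory: "50Mi"
              cpu: "100m"
            # Only a memory limit is set; CPU is left unbounded so the
            # webhook is not throttled under admission bursts.
            limits:
              memory: "128Mi"
          # Both probes talk HTTPS to the webhook port itself, so a
          # broken TLS setup fails the probes rather than going unnoticed.
          livenessProbe:
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 4
            successThreshold: 1
          readinessProbe:
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 4
            successThreshold: 1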