apiVersion: apps/v1 kind: Deployment metadata: name: kyverno-admission-controller namespace: kyverno labels: app.kubernetes.io/component: admission-controller app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: latest spec: replicas: strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 40% type: RollingUpdate selector: matchLabels: app.kubernetes.io/component: admission-controller app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno template: metadata: labels: app.kubernetes.io/component: admission-controller app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno app.kubernetes.io/version: latest spec: dnsPolicy: ClusterFirst serviceAccountName: kyverno-admission-controller initContainers: - name: kyverno-pre image: "ghcr.io/kyverno/kyvernopre:latest" imagePullPolicy: IfNotPresent args: - --loggingFormat=text - --v=2 resources: limits: cpu: 100m memory: 256Mi requests: cpu: 10m memory: 64Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault env: - name: METRICS_CONFIG value: kyverno-metrics - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KYVERNO_DEPLOYMENT value: kyverno containers: - name: kyverno image: "ghcr.io/kyverno/kyverno:latest" imagePullPolicy: IfNotPresent args: - --omit-events=PolicyViolation - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller - --servicePort=443 - --loggingFormat=text - --v=2 - --disableMetrics=false - --otelConfig=prometheus - --metricsPort=8000 - --admissionReports=true - --autoUpdateWebhooks=true - --enableConfigMapCaching=true - --dumpPayload=false - --forceFailurePolicyIgnore=false - --enablePolicyException=false - --exceptionNamespace= - --protectManagedResources=false - --allowInsecureRegistry=false - --registryCredentialHelpers=default,google,amazon,azure,github resources: limits: memory: 384Mi requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault ports: - containerPort: 9443 name: https protocol: TCP - containerPort: 8000 name: metrics-port protocol: TCP env: - name: INIT_CONFIG value: kyverno - name: METRICS_CONFIG value: kyverno-metrics - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: KYVERNO_SERVICEACCOUNT_NAME value: kyverno-admission-controller - name: KYVERNO_SVC value: kyverno-svc - name: TUF_ROOT value: /.sigstore - name: KYVERNO_DEPLOYMENT value: kyverno-admission-controller startupProbe: failureThreshold: 20 httpGet: path: /health/liveness port: 9443 scheme: HTTPS initialDelaySeconds: 2 periodSeconds: 6 livenessProbe: failureThreshold: 2 httpGet: path: /health/liveness port: 9443 scheme: HTTPS initialDelaySeconds: 15 periodSeconds: 30 successThreshold: 1 timeoutSeconds: 5 readinessProbe: failureThreshold: 6 httpGet: path: /health/readiness port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 volumeMounts: - mountPath: /.sigstore name: sigstore volumes: - name: sigstore emptyDir: {}