mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/config/manifest/deployment.yaml
Jim Bugwadia 9834feea74
update image pull policy for YAML install which uses :latest (#3565) 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-04-07 21:31:14 +00:00

144 lines
4.2 KiB
YAML
Executable file
Raw Blame History

---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
name: kyverno
spec:
selector:
matchLabels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
spec:
volumes:
- name: sigstore
emptyDir: {}
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- kyverno
topologyKey: "kubernetes.io/hostname"
serviceAccountName: kyverno-service-account
securityContext:
runAsNonRoot: true
initContainers:
- name: kyverno-pre
image: ghcr.io/kyverno/kyvernopre:latest
imagePullPolicy: Always
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
env:
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
containers:
- name: kyverno
image: ghcr.io/kyverno/kyverno:latest
imagePullPolicy: Always
args:
- "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,kyverno*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
# customize webhook timeout
#- "--webhookTimeout=4"
# enable profiling
# - "--profile"
# configure the workers for generate controller
# - --genWorkers=20
- "-v=2"
- --autogenInternals=false
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
env:
- name: INIT_CONFIG
value: kyverno
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
- name: TUF_ROOT
value: /.sigstore
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
requests:
memory: 128Mi
cpu: 100m
limits:
memory: 384Mi
livenessProbe:
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 2
successThreshold: 1
readinessProbe:
httpGet:
path: /health/readiness
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 4
successThreshold: 1
# Failing to provide a writable $TUF_ROOT can cause TUF client initialization to panic
volumeMounts:
- mountPath: /.sigstore
name: sigstore
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 40%
maxSurge: 1
View git blame Copy permalink