mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/definitions/manifest/deployment.yaml
James Callahan 95786f5033
Cleanup kustomizations (#2274) 
- Remove dead newName specification
  - Un-hardcode namespace from resources
  - Create 'bundle' kustomization that keeps namespace hardcoding
    This should be used (as a base) to generate static manifests
  - Turn 'release' directory into kustomization that is only place with version numbers

Signed-off-by: James Callahan <jamescallahan@bitgo.com>
2021-09-01 18:53:28 -07:00

113 lines
3.2 KiB
YAML
Executable file
Raw Blame History

---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
name: kyverno
spec:
selector:
matchLabels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
spec:
serviceAccountName: kyverno-service-account
securityContext:
runAsNonRoot: true
initContainers:
- name: kyverno-pre
image: ghcr.io/kyverno/kyvernopre:latest
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
containers:
- name: kyverno
image: ghcr.io/kyverno/kyverno:latest
imagePullPolicy: IfNotPresent
args:
- "--filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"
# customize webhook timeout
#- "--webhooktimeout=4"
# enable profiling
# - "--profile"
# configure the workers for generate controller
# - --gen-workers=20
- "-v=2"
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
env:
- name: INIT_CONFIG
value: init-config
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- all
resources:
requests:
memory: "50Mi"
cpu: "100m"
limits:
memory: "256Mi"
livenessProbe:
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 2
successThreshold: 1
readinessProbe:
httpGet:
path: /health/readiness
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 4
successThreshold: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 40%
maxSurge: 1
View git blame Copy permalink