mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
a191fa567d
* added comma seperated flag Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * reason added in logs Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added requested changes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * kuttl test init Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated kuttl tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated behavior Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed flawed behavior Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated test location and added readme Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated step Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * omit events Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
170 lines
No EOL
5.1 KiB
YAML
170 lines
No EOL
5.1 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: kyverno-admission-controller
|
|
namespace: kyverno
|
|
labels:
|
|
app.kubernetes.io/component: admission-controller
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
spec:
|
|
replicas:
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 40%
|
|
type: RollingUpdate
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/component: admission-controller
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: admission-controller
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: latest
|
|
spec:
|
|
dnsPolicy: ClusterFirst
|
|
serviceAccountName: kyverno-admission-controller
|
|
initContainers:
|
|
- name: kyverno-pre
|
|
image: "ghcr.io/kyverno/kyvernopre:latest"
|
|
imagePullPolicy: IfNotPresent
|
|
args:
|
|
- --loggingFormat=text
|
|
- --v=2
|
|
resources:
|
|
limits:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
env:
|
|
- name: METRICS_CONFIG
|
|
value: kyverno-metrics
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: KYVERNO_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: KYVERNO_DEPLOYMENT
|
|
value: kyverno
|
|
containers:
|
|
- name: kyverno
|
|
image: "ghcr.io/kyverno/kyverno:latest"
|
|
imagePullPolicy: IfNotPresent
|
|
args:
|
|
- --omit-events=PolicyViolation
|
|
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
|
|
- --servicePort=443
|
|
- --loggingFormat=text
|
|
- --v=2
|
|
- --disableMetrics=false
|
|
- --otelConfig=prometheus
|
|
- --metricsPort=8000
|
|
- --admissionReports=true
|
|
- --autoUpdateWebhooks=true
|
|
- --enableConfigMapCaching=true
|
|
- --dumpPayload=false
|
|
- --forceFailurePolicyIgnore=false
|
|
- --enablePolicyException=false
|
|
- --exceptionNamespace=
|
|
- --protectManagedResources=false
|
|
- --allowInsecureRegistry=false
|
|
- --registryCredentialHelpers=default,google,amazon,azure,github
|
|
resources:
|
|
limits:
|
|
memory: 384Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
ports:
|
|
- containerPort: 9443
|
|
name: https
|
|
protocol: TCP
|
|
- containerPort: 8000
|
|
name: metrics-port
|
|
protocol: TCP
|
|
env:
|
|
- name: INIT_CONFIG
|
|
value: kyverno
|
|
- name: METRICS_CONFIG
|
|
value: kyverno-metrics
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: KYVERNO_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: KYVERNO_SERVICEACCOUNT_NAME
|
|
value: kyverno-admission-controller
|
|
- name: KYVERNO_SVC
|
|
value: kyverno-svc
|
|
- name: TUF_ROOT
|
|
value: /.sigstore
|
|
- name: KYVERNO_DEPLOYMENT
|
|
value: kyverno-admission-controller
|
|
startupProbe:
|
|
failureThreshold: 20
|
|
httpGet:
|
|
path: /health/liveness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 2
|
|
periodSeconds: 6
|
|
livenessProbe:
|
|
failureThreshold: 2
|
|
httpGet:
|
|
path: /health/liveness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 30
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
readinessProbe:
|
|
failureThreshold: 6
|
|
httpGet:
|
|
path: /health/readiness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
volumeMounts:
|
|
- mountPath: /.sigstore
|
|
name: sigstore
|
|
volumes:
|
|
- name: sigstore
|
|
emptyDir: {} |