feat(helm): update chart kyverno ( 3.1.1 → 3.5.2 ) #5141
Open: renovate wants to merge 1 commit into main from renovate/cluster-0-kyverno-3.x (base: main)
Conversation
🦙 MegaLinter status: ❌ ERROR
See detailed report in MegaLinter reports
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-cleanup-jobs
- namespace: kyverno
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
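Review bot: deleting the kyverno-cleanup-jobs ServiceAccount is only safe if nothing outside this chart still runs as it. Its ClusterRole, ClusterRoleBinding and the two kubectl CronJobs that used it are removed further down in this diff, so the chart itself no longer needs it, but any hand-written Job or CronJob in the kyverno namespace with `serviceAccountName: kyverno-cleanup-jobs` will fail to start after this merge.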
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-grafana-grafana
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-grafana-grafana
@@ -6,2884 +6,3447 @@
namespace: kyverno
annotations:
grafana_folder: Kyverno
labels:
grafana_dashboard: '1'
data:
- dashboard.json: |
+ kyverno-dashboard.json: |
{
- "__inputs": [
+ "annotations": {
+ "list": [
{
- "name": "DS_PROMETHEUS_KYVERNO",
- "label": "Prometheus Data Source exposing Kyverno's metrics",
- "description": "Prometheus Data Source exposing Kyverno's metrics",
- "type": "datasource"
+ "builtIn": 1,
+ "datasource": {
+ "type": "datasource",
+ "uid": "grafana"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "target": {
+ "limit": 100,
+ "matchAny": false,
+ "tags": [],
+ "type": "dashboard"
+ },
+ "type": "dashboard"
}
- ],
- "annotations": {
- "list": [
- {
- "builtIn": 1,
- "datasource": "-- Grafana --",
- "enable": true,
- "hide": true,
- "iconColor": "rgba(0, 211, 255, 1)",
- "name": "Annotations & Alerts",
- "target": {
- "limit": 100,
- "matchAny": false,
- "tags": [],
- "type": "dashboard"
- },
- "type": "dashboard"
- }
- ]
+ ]
},
"description": "",
"editable": true,
- "gnetId": null,
+ "fiscalYearStartMonth": 0,
"graphTooltip": 0,
- "id": 2,
- "iteration": 1628375170149,
+ "id": 472,
"links": [],
"panels": [
- {
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "gridPos": {
- "h": 6,
- "w": 24,
- "x": 0,
- "y": 0
- },
- "id": 42,
- "options": {
- "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)",
- "mode": "markdown"
- },
- "pluginVersion": "8.1.0",
- "timeFrom": null,
- "timeShift": null,
- "transparent": true,
- "type": "text"
- },
- {
- "collapsed": false,
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "gridPos": {
- "h": 1,
- "w": 24,
- "x": 0,
- "y": 6
- },
- "id": 12,
- "panels": [],
- "title": "Latest Status",
- "type": "row"
- },
- {
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "max": 100,
- "min": 0,
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "text",
- "value": null
- },
- {
- "value": 0,
- "color": "green"
- },
- {
- "color": "#eab839",
- "value": 25
- },
- {
- "color": "red",
- "value": 50
- },
- {
- "color": "red",
- "value": 100
- }
- ]
- },
- "unit": "percent"
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 42,
+ "options": {
+ "code": {
+ "language": "plaintext",
+ "showLineNumbers": false,
+ "showMiniMap": false
+ },
+ "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)",
+ "mode": "markdown"
+ },
+ "pluginVersion": "11.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "refId": "A"
+ }
+ ],
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "collapsed": false,
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 6
+ },
+ "id": 12,
+ "panels": [],
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "refId": "A"
+ }
+ ],
+ "title": "Latest Status",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "max": 100,
+ "min": 0,
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "text",
+ "value": null
},
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 6,
- "x": 0,
- "y": 7
- },
- "id": 29,
- "options": {
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
+ {
+ "color": "green",
+ "value": 0
+ },
+ {
+ "color": "#eab839",
+ "value": 25
+ },
+ {
+ "color": "red",
+ "value": 50
+ },
+ {
+ "color": "red",
+ "value": 100
+ }
+ ]
+ },
+ "unit": "percent"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 0,
+ "y": 7
+ },
+ "id": 29,
+ "options": {
+ "minVizHeight": 75,
+ "minVizWidth": 75,
+ "orientation": "auto",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showThresholdLabels": false,
+ "showThresholdMarkers": true,
+ "sizing": "auto",
+ "text": {}
+ },
+ "pluginVersion": "11.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "exemplar": true,
+ "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{cluster=~\"$cluster\"}[24h]))",
+ "interval": "",
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "title": "Rule Execution Failure Rate (Last 24 Hours)",
+ "transparent": true,
+ "type": "gauge"
+ },
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
[Diff truncated by flux-local]
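Review bot: the new dashboard drops the `__inputs` block that declared `DS_PROMETHEUS_KYVERNO` yet still references `${DS_PROMETHEUS_KYVERNO}` as a datasource `uid`, and the failure-rate gauge now filters on `cluster=~"$cluster"`; both depend on a `templating` section that falls in the truncated part of this hunk, so render the full ConfigMap (or import it into a test Grafana) and confirm the datasource and `cluster` variables resolve, otherwise every panel will fail to find its datasource. The data key also changes from `dashboard.json` to `kyverno-dashboard.json`, which is fine for a sidecar that loads every key but is a breaking rename for anything that reads the old key by name.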
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
@@ -6,23 +6,23 @@
namespace: kyverno
labels:
app.kubernetes.io/component: config
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/resource-policy: keep
data:
enableDefaultRegistryMutation: 'true'
defaultRegistry: docker.io
generateSuccessEvents: 'false'
excludeGroups: system:nodes
resourceFilters: '[*/*,kyverno,*] [Event,*,*] [*/*,kube-system,*] [*/*,kube-public,*]
[*/*,kube-node-lease,*] [Node,*,*] [Node/*,*,*] [APIService,*,*] [APIService/*,*,*]
[TokenReview,*,*] [SubjectAccessReview,*,*] [SelfSubjectAccessReview,*,*] [Binding,*,*]
- [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [AdmissionReport,*,*] [AdmissionReport/*,*,*]
- [ClusterAdmissionReport,*,*] [ClusterAdmissionReport/*,*,*] [BackgroundScanReport,*,*]
- [BackgroundScanReport/*,*,*] [ClusterBackgroundScanReport,*,*] [ClusterBackgroundScanReport/*,*,*]
+ [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [EphemeralReport,*,*] [ClusterEphemeralReport,*,*]
[ClusterRole,*,kyverno:admission-controller] [ClusterRole,*,kyverno:admission-controller:core]
[ClusterRole,*,kyverno:admission-controller:additional] [ClusterRole,*,kyverno:background-controller]
[ClusterRole,*,kyverno:background-controller:core] [ClusterRole,*,kyverno:background-controller:additional]
[ClusterRole,*,kyverno:cleanup-controller] [ClusterRole,*,kyverno:cleanup-controller:core]
[ClusterRole,*,kyverno:cleanup-controller:additional] [ClusterRole,*,kyverno:reports-controller]
[ClusterRole,*,kyverno:reports-controller:core] [ClusterRole,*,kyverno:reports-controller:additional]
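Review bot: `helm.sh/resource-policy: keep` on the kyverno ConfigMap means Helm leaves it in place on uninstall, so a later reinstall inherits whatever `resourceFilters` and `webhooks` were last written instead of the chart defaults. That is intentional upstream (operator edits survive), but it also means out-of-band edits to the filter list survive a remove-and-reinstall, so treat this ConfigMap as state to audit, not something the chart resets. The filter change itself swaps the four removed report kinds for `EphemeralReport`/`ClusterEphemeralReport`, consistent with the RBAC moves to `reports.kyverno.io` below.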
@@ -59,8 +59,10 @@
[Service,kyverno,kyverno-cleanup-controller] [Service/*,kyverno,kyverno-cleanup-controller]
[Service,kyverno,kyverno-cleanup-controller-metrics] [Service/*,kyverno,kyverno-cleanup-controller-metrics]
[Service,kyverno,kyverno-reports-controller-metrics] [Service/*,kyverno,kyverno-reports-controller-metrics]
[ServiceMonitor,kyverno,kyverno-admission-controller] [ServiceMonitor,kyverno,kyverno-background-controller]
[ServiceMonitor,kyverno,kyverno-cleanup-controller] [ServiceMonitor,kyverno,kyverno-reports-controller]
[Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]'
- webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
+ updateRequestThreshold: '1000'
+ webhooks: '{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}],"matchLabels":null}}'
+ webhookAnnotations: '{"admissions.enforcer/disabled":"true"}'
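Review bot: the rendered `webhooks` value changes shape (a single object instead of a one-element list) and now excludes `kube-system` as well as `kyverno` in the `namespaceSelector`, so no Kyverno policy is evaluated at admission time for kube-system workloads after this upgrade. `resourceFilters` already skipped that namespace (`[*/*,kube-system,*]` above), so the effective coverage change is small, but confirm no Enforce policy was relied on there. `webhookAnnotations` adds `admissions.enforcer/disabled: true`, which stops the AKS admission enforcer from rewriting Kyverno's webhook configuration and is a no-op on other distributions.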
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
@@ -8,9 +8,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
data:
namespaces: '{"exclude":[],"include":[]}'
+ metricsExposure: '{"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]}}'
bucketBoundaries: 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20,
25, 30
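Review bot: `metricsExposure` disables the `resource_namespace` and `policy_namespace` label dimensions on the listed metrics (and `resource_request_operation` on the execution-duration histogram). That is a sensible cardinality cap, but any existing alert rule or dashboard panel that groups `kyverno_policy_results_total` or `kyverno_admission_requests_total` by namespace will silently return nothing after the upgrade, so grep the Prometheus rules for those labels before merging.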
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-admission-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
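Review bot: the second `clusterRoleSelectors` entry keyed on `rbac.kyverno.io/aggregate-to-admission-controller: 'true'` means any ClusterRole carrying that label is merged into the admission controller's permissions by the aggregation controller. That is the documented way to grant Kyverno extra API access, but it also means anyone able to create a labelled ClusterRole can widen this component's privileges, so the label should fall under the same review (or a Kyverno policy) as the core ClusterRoles. The same selector is added for the background, cleanup and reports controllers in the hunks below.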
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
@@ -6,12 +6,18 @@
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
@@ -39,16 +45,29 @@
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
+ - globalcontextentries
+ - globalcontextentries/status
+ - policyexceptions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - reports.kyverno.io
+ resources:
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
- create
- delete
- get
- list
- patch
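Review bot: the admission controller gains create/delete/deletecollection on `policyexceptions` and `globalcontextentries` alongside the existing policy permissions. Write access to `policyexceptions` from the admission pod deserves a note in the threat model: a compromised admission pod could create an exception that exempts resources from any Enforce policy. These are chart defaults rather than something this PR introduces, so the action is to record it, not to block the update.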
@@ -84,14 +103,26 @@
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- - '*'
+ - ''
resources:
- - '*'
+ - configmaps
+ - namespaces
verbs:
- get
- list
- watch
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - update
+ - patch
+ - get
+ - list
+ - watch
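Review bot: replacing the `'*'`/`'*'` get/list/watch rule with a scoped read on `configmaps` and `namespaces` is the most significant least-privilege improvement in this diff: the admission controller can no longer read every resource, Secrets included, cluster-wide. The flip side is that policies using `context.apiCall` lookups against other kinds will start failing with forbidden errors after the upgrade; grant those through an aggregated ClusterRole labelled `rbac.kyverno.io/aggregate-to-admission-controller: 'true'` (see the aggregationRule hunk above) rather than by restoring the wildcard. The new `leases` rule covers leader election.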
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-background-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
@@ -7,19 +7,29 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+- apiGroups:
- kyverno.io
resources:
- policies
+ - policies/status
- clusterpolicies
+ - clusterpolicies/status
- policyexceptions
- updaterequests
- updaterequests/status
+ - globalcontextentries
+ - globalcontextentries/status
verbs:
- create
- delete
- get
- list
- patch
@@ -45,19 +55,25 @@
- get
- list
- patch
- update
- watch
- apiGroups:
- - '*'
+ - reports.kyverno.io
resources:
- - '*'
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
+ - create
+ - delete
- get
- list
+ - patch
+ - update
- watch
+ - deletecollection
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
@@ -77,13 +93,12 @@
- patch
- delete
- apiGroups:
- ''
resources:
- configmaps
- - secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
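Review bot: `secrets` is dropped from the background controller's create/update/patch rule (configmaps, resourcequotas and limitranges remain), so any `generate` rule that produces a Secret, such as a registry credential or TLS material cloned into new namespaces, will fail with a forbidden error after this upgrade. If the cluster has such policies, add the permission back through a ClusterRole labelled `rbac.kyverno.io/aggregate-to-background-controller: 'true'` rather than editing the core role.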
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller:core
@@ -6,12 +6,18 @@
labels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- create
@@ -33,12 +39,26 @@
resources:
- clustercleanuppolicies
- cleanuppolicies
verbs:
- list
- watch
+- apiGroups:
+ - kyverno.io
+ resources:
+ - globalcontextentries
+ - globalcontextentries/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
- apiGroups:
- kyverno.io
resources:
- clustercleanuppolicies/status
- cleanuppolicies/status
verbs:
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno-cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno-cleanup-jobs
@@ -1,20 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno-cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- verbs:
- - list
- - deletecollection
- - delete
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
@@ -8,18 +8,16 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
- apiGroups:
- - kyverno.io
+ - reports.kyverno.io
resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
- create
- delete
- get
- list
- patch
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
@@ -8,17 +8,15 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rbac.authorization.k8s.io/aggregate-to-view: 'true'
rules:
- apiGroups:
- - kyverno.io
+ - reports.kyverno.io
resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
- get
- list
- watch
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-reports-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
@@ -7,26 +7,48 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
- - '*'
+ - apiextensions.k8s.io
resources:
- - '*'
+ - customresourcedefinitions
+ verbs:
+ - get
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - namespaces
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
+ - globalcontextentries
+ - globalcontextentries/status
+ - policyexceptions
+ - policies
+ - clusterpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - reports.kyverno.io
+ resources:
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
- create
- delete
- get
- list
- patch
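Review bot: the reports controller now receives create/delete/patch/update/deletecollection on `policies` and `clusterpolicies`, where the previous rule only needed read access to build reports. This is the broadest grant in the diff relative to the component's job and deserves a question upstream before it is accepted as-is; a compromised reports pod should not be able to delete the cluster's policy set. The `reports.kyverno.io` rule and the scoped `configmaps`/`namespaces` read that replaces the old wildcard are fine.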
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno-cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno-cleanup-jobs
@@ -1,18 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno-cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno-cleanup-jobs
-subjects:
-- kind: ServiceAccount
- name: kyverno-cleanup-jobs
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
@@ -11,16 +11,18 @@
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
- ''
resources:
- secrets
+ - serviceaccounts
verbs:
- get
- list
- watch
+ - patch
- create
- update
- delete
- apiGroups:
- ''
resources:
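Review bot: `serviceaccounts` is added under the same verb list as `secrets`, so the admission controller can now create, patch and delete ServiceAccounts in the kyverno namespace, not just read them. If the controller only needs to resolve ServiceAccount identities, get/list/watch would suffice; worth asking upstream whether the write verbs are actually exercised.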
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
@@ -54,7 +54,15 @@
- delete
- get
- patch
- update
resourceNames:
- kyverno-cleanup-controller
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
@@ -19,12 +19,20 @@
- list
- watch
resourceNames:
- kyverno
- kyverno-metrics
- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
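Review bot: the reports controller gains get/list/watch on every Secret in the kyverno namespace, which includes the admission and cleanup webhook TLS pairs named in the `--tlsSecretName` args below (`kyverno-svc.kyverno.svc.kyverno-tls-pair`). If the intent is only to read registry credentials for image verification, a `resourceNames` restriction like the one used on the ConfigMap rule above (`kyverno`, `kyverno-metrics`) would keep the webhook private key out of reach.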
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
@@ -12,12 +12,13 @@
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
@@ -12,12 +12,13 @@
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
@@ -8,12 +8,13 @@
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
replicas: 3
+ revisionHistoryLimit: 10
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
selector:
@@ -50,13 +51,13 @@
- admission-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-admission-controller
initContainers:
- name: kyverno-pre
- image: ghcr.io/kyverno/kyvernopre:v1.11.1
+ image: ghcr.io/kyverno/kyvernopre:v1.13.4
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
resources:
limits:
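Review bot: the image tags move straight from v1.11.1 to v1.13.4 (the same bump appears for the kyverno, background-controller, cleanup-controller and reports-controller images below), skipping the 1.12 line; check the upstream release notes for both minor versions for required migration steps before merging, particularly around the report CRD change reflected in the rest of this diff. The images are still referenced by mutable tag with no digest, so consider digest pinning or a signature-verification policy for a component that gates every other workload's admission.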
@@ -75,12 +76,14 @@
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:admission-controller
- name: INIT_CONFIG
value: kyverno
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
@@ -93,35 +96,43 @@
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
containers:
- name: kyverno
- image: ghcr.io/kyverno/kyverno:v1.11.1
+ image: ghcr.io/kyverno/kyverno:v1.13.4
imagePullPolicy: IfNotPresent
args:
- --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
+ - --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller
- --servicePort=443
+ - --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
+ - --maxAdmissionReports=1000
- --autoUpdateWebhooks=true
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --generateValidatingAdmissionPolicy=false
+ - --dumpPatches=false
+ - --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- - --enablePolicyException=true
+ - --omitEvents=PolicyApplied,PolicySkipped
+ - --enablePolicyException=false
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
resources:
limits:
memory: 384Mi
requests:
cpu: 100m
memory: 128Mi
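Review bot: two flag changes here alter runtime behaviour, not just versions. `--enablePolicyException` flips from `true` to `false`, so every existing PolicyException resource will be ignored and requests that were previously exempted will be blocked (Enforce) or reported as failures (Audit); if the cluster relies on exceptions, set the chart value that re-enables the feature before merging. `--omitEvents=PolicyApplied,PolicySkipped` suppresses the two most frequent event types, which cuts API-server noise but also removes the positive audit trail that some detection rules key on; confirm nothing alerts on their absence. The same two changes appear in the background-controller and reports-controller deployments below.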
@@ -154,12 +165,14 @@
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
- name: TUF_ROOT
value: /.sigstore
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
@@ -8,12 +8,13 @@
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
replicas: null
+ revisionHistoryLimit: 10
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
selector:
@@ -42,30 +43,34 @@
- background-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-background-controller
containers:
- name: controller
- image: ghcr.io/kyverno/background-controller:v1.11.1
+ image: ghcr.io/kyverno/background-controller:v1.13.4
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
+ - --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- - --enablePolicyException=true
+ - --omitEvents=PolicyApplied,PolicySkipped
+ - --enablePolicyException=false
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-background-controller
- name: KYVERNO_DEPLOYMENT
value: kyverno-background-controller
- name: INIT_CONFIG
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
@@ -8,12 +8,13 @@
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
replicas: null
+ revisionHistoryLimit: 10
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
selector:
@@ -42,32 +43,37 @@
- cleanup-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
- image: ghcr.io/kyverno/cleanup-controller:v1.11.1
+ image: ghcr.io/kyverno/cleanup-controller:v1.13.4
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
- --servicePort=443
+ - --cleanupServerPort=9443
+ - --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableDeferredLoading=true
- --dumpPayload=false
+ - --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
+ - --protectManagedResources=false
- --ttlReconciliationInterval=1m
env:
- name: KYVERNO_DEPLOYMENT
value: kyverno-cleanup-controller
- name: INIT_CONFIG
value: kyverno
@@ -76,12 +82,14 @@
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-cleanup-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:cleanup-controller
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-cleanup-controller
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
@@ -8,12 +8,13 @@
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
replicas: null
+ revisionHistoryLimit: 10
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
selector:
@@ -42,41 +43,44 @@
- reports-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-reports-controller
containers:
- name: controller
- image: ghcr.io/kyverno/reports-controller:v1.11.1
+ image: ghcr.io/kyverno/reports-controller:v1.13.4
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- --validatingAdmissionPolicyReports=false
- --backgroundScan=true
- --backgroundScanWorkers=2
- --backgroundScanInterval=1h
- --skipResourceFilters=true
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
+ - --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- - --enablePolicyException=true
- - --reportsChunkSize=1000
+ - --omitEvents=PolicyApplied,PolicySkipped
+ - --enablePolicyException=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-reports-controller
- name: KYVERNO_DEPLOYMENT
value: kyverno-reports-controller
- name: INIT_CONFIG
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
@@ -1,49 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.26.10
- imagePullPolicy: null
- command:
- - /bin/sh
- - -c
- - |
- COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
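Review bot: removing the kubectl-based cleanup CronJob (and its sibling for cluster-scoped reports below) is a net positive: it ran a third-party `bitnami/kubectl` image with `deletecollection` rights under `kyverno-cleanup-jobs`, and the two jobs had drifted to different image tags (1.26.10 here, 1.26.4 below). Report housekeeping is now the cleanup controller's job, so verify after the upgrade that leftover `admissionreports.kyverno.io` objects from 1.11 are actually garbage-collected rather than orphaned alongside their CRDs.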
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
@@ -1,49 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-cluster-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.26.4
- imagePullPolicy: null
- command:
- - /bin/sh
- - -c
- - |
- COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
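Review bot: the cluster-scoped counterpart goes away here too: pruning of `clusteradmissionreports.kyverno.io` above 10000 objects, every 10 minutes, with no replacement visible anywhere in the diff. Verify that the upgraded controllers manage this report type on their own, since cluster-scoped reports are not cleaned up by namespace deletion.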
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-hook-post-upgrade
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-hook-post-upgrade
@@ -1,52 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-hook-post-upgrade
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: hook-succeeded,hook-failed
-spec:
- backoffLimit: 2
- template:
- spec:
- serviceAccount: kyverno-admission-controller
- restartPolicy: Never
- containers:
- - name: kubectl
- image: bitnami/kubectl:1.28.4
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - "NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')\n\
- \nfor ns in ${NAMESPACES[@]};\ndo\n COUNT=$(kubectl get policyreports.wgpolicyk8s.io\
- \ -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)\n\n if [ $COUNT\
- \ -gt 0 ]; then\n echo \"deleting $COUNT policyreports in namespace $ns\"\
- \n kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true\
- \ | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io\n\
- \ else\n echo \"no policyreports in namespace $ns\"\n fi\ndone\n\n\
- COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true\
- \ | awk '/pol/{print $1}' | wc -l)\n \nif [ $COUNT -gt 0 ]; then\n echo\
- \ \"deleting $COUNT clusterpolicyreports\"\n kubectl get clusterpolicyreports.wgpolicyk8s.io\
- \ --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io\n\
- else\n echo \"no clusterpolicyreports\"\nfi\n"
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-hook-pre-delete
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-hook-pre-delete
@@ -1,45 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-hook-pre-delete
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: pre-delete
- helm.sh/hook-delete-policy: hook-succeeded,hook-failed
-spec:
- backoffLimit: 2
- template:
- spec:
- serviceAccount: kyverno-admission-controller
- restartPolicy: Never
- containers:
- - name: kubectl
- image: bitnami/kubectl:1.26.4
- imagePullPolicy: null
- command:
- - sh
- - -c
- - |-
- kubectl scale -n kyverno deployment -l app.kubernetes.io/part-of=kyverno --replicas=0
- sleep 30
- kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
- kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:admission-controller:view
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: kyverno
+
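Review bot: this binding grants the admission controller's ServiceAccount the built-in `view` ClusterRole cluster-wide, which is read access to most namespaced resource types in every namespace, ConfigMaps included (Secrets are excluded from `view`). That is a real widening of what this identity can read. Confirm the policies in use need it (context lookups against arbitrary resources do) and, if the chart exposes a way to disable this binding, make that an explicit decision rather than accepting the default.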
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:background-controller:view
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: kyverno
+
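Review bot: the background controller's ServiceAccount also receives cluster-wide `view` here, on top of the rules it already had. This controller executes generate and mutateExisting logic, so cross-namespace read access is plausible, but review that the deployed policies actually need read across all namespaces before accepting a blanket binding.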
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:reports-controller:view
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: kyverno
+
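Review bot: the reports controller gets cluster-wide `view` as well. Background scanning cannot report on resources it cannot read, so this is the most defensible of the three new bindings, but it still means this identity can read every ConfigMap in the cluster; keep that in mind where ConfigMaps carry sensitive configuration.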
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-remove-configmap
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: '0'
+
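Review bot: `helm.sh/hook-delete-policy` on this ServiceAccount is `before-hook-creation,hook-succeeded` without `hook-failed`, while the Role, RoleBinding and Job of the same post-delete hook (later in the diff) use `before-hook-creation,hook-succeeded,hook-failed`. A failed hook therefore leaves this ServiceAccount behind after its Role and binding have been removed. Harmless, but inconsistent, and worth raising upstream.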
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-migrate-resources
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-migrate-resources
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ helm.sh/hook-weight: '100'
+
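Review bot: same inconsistency for this ServiceAccount: its delete policy omits `hook-failed`, whereas the `kyverno:migrate-resources` ClusterRole and ClusterRoleBinding that reference it use `before-hook-creation,hook-succeeded,hook-failed`. On a failed migration the account lingers with no bindings; align the policy across the hook's objects.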
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:migrate-resources
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:migrate-resources
@@ -0,0 +1,36 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:migrate-resources
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '100'
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - update
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions/status
+ verbs:
+ - update
+
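Review bot: `resources: ['*']` with `get`, `list` and `update` on the whole `kyverno.io` group is broader than the migration needs. The Job bound to this role passes exactly seven `--resource` names (cleanuppolicies, clustercleanuppolicies, clusterpolicies, globalcontextentries, policies, policyexceptions, updaterequests), so the rule could enumerate those instead of the wildcard. The CRD rules are already tight: `get` on `customresourcedefinitions` and `update` only on `customresourcedefinitions/status`, which is what rewriting `storedVersions` after a storage-version migration requires.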
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:migrate-resources
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:migrate-resources
@@ -0,0 +1,23 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:migrate-resources
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '100'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:migrate-resources
+subjects:
+- kind: ServiceAccount
+ name: kyverno-migrate-resources
+ namespace: kyverno
+
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kyverno:remove-configmap
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '0'
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - list
+ - get
+ - delete
+
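Review bot: the Job bound to this Role deletes a single ConfigMap (`kubectl delete cm -n kyverno kyverno`), so `get` and `delete` could be narrowed with `resourceNames: [kyverno]`. `list` cannot be restricted by `resourceNames` in Kubernetes RBAC; a delete by name does not list, so that verb can be dropped, or kept unrestricted in its own rule if it is wanted for diagnostics.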
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
@@ -0,0 +1,24 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:remove-configmap
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '0'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kyverno:remove-configmap
+subjects:
+- kind: ServiceAccount
+ name: kyverno-remove-configmap
+ namespace: kyverno
+
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
@@ -0,0 +1,45 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-remove-configmap
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '10'
+spec:
+ backoffLimit: 2
+ template:
+ metadata: null
+ spec:
+ serviceAccount: kyverno-remove-configmap
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl:1.30.2
+ imagePullPolicy: null
+ command:
+ - /bin/bash
+ - -c
+ - |-
+ set -euo pipefail
+ kubectl delete cm -n kyverno kyverno
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
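Review bot: with `set -euo pipefail`, `kubectl delete cm -n kyverno kyverno` fails this post-delete hook when the ConfigMap is already gone, and `backoffLimit: 2` then retries a command that cannot succeed; `kubectl delete cm -n kyverno kyverno --ignore-not-found` makes the hook idempotent. Separately, `bitnami/kubectl:1.30.2` is a mutable tag with `imagePullPolicy` left unset; pinning hook images by digest (or mirroring them) is the usual hardening for one-shot jobs that run with cluster credentials.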
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
@@ -0,0 +1,65 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-clean-reports
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+spec:
+ backoffLimit: 2
+ template:
+ metadata: null
+ spec:
+ serviceAccount: kyverno-admission-controller
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl:1.30.2
+ imagePullPolicy: null
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -euo pipefail
+ NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
+
+ for ns in ${NAMESPACES[@]};
+ do
+ COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT policyreports in namespace $ns"
+ kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io
+ else
+ echo "no policyreports in namespace $ns"
+ fi
+ done
+
+ COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT clusterpolicyreports"
+ kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
+ else
+ echo "no clusterpolicyreports"
+ fi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
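Review bot: `awk '/pol/{print $1}'` selects every `kubectl get` line that contains the substring `pol` anywhere in it, not only reports produced by Kyverno, so reports from other producers whose name or printed columns happen to contain `pol` would be deleted as well; matching on an explicit name prefix or a Kyverno-owned label would be safer. This hook also runs under `kyverno-admission-controller` rather than a dedicated hook ServiceAccount like the other new hooks, so the admission controller's identity must retain `delete` on `policyreports` and `clusterpolicyreports` for the hook to work. Minor: `for ns in ${NAMESPACES[@]}` relies on word splitting of a plain string (`NAMESPACES` is not an array); it works, but `for ns in $NAMESPACES` says what it does.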
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
@@ -0,0 +1,55 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-migrate-resources
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '200'
+spec:
+ backoffLimit: 2
+ template:
+ metadata: null
+ spec:
+ serviceAccount: kyverno-migrate-resources
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: ghcr.io/kyverno/kyverno-cli:v1.13.4
+ imagePullPolicy: IfNotPresent
+ args:
+ - migrate
+ - --resource
+ - cleanuppolicies.kyverno.io
+ - --resource
+ - clustercleanuppolicies.kyverno.io
+ - --resource
+ - clusterpolicies.kyverno.io
+ - --resource
+ - globalcontextentries.kyverno.io
+ - --resource
+ - policies.kyverno.io
+ - --resource
+ - policyexceptions.kyverno.io
+ - --resource
+ - updaterequests.kyverno.io
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
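Review bot: `imagePullPolicy: IfNotPresent` combined with a tag-only reference `ghcr.io/kyverno/kyverno-cli:v1.13.4` means a node that already holds an image under that tag reuses it without checking the registry. For a one-shot migration that runs with `update` on every `kyverno.io` resource and on CRD status, a digest reference removes that ambiguity.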
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
@@ -0,0 +1,48 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-scale-to-zero
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '100'
+spec:
+ backoffLimit: 2
+ template:
+ metadata: null
+ spec:
+ serviceAccount: kyverno-admission-controller
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl:1.30.2
+ imagePullPolicy: null
+ command:
+ - /bin/bash
+ - -c
+ - |-
+ set -euo pipefail
+ kubectl scale -n kyverno deployment -l app.kubernetes.io/part-of=kyverno --replicas=0
+ sleep 30
+ kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ |
--- kubernetes/cluster-0/apps/kyverno/kyverno/app Kustomization: flux-system/cluster-apps-kyverno HelmRelease: kyverno/kyverno
+++ kubernetes/cluster-0/apps/kyverno/kyverno/app Kustomization: flux-system/cluster-apps-kyverno HelmRelease: kyverno/kyverno
@@ -13,13 +13,13 @@
chart: kyverno
interval: 30m
sourceRef:
kind: HelmRepository
name: kyverno
namespace: flux-system
- version: 3.1.1
+ version: 3.3.7
interval: 30m
values:
admissionController:
rbac:
clusterRole:
extraResources: |
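Review bot: this hunk bumps `version: 3.1.1` to `3.3.7`, but the PR title and the Renovate table say `3.5.2`; the rendered flux-local diff above therefore comes from an earlier rebase and does not show the manifests that 3.5.2 actually produces. Re-run the diff against the current commit before merging, since the chart moved through several minor versions in between and the hook and RBAC changes reviewed above may differ.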
| datasource | package | from  | to    |
| ---------- | ------- | ----- | ----- |
| helm       | kyverno | 3.1.1 | 3.5.2 |
This PR contains the following updates: 3.1.1 -> 3.5.2
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.