jan/openreplay
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updating kyverno

Browse source
This commit is contained in:
rjshrjndrn 2023-05-04 05:34:50 +02:00
parent 66c4f9c481
commit 158299334e
35 changed files with 24099 additions and 9769 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
scripts/helmcharts/toolings/charts/kyverno/Chart.yaml
View file

@ -1,38 +1,16 @@
annotations:
artifacthub.io/changes: |
- kind: added
description: Added possibility to define additional init and sidecar container.
- kind: added
description: Added ability to remove namespaces from default resourceFilters list.
- kind: added
description: Prevent installing Kyverno in namespace kube-system.
- kind: fixed
description: Docs for generatecontrollerExtraResources.
- kind: changed
description: Enable autogen internals by default.
description: Syntax change for webhooksCleanup switch to match with the rest of the file
- kind: fixed
description: Self signed certificates not using SANs.
- kind: added
description: Extra args support for init container.
- kind: added
description: Allow overriding of test security context and resource block.
- kind: added
description: Added possibility to define custom image registries
- kind: added
description: Enable adding optional annotations to configmaps
- kind: added
description: Add startup probes support
- kind: added
description: Support extra CRD annotations
- kind: added
description: Grafana dashboard.
description: Handle multiple extraArgs in init container
artifacthub.io/links: |
- name: Documentation
url: https://kyverno.io/docs
artifacthub.io/operator: "false"
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: v1.8.5
appVersion: v1.9.2
description: Kubernetes Native Policy Management
home: https://kyverno.io/
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
@ -50,4 +28,4 @@ name: kyverno
sources:
- https://github.com/kyverno/kyverno
type: application
version: 2.6.5
version: 2.7.2

67
scripts/helmcharts/toolings/charts/kyverno/README.md
View file

@ -2,7 +2,7 @@
Kubernetes Native Policy Management
![Version: 2.6.5](https://img.shields.io/badge/Version-2.6.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.8.5](https://img.shields.io/badge/AppVersion-v1.8.5-informational?style=flat-square)
![Version: 2.7.2](https://img.shields.io/badge/Version-2.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.2](https://img.shields.io/badge/AppVersion-v1.9.2-informational?style=flat-square)
## About
@ -56,7 +56,7 @@ You can do so by following instructions in these pages of ArgoCD documentation:
ArgoCD uses helm only for templating but applies the results with `kubectl`.
Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kuberrnetes. Using `Replace` overcomes this limitation.
Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kubernetes. Using `Replace` overcomes this limitation.
Another option is to use server side apply, this will be supported in ArgoCD v2.5.
@ -139,7 +139,7 @@ The command removes all the Kubernetes components associated with the chart and
| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
| testImage.registry | string | `nil` | Image registry |
| testImage.repository | string | `"busybox"` | Image repository |
| testImage.tag | string | `nil` | Image tag Defaults to `latest` if omitted |
| testImage.tag | float | `1.35` | Image tag Defaults to `latest` if omitted |
| testImage.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| replicaCount | int | `nil` | Desired number of pods |
| podLabels | object | `{}` | Additional labels to add to each pod |
@ -160,10 +160,11 @@ The command removes all the Kubernetes components associated with the chart and
| dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| envVarsInit | object | `{}` | Env variables for initContainers. |
| envVars | object | `{}` | Env variables for containers. |
| extraArgs | list | `["--autogenInternals=true","--loggingFormat=text"]` | Extra arguments to give to the binary. |
| extraArgs | list | `["--loggingFormat=text","--exceptionNamespace={{ include \"kyverno.namespace\" . }}"]` | Extra arguments to give to the binary. |
| extraInitContainers | list | `[]` | Array of extra init containers |
| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
| imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. |
| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. |
| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
@ -214,6 +215,64 @@ The command removes all the Kubernetes components associated with the chart and
| grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
| cleanupController.enabled | bool | `true` | Enable cleanup controller. |
| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
| cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
| cleanupController.image.registry | string | `nil` | Image registry |
| cleanupController.image.repository | string | `"ghcr.io/kyverno/cleanup-controller"` | Image repository |
| cleanupController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| cleanupController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| cleanupController.image.pullSecrets | list | `[]` | Image pull secrets |
| cleanupController.replicas | int | `nil` | Desired number of pods |
| cleanupController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| cleanupController.priorityClassName | string | `""` | Optional priority class |
| cleanupController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| cleanupController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| cleanupController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line |
| cleanupController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| cleanupController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| cleanupController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| cleanupController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| cleanupController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| cleanupController.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupController.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
| cleanupController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
| cleanupController.podAffinity | object | `{}` | Pod affinity constraints. |
| cleanupController.nodeAffinity | object | `{}` | Node affinity constraints. |
| cleanupController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| cleanupController.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| cleanupController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| cleanupController.service.port | int | `443` | Service port. |
| cleanupController.service.type | string | `"ClusterIP"` | Service type. |
| cleanupController.service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. |
| cleanupController.service.annotations | object | `{}` | Service annotations. |
| cleanupController.metricsService.create | bool | `true` | Create service. |
| cleanupController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
| cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. |
| cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
| cleanupController.metricsService.annotations | object | `{}` | Service annotations. |
| cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
| cleanupController.serviceMonitor.additionalLabels | string | `nil` | Additional labels |
| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
| cleanupController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| cleanupController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| cleanupController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| cleanupController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| cleanupController.tracing.enabled | bool | `false` | Enable tracing |
| cleanupController.tracing.address | string | `nil` | Traces receiver address |
| cleanupController.tracing.port | string | `nil` | Traces receiver port |
| cleanupController.tracing.creds | string | `""` | Traces receiver credentials |
| cleanupController.logging.format | string | `"text"` | Logging format |
| cleanupController.metering.disabled | bool | `false` | Disable metrics export |
| cleanupController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
| cleanupController.metering.port | int | `8000` | Prometheus endpoint port |
| cleanupController.metering.collector | string | `""` | Otel collector endpoint |
| cleanupController.metering.creds | string | `""` | Otel collector credentials |
## TLS Configuration

28
scripts/helmcharts/toolings/charts/kyverno/grafana/dashboard.json
View file

@ -129,7 +129,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_policy_results_total{rule_result=\"fail\"}[24h]))*100/sum(delta(kyverno_policy_results_total{}[24h]))",
"expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\"}[24h]))*100/sum(increase(kyverno_policy_results_total{}[24h]))",
"interval": "",
"legendFormat": "",
"refId": "A"
@ -313,7 +313,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_policy_results_total{rule_result=\"fail\", policy_background_mode=\"true\"}[24h]))*100/sum(delta(kyverno_policy_results_total{policy_background_mode=\"true\"}[24h]))",
"expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", policy_background_mode=\"true\"}[24h]))*100/sum(increase(kyverno_policy_results_total{policy_background_mode=\"true\"}[24h]))",
"interval": "",
"legendFormat": "",
"refId": "A"
@ -572,7 +572,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (rule_result)",
"expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (rule_result)",
"interval": "",
"legendFormat": "{{rule_result}}",
"refId": "A"
@ -678,7 +678,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (rule_result)",
"expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (rule_result)",
"interval": "",
"legendFormat": "{{rule_result}}",
"refId": "A"
@ -785,7 +785,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(sum(delta(kyverno_policy_results_total{rule_result=\"fail\"}[5m])) by (policy_name, policy_type)) by (policy_type)",
"expr": "sum(sum(increase(kyverno_policy_results_total{rule_result=\"fail\"}[5m])) by (policy_name, policy_type)) by (policy_type)",
"interval": "",
"legendFormat": "{{policy_type}}",
"refId": "A"
@ -891,7 +891,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(sum(delta(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (policy_name, rule_result)) by (rule_result)",
"expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (policy_name, rule_result)) by (rule_result)",
"interval": "",
"legendFormat": "{{rule_result}}",
"refId": "A"
@ -997,7 +997,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(sum(delta(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (policy_name, rule_result)) by (rule_result)",
"expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (policy_name, rule_result)) by (rule_result)",
"interval": "",
"legendFormat": "{{rule_result}}",
"refId": "A"
@ -2151,7 +2151,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_admission_requests_total{}[5m]))",
"expr": "sum(increase(kyverno_admission_requests_total{}[5m]))",
"interval": "",
"legendFormat": "",
"refId": "A"
@ -2285,7 +2285,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_policy_changes_total{}[5m])) by (policy_change_type)",
"expr": "sum(increase(kyverno_policy_changes_total{}[5m])) by (policy_change_type)",
"interval": "",
"legendFormat": "Change type: {{policy_change_type}}",
"refId": "A"
@ -2389,7 +2389,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_policy_changes_total{}[5m])) by (policy_type)",
"expr": "sum(increase(kyverno_policy_changes_total{}[5m])) by (policy_type)",
"interval": "",
"legendFormat": "{{policy_type}}",
"refId": "A"
@ -2485,7 +2485,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_policy_changes_total{}[24h]))",
"expr": "sum(increase(kyverno_policy_changes_total{}[24h]))",
"interval": "",
"legendFormat": "",
"refId": "A"
@ -2615,7 +2615,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_admission_requests_total{}[5m])) by (resource_request_operation)",
"expr": "sum(increase(kyverno_admission_requests_total{}[5m])) by (resource_request_operation)",
"interval": "",
"legendFormat": "Resource Operation: {{resource_request_operation}}",
"refId": "A"
@ -2716,7 +2716,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_admission_requests_total{}[5m])) by (resource_kind)",
"expr": "sum(increase(kyverno_admission_requests_total{}[5m])) by (resource_kind)",
"interval": "",
"legendFormat": "Resource Kind: {{resource_kind}}",
"refId": "A"
@ -2813,7 +2813,7 @@
"targets": [
{
"exemplar": true,
"expr": "sum(delta(kyverno_admission_requests_total{}[24h]))",
"expr": "sum(increase(kyverno_admission_requests_total{}[24h]))",
"interval": "",
"legendFormat": "",
"refId": "A"

67
scripts/helmcharts/toolings/charts/kyverno/templates/_helpers.tpl
View file

@ -28,15 +28,51 @@ If release name contains chart name it will be used as a full name.
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Helm labels */}}
{{- define "kyverno.helmLabels" -}}
{{- if not .Values.templating.enabled -}}
helm.sh/chart: {{ template "kyverno.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- end -}}
{{/* Version labels */}}
{{- define "kyverno.versionLabels" -}}
{{- if .Values.templating.enabled -}}
app.kubernetes.io/version: {{ required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" }}
{{- else -}}
app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" }}
{{- end -}}
{{- end -}}
{{/* CRD labels */}}
{{- define "kyverno.crdLabels" -}}
app.kubernetes.io/component: kyverno
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.matchLabels" .) }}
{{ . }}
{{- end }}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.versionLabels" .) }}
{{ . }}
{{- end }}
{{- end -}}
{{/* Helm required labels */}}
{{- define "kyverno.labels" -}}
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ template "kyverno.name" . }}
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.matchLabels" .) }}
{{ . }}
{{- end }}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
app.kubernetes.io/version: "{{ .Chart.Version }}"
helm.sh/chart: {{ template "kyverno.chart" . }}
{{- with (include "kyverno.versionLabels" .) }}
{{ . }}
{{- end }}
{{- if .Values.customLabels }}
{{ toYaml .Values.customLabels }}
{{- end }}
@ -44,19 +80,26 @@ helm.sh/chart: {{ template "kyverno.chart" . }}
{{/* Helm required labels */}}
{{- define "kyverno.test-labels" -}}
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ template "kyverno.name" . }}-test
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
app.kubernetes.io/version: "{{ .Chart.Version }}"
helm.sh/chart: {{ template "kyverno.chart" . }}
app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
{{- end -}}
{{/* matchLabels */}}
{{- define "kyverno.matchLabels" -}}
{{- if .Values.templating.enabled -}}
app: kyverno
{{- end }}
app.kubernetes.io/name: {{ template "kyverno.name" . }}
{{- if not .Values.templating.enabled }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end -}}
{{/* Get the config map name. */}}
@ -93,7 +136,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "podDisruptionBudget.spec" -}}
{{- define "kyverno.podDisruptionBudget.spec" -}}
{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}}
{{- end }}
@ -159,9 +202,3 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- $newWebhook | toJson }}
{{- end }}
{{- define "kyverno.crdAnnotations" -}}
{{- range $key, $value := .Values.crds.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}

28
scripts/helmcharts/toolings/charts/kyverno/templates/aggregateroles.yaml
View file

@ -3,9 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
@ -24,10 +24,10 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-policyreport
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- wgpolicyk8s.io
@ -46,10 +46,10 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-reports
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
@ -70,10 +70,10 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-generaterequest
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
@ -91,10 +91,10 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-updaterequest
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io

67
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/_helpers.tpl Normal file
View file

@ -0,0 +1,67 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.cleanup-controller.name" -}}
{{ template "kyverno.name" . }}-cleanup-controller
{{- end -}}
{{- define "kyverno.cleanup-controller.labels" -}}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.versionLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.cleanup-controller.matchLabels" .) }}
{{ . }}
{{- end }}
{{- end -}}
{{- define "kyverno.cleanup-controller.matchLabels" -}}
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/name: {{ template "kyverno.cleanup-controller.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "kyverno.cleanup-controller.image" -}}
{{- if .image.registry -}}
{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- else -}}
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- end -}}
{{- end -}}
{{- define "kyverno.cleanup-controller.roleName" -}}
{{ .Release.Name }}:cleanup-controller
{{- end -}}
{{/* Create the name of the service account to use */}}
{{- define "kyverno.cleanup-controller.serviceAccountName" -}}
{{- if .Values.cleanupController.rbac.create -}}
{{ default (include "kyverno.cleanup-controller.name" .) .Values.cleanupController.rbac.serviceAccount.name }}
{{- else -}}
{{ required "A service account name is required when `rbac.create` is set to `false`" .Values.cleanupController.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.cleanup-controller.securityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.cleanupController.securityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.cleanupController.securityContext }}
{{- end }}
{{- end }}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "kyverno.cleanup-controller.podDisruptionBudget.spec" -}}
{{- if and .Values.cleanupController.podDisruptionBudget.minAvailable .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.cleanupController.podDisruptionBudget.minAvailable and .Values.cleanupController.podDisruptionBudget.maxUnavailable" -}}
{{- end }}
{{- if not .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.cleanupController.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}

94
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/clusterrole.yaml Normal file
View file

@ -0,0 +1,94 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 8 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" . }}:core
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
resources:
- clustercleanuppolicies
- cleanuppolicies
- clustercleanuppolicies/*
- cleanuppolicies/*
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- with .Values.cleanupController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" $ }}:additional
labels:
{{- include "kyverno.cleanup-controller.labels" $ | nindent 4 }}
rules:
{{- range . }}
- apiGroups:
{{- toYaml .apiGroups | nindent 6 }}
resources:
{{- toYaml .resources | nindent 6 }}
verbs:
- delete
- list
{{- end }}
{{- end }}
{{- end }}
{{- end }}

18
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml Normal file
View file

@ -0,0 +1,18 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.cleanup-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

139
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/deployment.yaml Normal file
View file

@ -0,0 +1,139 @@
{{- if .Values.cleanupController.enabled -}}
{{- if not .Values.templating.debug -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- with .Values.cleanupController.replicas }}
replicas: {{ . }}
{{- end }}
{{- with .Values.cleanupController.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 8 }}
spec:
{{- with .Values.cleanupController.image.pullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.cleanupController.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.cleanupController.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.cleanupController.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.cleanupController.topologySpreadConstraints }}
topologySpreadConstraints:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.cleanupController.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.cleanupController.hostNetwork }}
hostNetwork: {{ . }}
{{- end }}
{{- with .Values.cleanupController.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- if or .Values.cleanupController.antiAffinity.enabled .Values.cleanupController.podAffinity .Values.cleanupController.nodeAffinity }}
affinity:
{{- if .Values.cleanupController.antiAffinity.enabled }}
{{- with .Values.cleanupController.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.cleanupController.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.cleanupController.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
containers:
- name: controller
image: {{ include "kyverno.cleanup-controller.image" (dict "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }}
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --loggingFormat={{ .Values.cleanupController.logging.format }}
{{- if .Values.cleanupController.tracing.enabled }}
- --enableTracing
- --tracingAddress={{ .Values.cleanupController.tracing.address }}
- --tracingPort={{ .Values.cleanupController.tracing.port }}
{{- with .Values.cleanupController.tracing.creds }}
- --tracingCreds={{ . }}
{{- end }}
{{- end }}
- --disableMetrics={{ .Values.cleanupController.metering.disabled }}
{{- if not .Values.cleanupController.metering.disabled }}
- --otelConfig={{ .Values.cleanupController.metering.config }}
- --metricsPort={{ .Values.cleanupController.metering.port }}
{{- with .Values.cleanupController.metering.collector }}
- --otelCollector={{ . }}
{{- end }}
{{- with .Values.cleanupController.metering.creds }}
- --transportCreds={{ . }}
{{- end }}
{{- end }}
{{- range .Values.cleanupController.extraArgs }}
- {{ . }}
{{- end }}
env:
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: {{ template "kyverno.cleanup-controller.name" . }}
{{- with .Values.cleanupController.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if .Values.cleanupController.securityContext }}
securityContext: {{ include "kyverno.cleanup-controller.securityContext" . | nindent 12 }}
{{- end }}
{{- with .Values.cleanupController.startupProbe }}
startupProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupController.livenessProbe }}
livenessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupController.readinessProbe }}
readinessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- end -}}
{{- end -}}

20
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if .Values.cleanupController.enabled -}}
{{- if (gt (int .Values.cleanupController.replicas) 1) -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
apiVersion: policy/v1
{{- else -}}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "kyverno.cleanup-controller.podDisruptionBudget.spec" . | indent 2 }}
selector:
matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}
{{- end -}}
{{- end -}}

40
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/role.yaml Normal file
View file

@ -0,0 +1,40 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end -}}
{{- end -}}

19
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/rolebinding.yaml Normal file
View file

@ -0,0 +1,19 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.rbac.create -}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.cleanup-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

32
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/secret.yaml Normal file
View file

@ -0,0 +1,32 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.createSelfSignedCert -}}
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.cleanup-controller.name" .) (include "kyverno.namespace" .)) -}}
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.key: {{ $ca.Key | b64enc }}
tls.crt: {{ $ca.Cert | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
annotations:
self-signed-cert: "true"
type: kubernetes.io/tls
data:
tls.key: {{ $cert.Key | b64enc }}
tls.crt: {{ $cert.Cert | b64enc }}
{{- end -}}
{{- end -}}

51
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/service.yaml Normal file
View file

@ -0,0 +1,51 @@
{{- if .Values.cleanupController.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
{{- with .Values.cleanupController.service.annotations }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.cleanupController.service.port }}
targetPort: https
protocol: TCP
name: https
{{- if and (eq .Values.cleanupController.service.type "NodePort") (not (empty .Values.cleanupController.service.nodePort)) }}
nodePort: {{ .Values.cleanupController.service.nodePort }}
{{- end }}
selector:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }}
type: {{ .Values.cleanupController.service.type }}
{{- if .Values.cleanupController.metricsService.create }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
{{- with .Values.cleanupController.metricsService.annotations }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.cleanupController.metricsService.port }}
targetPort: 8000
protocol: TCP
name: metrics-port
{{- if and (eq .Values.cleanupController.metricsService.type "NodePort") (not (empty .Values.cleanupController.metricsService.nodePort)) }}
nodePort: {{ .Values.cleanupController.metricsService.nodePort }}
{{- end }}
selector:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }}
type: {{ .Values.cleanupController.metricsService.type }}
{{- end -}}
{{- end -}}

11
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml Normal file
View file

@ -0,0 +1,11 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.rbac.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

34
scripts/helmcharts/toolings/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml Normal file
View file

@ -0,0 +1,34 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.serviceMonitor.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
{{- if .Values.cleanupController.serviceMonitor.namespace }}
namespace: {{ .Values.cleanupController.serviceMonitor.namespace }}
{{- else }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
{{- with .Values.cleanupController.serviceMonitor.additionalLabels }}
{{- toYaml .Values.cleanupController.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "kyverno.namespace" . }}
endpoints:
- port: metrics-port
interval: {{ .Values.cleanupController.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.cleanupController.serviceMonitor.scrapeTimeout }}
{{- if .Values.cleanupController.serviceMonitor.secure }}
scheme: https
tlsConfig:
{{- toYaml .Values.cleanupController.serviceMonitor.tlsConfig | nindent 8 }}
{{- end }}
{{- end -}}
{{- end -}}

80
scripts/helmcharts/toolings/charts/kyverno/templates/clusterrole.yaml
View file

@ -3,8 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
@ -14,26 +14,26 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- "rbac.authorization.k8s.io"
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
@ -60,29 +60,28 @@ rules:
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:view
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- '*'
@ -97,8 +96,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:generate
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- networking.k8s.io
@ -112,7 +111,7 @@ rules:
- patch
- delete
- apiGroups:
- ""
- ''
resources:
- namespaces
- configmaps
@ -136,7 +135,7 @@ rules:
- delete
{{- if .Values.generatecontrollerExtraResources }}
- apiGroups:
- "*"
- '*'
resources:
{{- range .Values.generatecontrollerExtraResources }}
- {{ . }}
@ -151,11 +150,12 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:events
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- "*"
- ''
- events.k8s.io
resources:
- events
verbs:
@ -168,11 +168,11 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- 'admissionregistration.k8s.io'
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
@ -184,5 +184,5 @@ rules:
- patch
- update
- watch
- deletecollection
{{- end }}

4
scripts/helmcharts/toolings/charts/kyverno/templates/clusterrolebinding.yaml
View file

@ -3,8 +3,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole

4
scripts/helmcharts/toolings/charts/kyverno/templates/configmap.yaml
View file

@ -2,8 +2,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- with .Values.config.annotations }}
annotations:
{{- toYaml . | nindent 4 }}

32614
scripts/helmcharts/toolings/charts/kyverno/templates/crds.yaml
View file

File diff suppressed because it is too large Load diff

39
scripts/helmcharts/toolings/charts/kyverno/templates/deployment.yaml
View file

@ -1,22 +1,26 @@
{{- if not .Values.templating.debug -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
replicas: {{ .Values.replicaCount }}
{{- with .Values.replicaCount }}
replicas: {{ . }}
{{- end }}
selector:
matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
strategy:
{{ toYaml .Values.updateStrategy | nindent 4 | trim }}
{{- end }}
template:
metadata:
labels: {{ include "kyverno.labels" . | nindent 8 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 8 }}
{{- range $key, $value := .Values.podLabels }}
{{ $key }}: {{ $value }}
{{- end }}
@ -32,17 +36,19 @@ spec:
{{- end }}
{{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }}
affinity:
{{- if and .Values.antiAffinity.enable .Values.podAntiAffinity }}
{{- if .Values.antiAffinity.enable }}
{{- with .Values.podAntiAffinity }}
podAntiAffinity:
{{- toYaml .Values.podAntiAffinity | nindent 10 }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- if .Values.podAffinity }}
{{- end }}
{{- with .Values.podAffinity }}
podAffinity:
{{- toYaml .Values.podAffinity | nindent 10 }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- if .Values.nodeAffinity }}
{{- with .Values.nodeAffinity }}
nodeAffinity:
{{- toYaml .Values.nodeAffinity | nindent 10 }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
@ -73,7 +79,7 @@ spec:
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
{{- if .Values.initContainer.extraArgs }}
args:
{{ tpl (toYaml .Values.initContainer.extraArgs) . }}
{{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
{{- end }}
{{- with .Values.initResources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
@ -109,8 +115,8 @@ spec:
{{- if .Values.extraArgs -}}
{{ tpl (toYaml .Values.extraArgs) . | nindent 12 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
- --imagePullSecrets={{ keys .Values.imagePullSecrets | join "," }}
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- end }}
{{- with .Values.resources }}
@ -164,4 +170,5 @@ spec:
name: sigstore
volumes:
- name: sigstore
emptyDir: {}
emptyDir: {}
{{- end -}}

0
scripts/helmcharts/toolings/charts/kyverno/templates/grafana.yaml → scripts/helmcharts/toolings/charts/kyverno/templates/grafana/dashboard.yaml
View file

11
scripts/helmcharts/toolings/charts/kyverno/templates/helm-pre-delete-hook.yaml
View file

@ -3,8 +3,8 @@ apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-pre-delete
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
@ -19,11 +19,8 @@ spec:
- sh
- '-c'
- >-
kubectl delete validatingwebhookconfiguration kyverno-policy-validating-webhook-cfg;
kubectl delete validatingwebhookconfiguration kyverno-resource-validating-webhook-cfg;
kubectl delete mutatingwebhookconfiguration kyverno-policy-mutating-webhook-cfg;
kubectl delete mutatingwebhookconfiguration kyverno-resource-mutating-webhook-cfg;
kubectl delete mutatingwebhookconfiguration kyverno-verify-mutating-webhook-cfg;
kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno;
kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno;
restartPolicy: Never
backoffLimit: 2
{{- end }}

4
scripts/helmcharts/toolings/charts/kyverno/templates/imagepullsecret.yaml
View file

@ -3,10 +3,10 @@
apiVersion: v1
kind: Secret
metadata:
labels: {{ include "kyverno.labels" $ | nindent 4 }}
app: kyverno
name: {{ $name }}
namespace: {{ template "kyverno.namespace" $ }}
labels:
{{- include "kyverno.labels" $ | nindent 4 }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }}

4
scripts/helmcharts/toolings/charts/kyverno/templates/metricsconfigmap.yaml
View file

@ -2,8 +2,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- with .Values.config.metricsConfig.annotations }}
annotations:
{{- toYaml . | nindent 4 }}

8
scripts/helmcharts/toolings/charts/kyverno/templates/namespace.yaml Normal file
View file

@ -0,0 +1,8 @@
{{- if .Values.templating.enabled -}}
apiVersion: v1
kind: Namespace
metadata:
labels:
{{- include "kyverno.labels" . | nindent 4 }}
name: {{ template "kyverno.fullname" . }}
{{- end -}}

6
scripts/helmcharts/toolings/charts/kyverno/templates/networkpolicy.yaml
View file

@ -2,14 +2,14 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
name: {{ template "kyverno.fullname" . }}
namespace: {{ template "kyverno.namespace" . }}
spec:
podSelector:
matchLabels:
app: kyverno
{{- include "kyverno.matchLabels" . | nindent 6 }}
policyTypes:
- Ingress
{{- if .Values.networkPolicy.ingressFrom }}

10
scripts/helmcharts/toolings/charts/kyverno/templates/poddisruptionbudget.yaml
View file

@ -7,12 +7,12 @@ apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "podDisruptionBudget.spec" . | indent 2 }}
{{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }}
selector:
matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
app: kyverno
matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
{{- end }}

19
scripts/helmcharts/toolings/charts/kyverno/templates/role.yaml
View file

@ -4,19 +4,19 @@ kind: Role
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
namespace: {{ template "kyverno.namespace" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- coordination.k8s.io
- coordination.k8s.io
resources:
- leases
- leases
verbs:
- create
- delete
- get
- patch
- update
- create
- delete
- get
- patch
- update
# Allow update of Kyverno deployment annotations
- apiGroups:
- apps
@ -28,5 +28,4 @@ rules:
- patch
- update
- watch
{{- end }}

5
scripts/helmcharts/toolings/charts/kyverno/templates/rolebinding.yaml
View file

@ -4,8 +4,8 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
namespace: {{ template "kyverno.namespace" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@ -14,5 +14,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}

10
scripts/helmcharts/toolings/charts/kyverno/templates/secret.yaml
View file

@ -6,8 +6,9 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.key: {{ $ca.Key | b64enc }}
@ -17,8 +18,9 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
annotations:
self-signed-cert: "true"
type: kubernetes.io/tls

18
scripts/helmcharts/toolings/charts/kyverno/templates/service.yaml
View file

@ -2,8 +2,8 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.service.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@ -17,8 +17,8 @@ spec:
{{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
app: kyverno
selector:
{{- include "kyverno.matchLabels" . | nindent 4 }}
type: {{ .Values.service.type }}
---
{{- if .Values.metricsService.create }}
@ -26,8 +26,8 @@ apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}-metrics
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.metricsService.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@ -41,7 +41,7 @@ spec:
{{- if and (eq .Values.metricsService.type "NodePort") (not (empty .Values.metricsService.nodePort)) }}
nodePort: {{ .Values.metricsService.nodePort }}
{{- end }}
selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
app: kyverno
selector:
{{- include "kyverno.matchLabels" . | nindent 4 }}
type: {{ .Values.metricsService.type }}
{{- end -}}
{{- end -}}

4
scripts/helmcharts/toolings/charts/kyverno/templates/serviceaccount.yaml
View file

@ -3,8 +3,8 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.serviceAccountName" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- if .Values.rbac.serviceAccount.annotations }}
annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
{{- end }}

8
scripts/helmcharts/toolings/charts/kyverno/templates/servicemonitor.yaml
View file

@ -2,8 +2,8 @@
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
@ -15,8 +15,8 @@ metadata:
{{- end }}
spec:
selector:
matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
app: kyverno
matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "kyverno.namespace" . }}

275
scripts/helmcharts/toolings/charts/kyverno/values.yaml
View file

@ -1,3 +1,10 @@
# -- Internal settings used with `helm template` to generate install manifest
# @ignored
templating:
enabled: false
debug: false
version:
# -- Override the name of the chart
nameOverride:
@ -67,7 +74,7 @@ testImage:
repository: busybox
# -- Image tag
# Defaults to `latest` if omitted
tag:
tag: 1.35
# -- Image pull policy
# Defaults to image.pullPolicy if omitted
pullPolicy:
@ -128,10 +135,10 @@ podAntiAffinity:
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- kyverno
- key: app.kubernetes.io/name
operator: In
values:
- '{{ template "kyverno.name" . }}'
topologyKey: kubernetes.io/hostname
# -- Pod affinity constraints.
@ -172,8 +179,8 @@ envVars: {}
# -- Extra arguments to give to the binary.
extraArgs:
- --autogenInternals=true
- --loggingFormat=text
- --exceptionNamespace={{ include "kyverno.namespace" . }}
# -- Array of extra init containers
extraInitContainers: []
@ -203,6 +210,15 @@ imagePullSecrets: {}
# username: barbaz
# password: secret2
# -- Existing Image pull secrets for image verify and imageData policies.
# This will define the `--imagePullSecrets` Kyverno argument.
existingImagePullSecrets: []
# Define an existing image pull secret
# existingImagePullSecrets:
# - test-registry
# - other-test-registry
resources:
# -- Pod resource limits
limits:
@ -476,3 +492,250 @@ grafana:
namespace:
# -- Grafana dashboard configmap annotations.
annotations: {}
cleanupController:
# -- Enable cleanup controller.
enabled: true
rbac:
# -- Create RBAC resources
create: true
serviceAccount:
# -- Service account name
name:
clusterRole:
# -- Extra resource permissions to add in the cluster role
extraResources: []
# - apiGroups:
# - ''
# resources:
# - pods
# -- Create self-signed certificates at deployment time.
# The certificates won't be automatically renewed if this is set to `true`.
createSelfSignedCert: false
image:
# -- Image registry
registry:
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/kyverno
# -- Image repository
repository: ghcr.io/kyverno/cleanup-controller # kyverno: replaced in e2e tests
# -- Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: # replaced in e2e tests
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Image pull secrets
pullSecrets: []
# - secretName
# -- (int) Desired number of pods
replicas: ~
# -- Deployment update strategy.
# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
# @default -- See [values.yaml](values.yaml)
updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 40%
type: RollingUpdate
# -- Optional priority class
priorityClassName: ''
# -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS.
# Update the `dnsPolicy` accordingly as well to suit the host network mode.
hostNetwork: false
# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster.
# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`.
# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
dnsPolicy: ClusterFirst
# -- Extra arguments passed to the container on the command line
extraArgs: []
resources:
# -- Pod resource limits
limits:
memory: 128Mi
# -- Pod resource requests
requests:
cpu: 100m
memory: 64Mi
# -- Startup probe.
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# @default -- See [values.yaml](values.yaml)
startupProbe:
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
failureThreshold: 20
initialDelaySeconds: 2
periodSeconds: 6
# -- Liveness probe.
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# @default -- See [values.yaml](values.yaml)
livenessProbe:
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 2
successThreshold: 1
# -- Readiness Probe.
# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# @default -- See [values.yaml](values.yaml)
readinessProbe:
httpGet:
path: /health/readiness
port: 9443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
# -- Node labels for pod assignment
nodeSelector: {}
# -- List of node taints to tolerate
tolerations: []
antiAffinity:
# -- Pod antiAffinities toggle.
# Enabled by default but can be disabled if you want to schedule pods to the same node.
enabled: true
# -- Pod anti affinity constraints.
# @default -- See [values.yaml](values.yaml)
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- cleanup-controller
topologyKey: kubernetes.io/hostname
# -- Pod affinity constraints.
podAffinity: {}
# -- Node affinity constraints.
nodeAffinity: {}
# -- Topology spread constraints.
topologySpreadConstraints: []
# -- Security context for the pod
podSecurityContext: {}
# -- Security context for the containers
securityContext:
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podDisruptionBudget:
# -- Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
minAvailable: 1
# -- Configures the maximum unavailable pods for disruptions.
# Cannot be used if `minAvailable` is set.
maxUnavailable:
service:
# -- Service port.
port: 443
# -- Service type.
type: ClusterIP
# -- Service node port.
# Only used if `service.type` is `NodePort`.
nodePort:
# -- Service annotations.
annotations: {}
metricsService:
# -- Create service.
create: true
# -- Service port.
# Metrics server will be exposed at this port.
port: 8000
# -- Service type.
type: ClusterIP
# -- Service node port.
# Only used if `metricsService.type` is `NodePort`.
nodePort:
# -- Service annotations.
annotations: {}
serviceMonitor:
# -- Create a `ServiceMonitor` to collect Prometheus metrics.
enabled: false
# -- Additional labels
additionalLabels:
# key: value
# -- Override namespace (default is the same as kyverno)
namespace:
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
# -- Is TLS required for endpoint
secure: false
# -- TLS Configuration for endpoint
tlsConfig: {}
tracing:
# -- Enable tracing
enabled: false
# -- Traces receiver address
address:
# -- Traces receiver port
port:
# -- Traces receiver credentials
creds: ''
logging:
# -- Logging format
format: text
metering:
# -- Disable metrics export
disabled: false
# -- Otel configuration, can be `prometheus` or `grpc`
config: prometheus
# -- Prometheus endpoint port
port: 8000
# -- Otel collector endpoint
collector: ''
# -- Otel collector credentials
creds: ''