Updating kyverno

rjshrjndrn 2023-06-09 18:13:40 +02:00
parent 5ad1dd58f1
commit 4180780b13
100 changed files with 8535 additions and 2313 deletions


@ -1,16 +1,14 @@
annotations:
artifacthub.io/changes: |
- kind: changed
description: Syntax change for webhooksCleanup switch to match with the rest of the file
- kind: fixed
description: Handle multiple extraArgs in init container
description: incorrect config map names
artifacthub.io/links: |
- name: Documentation
url: https://kyverno.io/docs
artifacthub.io/operator: "false"
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: v1.9.2
appVersion: v1.10.0
description: Kubernetes Native Policy Management
home: https://kyverno.io/
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
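Review bot: the `- kind: fixed` item at the end of the `artifacthub.io/changes` block shows two `description:` lines (`Handle multiple extraArgs in init container` and `incorrect config map names`); if both survive in the new file that is a repeated key inside one YAML mapping, which strict parsers reject and lenient ones silently collapse to the last value, so the second fix needs its own `- kind: fixed` entry. The annotation also lists only small fixes while this hunk moves `appVersion` from `v1.9.2` to `v1.10.0` and the next one moves the chart to `3.0.1`; a `kind: changed` entry pointing at the v2 to v3 breaking changes documented in the README would be expected so Artifact Hub readers are warned before upgrading.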
@ -28,4 +26,4 @@ name: kyverno
sources:
- https://github.com/kyverno/kyverno
type: application
version: 2.7.2
version: 3.0.1
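Review bot: the jump from `version: 2.7.2` to `3.0.1` is a major bump that the README in this same commit says cannot be applied with a plain `helm upgrade` (the reworked labels and selectors are immutable, so the upgrade is rejected), which means any pipeline running `helm upgrade --install` against the existing release will fail; the commit message should state which migration path this deployment takes, uninstall and reinstall or scale to zero with `upgrade.fromV2=true`, since both involve downtime and one of them loses admission-only Policy Reports.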


@ -2,7 +2,7 @@
Kubernetes Native Policy Management
![Version: 2.7.2](https://img.shields.io/badge/Version-2.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.9.2](https://img.shields.io/badge/AppVersion-v1.9.2-informational?style=flat-square)
![Version: 3.0.1](https://img.shields.io/badge/Version-3.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.10.0](https://img.shields.io/badge/AppVersion-v1.10.0-informational?style=flat-square)
## About
@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io.
## Installing the Chart
**IMPORTANT IMPORTANT IMPORTANT IMPORTANT**
This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section.
**Add the Kyverno Helm repository:**
```console
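Review bot: the new warning refers readers to the `Migrating from v2 to v3` section as code-formatted text rather than a link; use `[Migrating from v2 to v3](#migrating-from-v2-to-v3)` as the migration section itself does with `[New Chart Values](#new-chart-values)`, and write `please read the Migrating from v2 to v3 section` with the article. The quadruple `IMPORTANT` line is louder than the rest of the README; a single bold `IMPORTANT:` prefix carries the same weight.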
@ -105,6 +109,125 @@ spec:
- Replace=true
```
## Migrating from v2 to v3
Direct upgrades from v2 of the Helm chart to v3 are not supported due to the number of breaking changes and manual intervention is required. Review and select an option after carefully reading below. Because either method requires down time, an upgrade should only be performed during a maintenance window. Regardless of the chosen option, please read all release notes very carefully to understand the full extent of changes brought by Kyverno 1.10. Release notes can be found at https://github.com/kyverno/kyverno/releases.
### Option 1 - Uninstallation and Reinstallation
The first option for upgrading, which is the recommended option, involves backing up Kyverno policy resources, uninstalling Kyverno, and reinstalling with v3 of the chart. Policy Reports for policies which have background mode enabled will be regenerated upon the next scan interval.
**Pros**
* Reduced complexity with minimal effort
* Allows re-checking older policies against new validation webhooks in 1.10
**Cons**
* Policy Reports which contained results only from admission mode and from policies/rules where background scans were disabled will be lost.
Follow the procedure below.
1. READ THE COMPLETE RELEASE NOTES FIRST
2. Backup and export all Kyverno policy resources to a YAML manifest. Use the command `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A > kyvernobackup.yaml`.
3. Uninstall your current version of Kyverno.
4. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format.
5. Install the v3 chart with Kyverno 1.10.
6. Restore your Kyverno policies. Use the command `kubectl create -f kyvernobackup.yaml`.
### Option 2 - Scale to Zero
In the second option, Kyverno policies do not have to be backed up however you perform more manual work in order to prepare for the upgrade to chart v3.
**Pros**
* Policy Reports which contained results from admission mode will be preserved
* Kyverno policies do not need to be backed up first
**Cons**
* More manual effort is required
* Older policies will not be revalidated for correctness according to the breaking schema changes. Some policies may not work as they did before.
Follow the procedure below.
1. READ THE COMPLETE RELEASE NOTES FIRST
2. Scale the `kyverno` Deployment to zero replicas.
3. If coming from 1.9 and you have install the cleanup controller, scale the `kyverno-cleanup-controller` Deployment to zero replicas.
4. If step 3 applied to you, now delete the cleanup Deployment.
5. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format.
6. Upgrade to the v3 chart by passing the mandatory flag `upgrade.fromV2=true`.
### New Chart Values
In `v3` chart values changed significantly, please read the instructions below to migrate your values:
- `config.metricsConfig` is now `metricsConfig`
- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces`
- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace`
- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__
- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__
- `namespace` has been renamed `namespaceOverride`
- `installCRDs` has been replaced with `crds.install`
- `testImage` has been replaced with `test.image`
- `testResources` has been replaced with `test.resources`
- `testSecurityContext` has been replaced with `test.securityContext`
- `replicaCount` has been replaced with `admissionController.replicas`
- `updateStrategy` has been replaced with `admissionController.updateStrategy`
- `priorityClassName` has been replaced with `admissionController.priorityClassName`
- `hostNetwork` has been replaced with `admissionController.hostNetwork`
- `dnsPolicy` has been replaced with `admissionController.dnsPolicy`
- `nodeSelector` has been replaced with `admissionController.nodeSelector`
- `tolerations` has been replaced with `admissionController.tolerations`
- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints`
- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget`
- `antiAffinity` has been replaced with `admissionController.antiAffinity`
- `antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled`
- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity`
- `podAffinity` has been replaced with `admissionController.podAffinity`
- `nodeAffinity` has been replaced with `admissionController.nodeAffinity`
- `startupProbe` has been replaced with `admissionController.startupProbe`
- `livenessProbe` has been replaced with `admissionController.livenessProbe`
- `readinessProbe` has been replaced with `admissionController.readinessProbe`
- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert`
- `serviceMonitor` has been replaced with `admissionController.serviceMonitor`
- `podSecurityContext` has been replaced with `admissionController.podSecurityContext`
- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath`
- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume`
- `initImage` has been replaced with `admissionController.initContainer.image`
- `initResources` has been replaced with `admissionController.initContainer.resources`
- `image` has been replaced with `admissionController.container.image`
- `image.pullSecrets` has been replaced with `admissionController.imagePullSecrets`
- `resources` has been replaced with `admissionController.container.resources`
- `service` has been replaced with `admissionController.service`
- `metricsService` has been replaced with `admissionController.metricsService`
- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs`
- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars`
- `envVars` has been replaced with `admissionController.container.extraEnvVars`
- `extraArgs` has been replaced with `admissionController.container.extraArgs`
- `extraInitContainers` has been replaced with `admissionController.extraInitContainers`
- `extraContainers` has been replaced with `admissionController.extraContainers`
- `podLabels` has been replaced with `admissionController.podLabels`
- `podAnnotations` has been replaced with `admissionController.podAnnotations`
- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext`
- `rbac` has been replaced with `admissionController.rbac`
- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources`
- `networkPolicy` has been replaced with `admissionController.networkPolicy`
- all `extraArgs` now use objects instead of arrays
- logging, tracing and metering are now configured using `*Controller.logging`, `*Controller.tracing` and `*Controller.metering`
- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value.
- Image references are now using the `registry` setting, if you override the registry or repository fields please use `registry` (`--set image.registry=ghcr.io --set image.repository=kyverno/kyverno` instead of `--set image.repository=ghcr.io/kyverno/kyverno`).
- Admission controller `Deployment` name changed from `kyverno` to `kyverno-admission-controller`.
- `config.excludeUsername` was renamed to `config.excludeUsernames`
- `config.excludeGroupRole` was renamed to `config.excludeGroups`
Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions.
## Uninstalling the Chart
To uninstall/delete the `kyverno` deployment:
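Review bot: the backup command in Option 1 step 2, `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A > kyvernobackup.yaml`, is missing `-o yaml`, so the file will contain kubectl's table output rather than manifests and the restore in step 6 (`kubectl create -f kyvernobackup.yaml`) will fail outright. Even with `-o yaml`, the exported objects carry server-populated `metadata.resourceVersion`, `uid` and `managedFields` plus `status`, and `kubectl create` refuses objects with `resourceVersion` set, so the procedure should tell readers to strip those fields before restoring; since this backup is the only copy of admission-mode policy state once Kyverno is uninstalled, a dry run of the restore (`kubectl create -f kyvernobackup.yaml --dry-run=server`) before step 3 would catch a bad export while the policies are still live. Smaller point: Option 2 step 3 reads `you have install the cleanup controller` and should be `installed`.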
@ -117,120 +240,234 @@ The command removes all the Kubernetes components associated with the chart and
## Values
The chart values are organised per component.
### Custom resource definitions
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| nameOverride | string | `nil` | Override the name of the chart |
| fullnameOverride | string | `nil` | Override the expanded name of the chart |
| namespace | string | `nil` | Namespace the chart deploys to |
| customLabels | object | `{}` | Additional labels |
| rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount |
| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
| rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
| rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| image.registry | string | `nil` | Image registry |
| image.repository | string | `"ghcr.io/kyverno/kyverno"` | Image repository |
| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.pullSecrets | list | `[]` | Image pull secrets |
| initImage.registry | string | `nil` | Image registry |
| initImage.repository | string | `"ghcr.io/kyverno/kyvernopre"` | Image repository |
| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag |
| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy |
| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
| testImage.registry | string | `nil` | Image registry |
| testImage.repository | string | `"busybox"` | Image repository |
| testImage.tag | float | `1.35` | Image tag Defaults to `latest` if omitted |
| testImage.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| replicaCount | int | `nil` | Desired number of pods |
| podLabels | object | `{}` | Additional labels to add to each pod |
| podAnnotations | object | `{}` | Additional annotations to add to each pod |
| podSecurityContext | object | `{}` | Security context for the pod |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| testSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
| priorityClassName | string | `""` | Optional priority class to be used for kyverno pods |
| antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
| podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
| podAffinity | object | `{}` | Pod affinity constraints. |
| nodeAffinity | object | `{}` | Node affinity constraints. |
| podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyverno disruptions. Cannot be used if `maxUnavailable` is set. |
| podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if `minAvailable` is set. |
| nodeSelector | object | `{}` | Node labels for pod assignment |
| tolerations | list | `[]` | List of node taints to tolerate |
| hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| envVarsInit | object | `{}` | Env variables for initContainers. |
| envVars | object | `{}` | Env variables for containers. |
| extraArgs | list | `["--loggingFormat=text","--exceptionNamespace={{ include \"kyverno.namespace\" . }}"]` | Extra arguments to give to the binary. |
| extraInitContainers | list | `[]` | Array of extra init containers |
| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
| imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. |
| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. |
| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| testResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| testResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) |
| config.annotations | object | `{}` | Additional annotations to add to the configmap |
| config.excludeGroupRole | string | `nil` | Exclude group role |
| config.excludeUsername | string | `nil` | Exclude username |
| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.annotations | object | `{}` | Additional CRDs annotations |
### Config
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| config.create | bool | `true` | Create the configmap. |
| config.name | string | `nil` | The configmap name (required if `create` is `false`). |
| config.annotations | object | `{}` | Additional annotations to add to the configmap. |
| config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. |
| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. |
| config.excludeGroups | list | `["system:nodes"]` | Exclude groups |
| config.excludeUsernames | list | `[]` | Exclude usernames |
| config.excludeRoles | list | `[]` | Exclude roles |
| config.excludeClusterRoles | list | `[]` | Exclude roles |
| config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap |
| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| service.port | int | `443` | Service port. |
| service.type | string | `"ClusterIP"` | Service type. |
| service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. |
| service.annotations | object | `{}` | Service annotations. |
| topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| metricsService.create | bool | `true` | Create service. |
| metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. |
| metricsService.type | string | `"ClusterIP"` | Service type. |
| metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
| metricsService.annotations | object | `{}` | Service annotations. |
| serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
| serviceMonitor.additionalLabels | string | `nil` | Additional labels |
| serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
| crds.annotations | object | `{}` | Additional CRDs annotations. |
| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
| grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.webhooks | list | `[]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.webhookAnnotations | object | `{}` | Defines annotations to set on webhook configurations. |
| config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
| config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
### Metrics config
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| metricsConfig.create | bool | `true` | Create the configmap. |
| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). |
| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. |
| metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. |
| metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. |
| metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics |
### Features
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| features.admissionReports.enabled | bool | `true` | Enables the feature |
| features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature |
| features.backgroundScan.enabled | bool | `true` | Enables the feature |
| features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers |
| features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval |
| features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan |
| features.configMapCaching.enabled | bool | `true` | Enables the feature |
| features.dumpPayload.enabled | bool | `false` | Enables the feature |
| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
| features.logging.format | string | `"text"` | Logging format |
| features.logging.verbosity | int | `2` | Logging verbosity |
| features.omitEvents.eventTypes | list | `[]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
| features.policyExceptions.enabled | bool | `false` | Enables the feature |
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
| features.reports.chunkSize | int | `1000` | Reports chunk size |
### Admission controller
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| admissionController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| admissionController.rbac.create | bool | `true` | Create RBAC resources |
| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
| admissionController.replicas | int | `nil` | Desired number of pods |
| admissionController.podLabels | object | `{}` | Additional labels to add to each pod |
| admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| admissionController.priorityClassName | string | `""` | Optional priority class |
| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| admissionController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| admissionController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| admissionController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| admissionController.nodeSelector | object | `{}` | Node labels for pod assignment |
| admissionController.tolerations | list | `[]` | List of node taints to tolerate |
| admissionController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
| admissionController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
| admissionController.podAffinity | object | `{}` | Pod affinity constraints. |
| admissionController.nodeAffinity | object | `{}` | Node affinity constraints. |
| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| admissionController.podSecurityContext | object | `{}` | Security context for the pod |
| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
| admissionController.imagePullSecrets | list | `[]` | Image pull secrets |
| admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry |
| admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository |
| admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag |
| admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy |
| admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context |
| admissionController.initContainer.extraArgs | object | `{}` | Additional container args. |
| admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. |
| admissionController.container.image.registry | string | `"ghcr.io"` | Image registry |
| admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository |
| admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
| admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
| admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context |
| admissionController.container.extraArgs | object | `{}` | Additional container args. |
| admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. |
| admissionController.extraInitContainers | list | `[]` | Array of extra init containers |
| admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
| admissionController.service.port | int | `443` | Service port. |
| admissionController.service.type | string | `"ClusterIP"` | Service type. |
| admissionController.service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
| admissionController.service.annotations | object | `{}` | Service annotations. |
| admissionController.metricsService.create | bool | `true` | Create service. |
| admissionController.metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. |
| admissionController.metricsService.type | string | `"ClusterIP"` | Service type. |
| admissionController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
| admissionController.metricsService.annotations | object | `{}` | Service annotations. |
| admissionController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| admissionController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| admissionController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
| admissionController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| admissionController.serviceMonitor.namespace | string | `nil` | Override namespace |
| admissionController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| admissionController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| admissionController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| admissionController.tracing.enabled | bool | `false` | Enable tracing |
| admissionController.tracing.address | string | `nil` | Traces receiver address |
| admissionController.tracing.port | string | `nil` | Traces receiver port |
| admissionController.tracing.creds | string | `""` | Traces receiver credentials |
| admissionController.metering.disabled | bool | `false` | Disable metrics export |
| admissionController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
| admissionController.metering.port | int | `8000` | Prometheus endpoint port |
| admissionController.metering.collector | string | `""` | Otel collector endpoint |
| admissionController.metering.creds | string | `""` | Otel collector credentials |
### Background controller
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| backgroundController.enabled | bool | `true` | Enable background controller. |
| backgroundController.rbac.create | bool | `true` | Create RBAC resources |
| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name |
| backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| backgroundController.image.registry | string | `"ghcr.io"` | Image registry |
| backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository |
| backgroundController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| backgroundController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| backgroundController.imagePullSecrets | list | `[]` | Image pull secrets |
| backgroundController.replicas | int | `nil` | Desired number of pods |
| backgroundController.podLabels | object | `{}` | Additional labels to add to each pod |
| backgroundController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| backgroundController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| backgroundController.priorityClassName | string | `""` | Optional priority class |
| backgroundController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| backgroundController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| backgroundController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line |
| backgroundController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| backgroundController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| backgroundController.nodeSelector | object | `{}` | Node labels for pod assignment |
| backgroundController.tolerations | list | `[]` | List of node taints to tolerate |
| backgroundController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
| backgroundController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
| backgroundController.podAffinity | object | `{}` | Pod affinity constraints. |
| backgroundController.nodeAffinity | object | `{}` | Node affinity constraints. |
| backgroundController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| backgroundController.podSecurityContext | object | `{}` | Security context for the pod |
| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| backgroundController.metricsService.create | bool | `true` | Create service. |
| backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
| backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. |
| backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
| backgroundController.metricsService.annotations | object | `{}` | Service annotations. |
| backgroundController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| backgroundController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
| backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace |
| backgroundController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| backgroundController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| backgroundController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| backgroundController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| backgroundController.tracing.enabled | bool | `false` | Enable tracing |
| backgroundController.tracing.address | string | `nil` | Traces receiver address |
| backgroundController.tracing.port | string | `nil` | Traces receiver port |
| backgroundController.tracing.creds | string | `""` | Traces receiver credentials |
| backgroundController.metering.disabled | bool | `false` | Disable metrics export |
| backgroundController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
| backgroundController.metering.port | int | `8000` | Prometheus endpoint port |
| backgroundController.metering.collector | string | `""` | Otel collector endpoint |
| backgroundController.metering.creds | string | `""` | Otel collector credentials |
### Cleanup controller
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cleanupController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| cleanupController.enabled | bool | `true` | Enable cleanup controller. |
| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
| cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
| cleanupController.image.registry | string | `nil` | Image registry |
| cleanupController.image.repository | string | `"ghcr.io/kyverno/cleanup-controller"` | Image repository |
| cleanupController.image.registry | string | `"ghcr.io"` | Image registry |
| cleanupController.image.repository | string | `"kyverno/cleanup-controller"` | Image repository |
| cleanupController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| cleanupController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| cleanupController.image.pullSecrets | list | `[]` | Image pull secrets |
| cleanupController.imagePullSecrets | list | `[]` | Image pull secrets |
| cleanupController.replicas | int | `nil` | Desired number of pods |
| cleanupController.podLabels | object | `{}` | Additional labels to add to each pod |
| cleanupController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| cleanupController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| cleanupController.priorityClassName | string | `""` | Optional priority class |
| cleanupController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| cleanupController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| cleanupController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line |
| cleanupController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line |
| cleanupController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| cleanupController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| cleanupController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
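Review bot: three cleanup-controller changes in this hunk break existing values files and should be listed in the `Migrating from v2 to v3` section: `cleanupController.image.pullSecrets` is renamed to `cleanupController.imagePullSecrets`, `cleanupController.extraArgs` changes type from `list` to `object`, and the image default is split from repository `ghcr.io/kyverno/cleanup-controller` (registry `nil`) into registry `ghcr.io` plus repository `kyverno/cleanup-controller`, so a user who overrode only the repository to point at a mirror now gets it prefixed with `ghcr.io`. Two description nits repeated across the controller sections: `When true, use a NetworkPolicy to allow ingress to the webhook This is useful...` is missing a period before `This`, and the `backgroundController.networkPolicy.enabled` row talks about `the webhook` although that section defines only a `metricsService` and no `service`, so the text reads as copied from the admission controller and should say what the policy actually admits.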
@ -256,9 +493,11 @@ The command removes all the Kubernetes components associated with the chart and
| cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. |
| cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
| cleanupController.metricsService.annotations | object | `{}` | Service annotations. |
| cleanupController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| cleanupController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
| cleanupController.serviceMonitor.additionalLabels | string | `nil` | Additional labels |
| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
| cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace |
| cleanupController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| cleanupController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| cleanupController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
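Review bot: the `cleanupController.serviceMonitor.additionalLabels` type change from `string` (`nil`) to `object` (`{}`) will break a values file that set it as a string once the labels are rendered, so it belongs in the migration notes alongside the other renames. Two consistency points: the `metricsService.nodePort` row here says `Only used if `metricsService.type` is `NodePort`` while the admission and reports controller rows say `type`, and the new `networkPolicy.enabled` description is missing a period between `webhook` and `This`.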
@ -267,18 +506,151 @@ The command removes all the Kubernetes components associated with the chart and
| cleanupController.tracing.address | string | `nil` | Traces receiver address |
| cleanupController.tracing.port | string | `nil` | Traces receiver port |
| cleanupController.tracing.creds | string | `""` | Traces receiver credentials |
| cleanupController.logging.format | string | `"text"` | Logging format |
| cleanupController.metering.disabled | bool | `false` | Disable metrics export |
| cleanupController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
| cleanupController.metering.port | int | `8000` | Prometheus endpoint port |
| cleanupController.metering.collector | string | `""` | Otel collector endpoint |
| cleanupController.metering.creds | string | `""` | Otel collector credentials |
### Reports controller
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level |
| reportsController.enabled | bool | `true` | Enable reports controller. |
| reportsController.rbac.create | bool | `true` | Create RBAC resources |
| reportsController.rbac.serviceAccount.name | string | `nil` | Service account name |
| reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
| reportsController.image.registry | string | `"ghcr.io"` | Image registry |
| reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository |
| reportsController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| reportsController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| reportsController.imagePullSecrets | list | `[]` | Image pull secrets |
| reportsController.replicas | int | `nil` | Desired number of pods |
| reportsController.podLabels | object | `{}` | Additional labels to add to each pod |
| reportsController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
| reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| reportsController.priorityClassName | string | `""` | Optional priority class |
| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line |
| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |
| reportsController.tolerations | list | `[]` | List of node taints to tolerate |
| reportsController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
| reportsController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
| reportsController.podAffinity | object | `{}` | Pod affinity constraints. |
| reportsController.nodeAffinity | object | `{}` | Node affinity constraints. |
| reportsController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
| reportsController.podSecurityContext | object | `{}` | Security context for the pod |
| reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
| reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
| reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
| reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
| reportsController.metricsService.create | bool | `true` | Create service. |
| reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
| reportsController.metricsService.type | string | `"ClusterIP"` | Service type. |
| reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
| reportsController.metricsService.annotations | object | `{}` | Service annotations. |
| reportsController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| reportsController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
| reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| reportsController.serviceMonitor.namespace | string | `nil` | Override namespace |
| reportsController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| reportsController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| reportsController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| reportsController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| reportsController.tracing.enabled | bool | `false` | Enable tracing |
| reportsController.tracing.address | string | `nil` | Traces receiver address |
| reportsController.tracing.port | string | `nil` | Traces receiver port |
| reportsController.tracing.creds | string | `nil` | Traces receiver credentials |
| reportsController.metering.disabled | bool | `false` | Disable metrics export |
| reportsController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
| reportsController.metering.port | int | `8000` | Prometheus endpoint port |
| reportsController.metering.collector | string | `nil` | Otel collector endpoint |
| reportsController.metering.creds | string | `nil` | Otel collector credentials |
### Grafana
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
| grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. |
| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
### Webhooks cleanup
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
| webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
### Test
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| test.image.registry | string | `nil` | Image registry |
| test.image.repository | string | `"busybox"` | Image repository |
| test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted |
| test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
### Api version override
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| apiVersionOverride.podDisruptionBudget | string | `nil` | Override api version used to create `PodDisruptionBudget`` resources. When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the api version automatically. |
### Cleanup jobs
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cleanupJobs.admissionReports.enabled | bool | `true` | Enable cleanup cronjob |
| cleanupJobs.admissionReports.image.registry | string | `nil` | Image registry |
| cleanupJobs.admissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
| cleanupJobs.admissionReports.image.tag | string | `"1.26.4"` | Image tag Defaults to `latest` if omitted |
| cleanupJobs.admissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| cleanupJobs.admissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
| cleanupJobs.admissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
| cleanupJobs.admissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
| cleanupJobs.admissionReports.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupJobs.admissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.clusterAdmissionReports.enabled | bool | `true` | Enable cleanup cronjob |
| cleanupJobs.clusterAdmissionReports.image.registry | string | `nil` | Image registry |
| cleanupJobs.clusterAdmissionReports.image.repository | string | `"bitnami/kubectl"` | Image repository |
| cleanupJobs.clusterAdmissionReports.image.tag | string | `"1.26.4"` | Image tag Defaults to `latest` if omitted |
| cleanupJobs.clusterAdmissionReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| cleanupJobs.clusterAdmissionReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule |
| cleanupJobs.clusterAdmissionReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them |
| cleanupJobs.clusterAdmissionReports.history | object | `{"failure":1,"success":1}` | Cronjob history |
| cleanupJobs.clusterAdmissionReports.podSecurityContext | object | `{}` | Security context for the pod |
| cleanupJobs.clusterAdmissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
### Other
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| nameOverride | string | `nil` | Override the name of the chart |
| fullnameOverride | string | `nil` | Override the expanded name of the chart |
| namespaceOverride | string | `nil` | Override the namespace the chart deploys to |
| upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. |
| imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
| customLabels | object | `{}` | Additional labels |
## TLS Configuration
If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
## Default resource filters
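Review bot: `webhooksCleanup.image` defaults to `bitnami/kubectl:latest`, a mutable tag for a pre-delete hook that runs with enough permission to delete the webhook configurations; pin it the way `cleanupJobs.*.image.tag` is pinned to `1.26.4` (ideally split into registry/repository/tag like every other image in this chart, or by digest) so that a re-pushed `latest` cannot change what executes during uninstall. Smaller points: `reportsController.tracing.creds`, `reportsController.metering.collector` and `reportsController.metering.creds` default to `nil` while the same keys on the other three controllers default to `""`, and the `apiVersionOverride.podDisruptionBudget` description has a stray extra backtick after `PodDisruptionBudget`.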

View file

@ -2847,8 +2847,8 @@
},
"timepicker": {},
"timezone": "",
"title": "Kyverno",
"title": "Kyverno Metrics",
"folder": "Kyverno",
"uid": "Rg8lWBG7k",
"version": "1.4.3"
}
}

View file

@ -1,12 +1,30 @@
Chart version: {{ .Chart.Version }}
Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
Kyverno version: {{ default .Chart.AppVersion (default .Values.admissionController.container.image.tag .Values.admissionController.initContainer.image.tag) }}
Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}.
{{- if not .Values.replicaCount }}
⚠️ WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode.
{{- else if lt (int .Values.replicaCount) 3 }}
⚠️ WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode.
The following components have been installed in your cluster:
{{- if .Values.crds.install }}
- CRDs
{{- end }}
- Admission controller
{{- if .Values.reportsController.enabled }}
- Reports controller
{{- end }}
{{- if .Values.cleanupController.enabled }}
- Cleanup controller
{{- end }}
{{- if .Values.backgroundController.enabled }}
- Background controller
{{- end }}
{{- if .Values.grafana.enabled }}
- Grafana dashboard
{{- end }}
{{ if not .Values.admissionController.replicas }}
⚠️ WARNING: Setting the admission controller replica count below 3 means Kyverno is not running in high availability mode.
{{- else if lt (int .Values.admissionController.replicas) 3 }}
⚠️ WARNING: Setting the admission controller replica count below 3 means Kyverno is not running in high availability mode.
{{- end }}
💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
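Review bot: the `Kyverno version` line in this hunk gives the init container tag precedence over the main container tag: `default .Values.admissionController.container.image.tag .Values.admissionController.initContainer.image.tag` returns the init container tag whenever it is set. That is the reverse of the Deployment template in this commit, where the init container's default tag is derived from the main container's tag, so swap the two arguments so the reported version follows the main container. Also `{{ if not .Values.admissionController.replicas }}` lacks the `{{-` trim used by the surrounding lines, which leaves stray blank lines in the rendered notes.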

View file

@ -1,204 +1,62 @@
{{/* vim: set filetype=mustache: */}}
{{/* Expand the name of the chart. */}}
{{- define "kyverno.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kyverno.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Create chart name and version as used by the chart label. */}}
{{- define "kyverno.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Helm labels */}}
{{- define "kyverno.helmLabels" -}}
{{- if not .Values.templating.enabled -}}
helm.sh/chart: {{ template "kyverno.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- end -}}
{{/* Version labels */}}
{{- define "kyverno.versionLabels" -}}
{{- define "kyverno.chartVersion" -}}
{{- if .Values.templating.enabled -}}
app.kubernetes.io/version: {{ required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" }}
{{- required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" -}}
{{- else -}}
app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" }}
{{- .Chart.Version | replace "+" "_" -}}
{{- end -}}
{{- end -}}
{{/* CRD labels */}}
{{- define "kyverno.crdLabels" -}}
app.kubernetes.io/component: kyverno
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.matchLabels" .) }}
{{ . }}
{{- end }}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.versionLabels" .) }}
{{ . }}
{{- end }}
{{- define "kyverno.features.flags" -}}
{{- $flags := list -}}
{{- with .admissionReports -}}
{{- $flags = append $flags (print "--admissionReports=" .enabled) -}}
{{- end -}}
{{/* Helm required labels */}}
{{- define "kyverno.labels" -}}
app.kubernetes.io/component: kyverno
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.matchLabels" .) }}
{{ . }}
{{- end }}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.versionLabels" .) }}
{{ . }}
{{- end }}
{{- if .Values.customLabels }}
{{ toYaml .Values.customLabels }}
{{- end }}
{{- with .autoUpdateWebhooks -}}
{{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}}
{{- end -}}
{{/* Helm required labels */}}
{{- define "kyverno.test-labels" -}}
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/name: {{ template "kyverno.name" . }}-test
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}"
{{- with .backgroundScan -}}
{{- $flags = append $flags (print "--backgroundScan=" .enabled) -}}
{{- $flags = append $flags (print "--backgroundScanWorkers=" .backgroundScanWorkers) -}}
{{- $flags = append $flags (print "--backgroundScanInterval=" .backgroundScanInterval) -}}
{{- $flags = append $flags (print "--skipResourceFilters=" .skipResourceFilters) -}}
{{- end -}}
{{/* matchLabels */}}
{{- define "kyverno.matchLabels" -}}
{{- if .Values.templating.enabled -}}
app: kyverno
{{- end }}
app.kubernetes.io/name: {{ template "kyverno.name" . }}
{{- if not .Values.templating.enabled }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- with .configMapCaching -}}
{{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}}
{{- end -}}
{{/* Get the config map name. */}}
{{- define "kyverno.configMapName" -}}
{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}}
{{- with .dumpPayload -}}
{{- $flags = append $flags (print "--dumpPayload=" .enabled) -}}
{{- end -}}
{{/* Get the metrics config map name. */}}
{{- define "kyverno.metricsConfigMapName" -}}
{{- printf "%s" (default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.config.existingMetricsConfig) -}}
{{- with .forceFailurePolicyIgnore -}}
{{- $flags = append $flags (print "--forceFailurePolicyIgnore=" .enabled) -}}
{{- end -}}
{{/* Get the namespace name. */}}
{{- define "kyverno.namespace" -}}
{{- if .Values.namespace -}}
{{- .Values.namespace -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- with .logging -}}
{{- $flags = append $flags (print "--loggingFormat=" .format) -}}
{{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}}
{{- end -}}
{{- end -}}
{{/* Create the name of the service to use */}}
{{- define "kyverno.serviceName" -}}
{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/* Create the name of the service account to use */}}
{{- define "kyverno.serviceAccountName" -}}
{{- if .Values.rbac.serviceAccount.create -}}
{{ default (include "kyverno.fullname" .) .Values.rbac.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "kyverno.podDisruptionBudget.spec" -}}
{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}}
{{- end }}
{{- if not .Values.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}
{{- define "kyverno.securityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.securityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.securityContext }}
{{- end }}
{{- end }}
{{- define "kyverno.testSecurityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.testSecurityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.testSecurityContext }}
{{- end }}
{{- end }}
{{- define "kyverno.imagePullSecret" }}
{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
{{- end }}
{{- define "kyverno.image" -}}
{{- if .image.registry -}}
{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- else -}}
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- with .omitEvents -}}
{{- with .eventTypes -}}
{{- $flags = append $flags (print "--omit-events=" (join "," .)) -}}
{{- end -}}
{{- end }}
{{- define "kyverno.resourceFilters" -}}
{{- $resourceFilters := .Values.config.resourceFilters }}
{{- if .Values.excludeKyvernoNamespace }}
{{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
{{- end }}
{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
{{- range $filter := $resourceFilters }}
{{- if (contains (printf ",%s," $exclude) $filter) }}
{{- $resourceFilters = without $resourceFilters $filter }}
{{- end }}
{{- end }}
{{- end }}
{{- tpl (join "" $resourceFilters) . }}
{{- end }}
{{- define "kyverno.webhooks" -}}
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
{{- $newWebhook := list }}
{{- range $webhook := .Values.config.webhooks }}
{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
{{- end }}
{{- $newWebhook | toJson }}
{{- end }}
{{- end -}}
{{- with .policyExceptions -}}
{{- $flags = append $flags (print "--enablePolicyException=" .enabled) -}}
{{- with .namespace -}}
{{- $flags = append $flags (print "--exceptionNamespace=" .) -}}
{{- end -}}
{{- end -}}
{{- with .protectManagedResources -}}
{{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}}
{{- end -}}
{{- with .reports -}}
{{- $flags = append $flags (print "--reportsChunkSize=" .chunkSize) -}}
{{- end -}}
{{- with .registryClient -}}
{{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}}
{{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}}
{{- end -}}
{{- with $flags -}}
{{- toYaml . -}}
{{- end -}}
{{- end -}}
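Review bot: `kyverno.features.flags` passes `forceFailurePolicyIgnore`, `allowInsecureRegistry` and `dumpPayload` straight from values onto the container command line (`--forceFailurePolicyIgnore=`, `--allowInsecureRegistry=`, `--dumpPayload=`). Each of these weakens the admission path: fail-open webhooks, registry connections without certificate verification, and admission request payloads written to the log, which may include the full object of any admitted resource, Secrets included. The values file should default all three to `false`, and the README should list them as security-relevant switches rather than ordinary feature toggles.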

View file

@ -0,0 +1,8 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.deployment.replicas" -}}
{{- if eq (int (default 1 .)) 0 -}}
{{- fail "Kyverno does not support running with 0 replicas. Please provide a non-zero integer value." -}}
{{- end -}}
{{- . -}}
{{- end -}}
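Review bot: `kyverno.deployment.replicas` only rejects an exact 0. A negative value such as `-1` passes `eq (int (default 1 .)) 0` and reaches the Deployment, and a non-numeric string is coerced to 0 by `int`, so the failure message then blames a zero replica count for an input that was not one. Use `lt (int (default 1 .)) 1` and include the offending value in the `fail` message.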

View file

@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.image" -}}
{{- $tag := default .defaultTag .image.tag -}}
{{- if not (typeIs "string" $tag) -}}
{{ fail "Image tags must be strings." }}
{{- end -}}
{{- if .image.registry -}}
{{- print .image.registry "/" (required "An image repository is required" .image.repository) ":" $tag -}}
{{- else -}}
{{- print (required "An image repository is required" .image.repository) ":" $tag -}}
{{- end -}}
{{- end -}}
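Review bot: the `fail "Image tags must be strings."` message in `kyverno.image` does not tell the user what went wrong or how to fix it. The usual cause is an unquoted tag such as `tag: 1.10` being parsed by YAML as a float, so the message should say to quote the tag and include the value it saw, for example `fail (print "Image tags must be strings (quote the tag in values), got: " $tag)`.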

View file

@ -0,0 +1,43 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.labels.merge" -}}
{{- $labels := dict -}}
{{- range . -}}
{{- $labels = merge $labels (fromYaml .) -}}
{{- end -}}
{{- with $labels -}}
{{- toYaml $labels -}}
{{- end -}}
{{- end -}}
{{- define "kyverno.labels.helm" -}}
{{- if not .Values.templating.enabled -}}
helm.sh/chart: {{ template "kyverno.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- end -}}
{{- define "kyverno.labels.version" -}}
app.kubernetes.io/version: {{ template "kyverno.chartVersion" . }}
{{- end -}}
{{- define "kyverno.labels.common" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.helm" .)
(include "kyverno.labels.version" .)
(toYaml .Values.customLabels)
) -}}
{{- end -}}
{{- define "kyverno.matchLabels.common" -}}
app.kubernetes.io/part-of: {{ template "kyverno.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "kyverno.labels.component" -}}
app.kubernetes.io/component: {{ . }}
{{- end -}}
{{- define "kyverno.labels.name" -}}
app.kubernetes.io/name: {{ . }}
{{- end -}}
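Review bot: `kyverno.matchLabels.common` changes the selector label set compared with the old `kyverno.matchLabels` (`app.kubernetes.io/part-of` with the full name is now part of the selector and `app.kubernetes.io/name` no longer is). Because `spec.selector` on a Deployment is immutable, any Deployment that keeps its name across the upgrade will fail to apply; the migration section should say that such objects must be deleted first. Also, `merge` in `kyverno.labels.merge` keeps the first value for a duplicate key, so `.Values.customLabels`, being last in `kyverno.labels.common`, can never override the helm or version labels; either document that or reverse the order if overrides are intended.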

View file

@ -0,0 +1,26 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "kyverno.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "kyverno.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "kyverno.namespace" -}}
{{ default .Release.Namespace .Values.namespaceOverride }}
{{- end -}}
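Review bot: `kyverno.namespace` now reads `.Values.namespaceOverride` where the old helper read `.Values.namespace`. A user carrying `namespace:` forward from a v2 values file will silently get the release namespace instead, so the migration notes should list this rename, or the template should `fail` when the old key is still set.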

View file

@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.pdb.apiVersion" -}}
{{- if .Values.apiVersionOverride.podDisruptionBudget -}}
{{- .Values.apiVersionOverride.podDisruptionBudget -}}
{{- else if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
policy/v1
{{- else -}}
policy/v1beta1
{{- end -}}
{{- end -}}
{{- define "kyverno.pdb.spec" -}}
{{- if and .minAvailable .maxUnavailable -}}
{{- fail "Cannot set both .minAvailable and .maxUnavailable" -}}
{{- end -}}
{{- if not .maxUnavailable }}
minAvailable: {{ default 1 .minAvailable }}
{{- end }}
{{- if .maxUnavailable }}
maxUnavailable: {{ .maxUnavailable }}
{{- end }}
{{- end -}}

View file

@ -0,0 +1,8 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.templating.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.matchLabels.common" .)
) -}}
{{- end -}}

View file

@ -0,0 +1,8 @@
{{- if .Values.templating.enabled -}}
apiVersion: v1
kind: Namespace
metadata:
name: {{ include "kyverno.namespace" . }}
labels:
{{- include "kyverno.templating.labels" . | nindent 4 }}
{{- end -}}

View file

@ -0,0 +1,35 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.admission-controller.name" -}}
{{ template "kyverno.name" . }}-admission-controller
{{- end -}}
{{- define "kyverno.admission-controller.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.admission-controller.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.admission-controller.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "admission-controller")
) -}}
{{- end -}}
{{- define "kyverno.admission-controller.roleName" -}}
{{ include "kyverno.fullname" . }}:admission-controller
{{- end -}}
{{- define "kyverno.admission-controller.serviceAccountName" -}}
{{- if .Values.admissionController.rbac.create -}}
{{ default (include "kyverno.admission-controller.name" .) .Values.admissionController.rbac.serviceAccount.name }}
{{- else -}}
{{ required "A service account name is required when `rbac.create` is set to `false`" .Values.admissionController.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.admission-controller.serviceName" -}}
{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
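Review bot: the `required` message in `kyverno.admission-controller.serviceAccountName` refers to `rbac.create`, but the value actually tested is `admissionController.rbac.create` and the name comes from `admissionController.rbac.serviceAccount.name`; fix the message so users are pointed at the right keys.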

View file

@ -0,0 +1,116 @@
{{- if .Values.admissionController.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.admission-controller.roleName" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.admission-controller.roleName" . }}:core
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- patch
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
{{- with .Values.admissionController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.admission-controller.roleName" $ }}:additional
labels:
{{- include "kyverno.admission-controller.labels" $ | nindent 4 }}
rules:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
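Review bot: the last rule in the `:core` ClusterRole grants `get`, `list` and `watch` on `'*'` resources in `'*'` API groups, which includes every Secret in the cluster. That is far broader than what the preceding rules need for webhooks, policies and reports, and it turns a compromise of the admission controller pod into cluster-wide read access. If this breadth is required for policy context lookups, say so in a template comment and in the README's security notes, and consider narrowing it to the kinds policies actually reference. Note also that the aggregation rule selects on the component's match labels, so any ClusterRole carrying those labels is pulled in; the `:additional` role relies on this, which is fine, but it deserves a comment.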

View file

@ -0,0 +1,16 @@
{{- if .Values.admissionController.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.admission-controller.roleName" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.admission-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}

View file

@ -0,0 +1,221 @@
{{- if not .Values.templating.debug -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
spec:
replicas: {{ template "kyverno.deployment.replicas" .Values.admissionController.replicas }}
{{- with .Values.admissionController.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 8 }}
{{- with .Values.admissionController.podLabels }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.admissionController.podAnnotations }}
annotations: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
spec:
{{- with .Values.admissionController.container.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.admissionController.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.admissionController.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.admissionController.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.admissionController.topologySpreadConstraints }}
topologySpreadConstraints:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.admissionController.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.admissionController.hostNetwork }}
hostNetwork: {{ . }}
{{- end }}
{{- with .Values.admissionController.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- if or .Values.admissionController.antiAffinity.enable .Values.admissionController.podAffinity .Values.admissionController.nodeAffinity }}
affinity:
{{- if .Values.admissionController.antiAffinity.enabled }}
{{- with .Values.admissionController.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.admissionController.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.admissionController.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }}
initContainers:
{{- with .Values.admissionController.extraInitContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: kyverno-pre
image: {{ include "kyverno.image" (dict "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }}
imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }}
args:
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride)
"logging"
) | nindent 12 }}
{{- range $key, $value := .Values.admissionController.initContainer.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- end }}
{{- end }}
{{- with .Values.admissionController.initContainer.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.admissionController.initContainer.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: METRICS_CONFIG
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_DEPLOYMENT
value: {{ template "kyverno.fullname" . }}
{{- with .Values.admissionController.initContainer.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
containers:
{{- with .Values.admissionController.extraContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: kyverno
image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }}
imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }}
args:
- --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }}
- --servicePort={{ .Values.admissionController.service.port }}
{{- if .Values.admissionController.tracing.enabled }}
- --enableTracing
- --tracingAddress={{ .Values.admissionController.tracing.address }}
- --tracingPort={{ .Values.admissionController.tracing.port }}
{{- with .Values.admissionController.tracing.creds }}
- --tracingCreds={{ . }}
{{- end }}
{{- end }}
- --disableMetrics={{ .Values.admissionController.metering.disabled }}
{{- if not .Values.admissionController.metering.disabled }}
- --otelConfig={{ .Values.admissionController.metering.config }}
- --metricsPort={{ .Values.admissionController.metering.port }}
{{- with .Values.admissionController.metering.collector }}
- --otelCollector={{ . }}
{{- end }}
{{- with .Values.admissionController.metering.creds }}
- --transportCreds={{ . }}
{{- end }}
{{- end }}
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride)
"admissionReports"
"autoUpdateWebhooks"
"configMapCaching"
"dumpPayload"
"forceFailurePolicyIgnore"
"logging"
"omitEvents"
"policyExceptions"
"protectManagedResources"
"registryClient"
) | nindent 12 }}
{{- range $key, $value := .Values.admissionController.container.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- end }}
{{- end }}
{{- with .Values.admissionController.container.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.admissionController.container.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
env:
- name: INIT_CONFIG
value: {{ template "kyverno.config.configMapName" . }}
- name: METRICS_CONFIG
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: {{ template "kyverno.admission-controller.serviceAccountName" . }}
- name: KYVERNO_SVC
value: {{ template "kyverno.admission-controller.serviceName" . }}
- name: TUF_ROOT
value: {{ .Values.admissionController.tufRootMountPath }}
{{- with .Values.admissionController.container.extraEnvVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: KYVERNO_DEPLOYMENT
value: {{ template "kyverno.admission-controller.name" . }}
{{- with .Values.admissionController.startupProbe }}
startupProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.admissionController.livenessProbe }}
livenessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.admissionController.readinessProbe }}
readinessProbe:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.admissionController.tufRootMountPath }}
name: sigstore
volumes:
- name: sigstore
{{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }}
{{- end -}}
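Review bot: the affinity block uses two different keys: the outer condition tests `.Values.admissionController.antiAffinity.enable` while the inner one tests `.Values.admissionController.antiAffinity.enabled`, so with any values file one of them is unset and `podAntiAffinity` is never rendered; use `enabled` in both places and make sure the values file matches. Two smaller mismatches in the same hunk: `KYVERNO_DEPLOYMENT` is `kyverno.fullname` in the init container but `kyverno.admission-controller.name` in the main container, and `--imagePullSecrets` reads the top-level `.Values.imagePullSecrets` and `.Values.existingImagePullSecrets` while the pod's `imagePullSecrets` comes from `.Values.admissionController.container.imagePullSecrets`. Finally, `--metricsPort={{ .Values.admissionController.metering.port }}` is configurable but `containerPort: 8000` is fixed, so the two can diverge.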

View file

@ -0,0 +1,31 @@
{{- if .Values.admissionController.networkPolicy.enabled -}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
policyTypes:
- Ingress
{{- if .Values.admissionController.networkPolicy.ingressFrom }}
ingress:
- from:
{{- toYaml .Values.admissionController.networkPolicy.ingressFrom | nindent 8 }}
ports:
- protocol: TCP
port: 9443 # webhook access
# Allow prometheus scrapes for metrics
{{- if .Values.admissionController.metricsService.create }}
- protocol: TCP
port: {{ .Values.admissionController.metricsService.port }}
{{- end }}
{{- else }}
ingress:
- {}
{{- end }}
{{- end -}}
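Review bot: the metrics entry under `ports` uses `.Values.admissionController.metricsService.port`, but NetworkPolicy port matching is done against the pod's container port, which the Deployment fixes at 8000 (the metrics Service maps `metricsService.port` to `targetPort: 8000`); unless the service port happens to be 8000 this rule blocks scrapes. Use `port: 8000` or the named port. Also, when `ingressFrom` is empty the policy falls back to `ingress: - {}`, which allows all ingress traffic, so enabling the network policy without `ingressFrom` restricts nothing; that should be stated in the values comment.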

View file

@ -0,0 +1,14 @@
{{- if (gt (int .Values.admissionController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
spec:
{{- include "kyverno.pdb.spec" .Values.admissionController.podDisruptionBudget | nindent 2 }}
selector:
matchLabels:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
{{- end -}}

View file

@ -0,0 +1,57 @@
{{- if .Values.admissionController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.admission-controller.roleName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
resourceNames:
- {{ include "kyverno.config.configMapName" . }}
- {{ include "kyverno.config.metricsConfigMapName" . }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
# Allow update of Kyverno deployment annotations
- apiGroups:
- apps
resources:
- deployments
{{- if .Values.webhooksCleanup.enabled }}
- deployments/scale
{{- end }}
verbs:
- get
- list
- watch
{{- if .Values.webhooksCleanup.enabled }}
- patch
- update
{{- end }}
{{- end -}}
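Review bot: the `secrets` rule grants `get`, `list`, `watch`, `create` and `update` on every Secret in the namespace, while the neighbouring `configmaps` rule is correctly narrowed with `resourceNames`. The controller only needs its TLS Secrets (the `kyverno-tls-ca` and `kyverno-tls-pair` names rendered by the secret template), so scope `get` and `update` with `resourceNames` the same way and keep `create`, which cannot be restricted by name, in a separate rule. The comment `# Allow update of Kyverno deployment annotations` is also misleading: `patch` and `update` on deployments are only granted when `webhooksCleanup.enabled` is set.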

View file

@ -0,0 +1,17 @@
{{- if .Values.admissionController.rbac.create -}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.admission-controller.roleName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.admission-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}

View file

@ -1,14 +1,14 @@
{{- if .Values.createSelfSignedCert }}
{{- if .Values.admissionController.createSelfSignedCert -}}
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}}
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.key: {{ $ca.Key | b64enc }}
@ -17,10 +17,10 @@ data:
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
annotations:
self-signed-cert: "true"
type: kubernetes.io/tls
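Review bot: `genCA` and `genSignedCert` produce a fresh key pair on every template render, so each `helm upgrade` with `admissionController.createSelfSignedCert` enabled rotates both the CA and the serving certificate stored in these Secrets; the webhook configurations' `caBundle` must be updated in the same release or admission requests fail TLS verification. Both certificates are issued for 1024 days with no rotation path, which is long for a serving certificate. Note as well that the `kyverno-tls-ca` Secret stores the CA private key under `tls.key`, so the namespace Role's `secrets` permissions directly gate access to the CA key.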

View file

@ -0,0 +1,47 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.admission-controller.serviceName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
{{- with .Values.admissionController.service.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.admissionController.service.port }}
targetPort: https
protocol: TCP
name: https
{{- if and (eq .Values.admissionController.service.type "NodePort") (not (empty .Values.admissionController.service.nodePort)) }}
nodePort: {{ .Values.admissionController.service.nodePort }}
{{- end }}
selector:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
type: {{ .Values.admissionController.service.type }}
---
{{- if .Values.admissionController.metricsService.create }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.admission-controller.serviceName" . }}-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
{{- with .Values.admissionController.metricsService.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.admissionController.metricsService.port }}
targetPort: 8000
protocol: TCP
name: metrics-port
{{- if and (eq .Values.admissionController.metricsService.type "NodePort") (not (empty .Values.admissionController.metricsService.nodePort)) }}
nodePort: {{ .Values.admissionController.metricsService.nodePort }}
{{- end }}
selector:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }}
type: {{ .Values.admissionController.metricsService.type }}
{{- end -}}
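Review bot: the `---` separator sits before the `{{- if .Values.admissionController.metricsService.create }}` guard, so with the metrics Service disabled the template ends in an empty document; move the separator inside the `if`. For the `NodePort` branches, the values comment should note that exposing the webhook Service on a node port makes it reachable from outside the cluster, while the API server only needs in-cluster access.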

View file

@ -0,0 +1,13 @@
{{- if .Values.admissionController.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
{{- with .Values.admissionController.rbac.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View file

@ -0,0 +1,32 @@
{{- if .Values.admissionController.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "kyverno.admission-controller.name" . }}
{{- if .Values.admissionController.serviceMonitor.namespace }}
namespace: {{ .Values.admissionController.serviceMonitor.namespace }}
{{- else }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
labels:
{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
{{- with .Values.admissionController.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "kyverno.namespace" . }}
endpoints:
- port: metrics-port
interval: {{ .Values.admissionController.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.admissionController.serviceMonitor.scrapeTimeout }}
{{- if .Values.admissionController.serviceMonitor.secure }}
scheme: https
tlsConfig:
{{- toYaml .Values.admissionController.serviceMonitor.tlsConfig | nindent 8 }}
{{- end }}
{{- end -}}

View file

@ -1,111 +0,0 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-policies
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-policyreport
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- clusterpolicyreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-reports
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-generaterequest
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- generaterequests
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:admin-updaterequest
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- updaterequests
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}
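Review bot: this hunk deletes all five `aggregate-to-admin` ClusterRoles (policies, policyreports, reports, generaterequests, updaterequests) and nothing in the hunk replaces them. If that is intentional for v3, members of the built-in `admin` aggregated role lose create/delete on `policies`, `clusterpolicies` and `policyreports`, which is a behaviour change that belongs in the `Migrating from v2 to v3` section; if the roles are re-created under another file elsewhere in the commit, a one-line pointer in the commit message would save reviewers the search.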

View file

@ -0,0 +1,39 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.background-controller.name" -}}
{{ template "kyverno.name" . }}-background-controller
{{- end -}}
{{- define "kyverno.background-controller.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.background-controller.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.background-controller.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "background-controller")
) -}}
{{- end -}}
{{- define "kyverno.background-controller.image" -}}
{{- if .image.registry -}}
{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- else -}}
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- end -}}
{{- end -}}
{{- define "kyverno.background-controller.roleName" -}}
{{ include "kyverno.fullname" . }}:background-controller
{{- end -}}
{{- define "kyverno.background-controller.serviceAccountName" -}}
{{- if .Values.backgroundController.rbac.create -}}
{{ default (include "kyverno.background-controller.name" .) .Values.backgroundController.rbac.serviceAccount.name }}
{{- else -}}
{{ required "A service account name is required when `rbac.create` is set to `false`" .Values.backgroundController.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
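Review bot: the `required` message in `kyverno.background-controller.serviceAccountName` says "`rbac.create` is set to `false`", but the key actually tested is `.Values.backgroundController.rbac.create`; a failed render therefore points the operator at the wrong setting. Suggest `"A service account name is required when `backgroundController.rbac.create` is set to `false`"`, and the same correction for the cleanup-controller helper, which uses identical wording.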

View file

@ -0,0 +1,109 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.background-controller.roleName" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
{{- include "kyverno.background-controller.matchLabels" . | nindent 8 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.background-controller.roleName" . }}:core
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
resources:
- updaterequests
- updaterequests/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps
- secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
{{- with .Values.backgroundController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.background-controller.roleName" $ }}:additional
labels:
{{- include "kyverno.background-controller.labels" $ | nindent 4 }}
rules:
{{- range . }}
- apiGroups:
{{- toYaml .apiGroups | nindent 6 }}
resources:
{{- toYaml .resources | nindent 6 }}
verbs:
- create
- update
- patch
- delete
- get
- list
{{- end }}
{{- end }}
{{- end }}
{{- end }}
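Review bot: the `:core` role grants get/list/watch on every resource in every API group cluster-wide, plus create/update/patch/delete on `secrets`, `roles` and `rolebindings` in all namespaces. RBAC escalation prevention only stops a subject from granting permissions it does not itself hold, so a controller with read-all plus `rolebindings` create can hand cluster-wide read access (Secrets included) to any subject through a generated RoleBinding; that may be exactly what generate policies need, but it deserves a comment in the template and a sentence in the values documentation so operators know what they are enabling. Two smaller points: `apiGroups` is written `''` on the events rule and `""` on the core rule in the same file; and the `:additional` role hard-codes six verbs for every `extraResources` entry, so an operator cannot grant a narrower set (for example read-only) for a resource the controller only needs to look up. Consider honouring an optional `verbs` field per entry, with the current six as the default.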

View file

@ -0,0 +1,18 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.background-controller.roleName" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.background-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.background-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

View file

@ -0,0 +1,142 @@
{{- if .Values.backgroundController.enabled -}}
{{- if not .Values.templating.debug -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.background-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
spec:
replicas: {{ template "kyverno.deployment.replicas" .Values.backgroundController.replicas }}
{{- with .Values.backgroundController.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kyverno.background-controller.labels" . | nindent 8 }}
{{- with .Values.backgroundController.podLabels }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.backgroundController.podAnnotations }}
annotations: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
spec:
{{- with .Values.backgroundController.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.backgroundController.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.backgroundController.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.backgroundController.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.backgroundController.topologySpreadConstraints }}
topologySpreadConstraints:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.backgroundController.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.backgroundController.hostNetwork }}
hostNetwork: {{ . }}
{{- end }}
{{- with .Values.backgroundController.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- if or .Values.backgroundController.antiAffinity.enabled .Values.backgroundController.podAffinity .Values.backgroundController.nodeAffinity }}
affinity:
{{- if .Values.backgroundController.antiAffinity.enabled }}
{{- with .Values.backgroundController.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.backgroundController.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.backgroundController.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }}
containers:
- name: controller
image: {{ include "kyverno.background-controller.image" (dict "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }}
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
{{- if .Values.backgroundController.tracing.enabled }}
- --enableTracing
- --tracingAddress={{ .Values.backgroundController.tracing.address }}
- --tracingPort={{ .Values.backgroundController.tracing.port }}
{{- with .Values.backgroundController.tracing.creds }}
- --tracingCreds={{ . }}
{{- end }}
{{- end }}
- --disableMetrics={{ .Values.backgroundController.metering.disabled }}
{{- if not .Values.backgroundController.metering.disabled }}
- --otelConfig={{ .Values.backgroundController.metering.config }}
- --metricsPort={{ .Values.backgroundController.metering.port }}
{{- with .Values.backgroundController.metering.collector }}
- --otelCollector={{ . }}
{{- end }}
{{- with .Values.backgroundController.metering.creds }}
- --transportCreds={{ . }}
{{- end }}
{{- end }}
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride)
"configMapCaching"
"logging"
"omitEvents"
"policyExceptions"
) | nindent 12 }}
{{- range $key, $value := .Values.backgroundController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- end }}
{{- end }}
env:
- name: INIT_CONFIG
value: {{ template "kyverno.config.configMapName" . }}
- name: METRICS_CONFIG
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- with .Values.backgroundController.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.backgroundController.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end -}}
{{- end -}}
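Review bot: the metrics `containerPort` is hard-coded to `8000` while the process is started with `--metricsPort={{ .Values.backgroundController.metering.port }}`, so changing `metering.port` in values silently produces a port mismatch (the metrics Service in this commit also hard-codes `targetPort: 8000`); render the container port from the same value or drop the flag from values. Two more points: the `extraArgs` loop guards each entry with `{{- if $value }}`, which skips any falsy value, so `--someFlag=false` or `--someFlag=0` can never be passed; testing for nil instead (for example `{{- if not (kindIs "invalid" $value) }}`) keeps the "unset means omit" behaviour without losing explicit false/zero. And unlike the cleanup-controller Deployment, this container renders no `imagePullPolicy` and no startup/liveness/readiness probe, so a wedged background controller is never restarted by the kubelet.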

View file

@ -0,0 +1,30 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.networkPolicy.enabled -}}
{{- if .Values.backgroundController.metricsService.create -}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "kyverno.background-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
policyTypes:
- Ingress
{{- if .Values.backgroundController.networkPolicy.ingressFrom }}
ingress:
- from:
{{- toYaml .Values.backgroundController.networkPolicy.ingressFrom | nindent 8 }}
ports:
- protocol: TCP
port: {{ .Values.backgroundController.metricsService.port }}
{{- else }}
ingress:
- {}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
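Review bot: two gaps in the gating of this NetworkPolicy. First, the whole object is wrapped in `{{- if .Values.backgroundController.metricsService.create -}}`, so with `networkPolicy.enabled: true` but no metrics Service nothing is rendered and the pods get no ingress restriction at all; that `if` should only decide whether the metrics-port rule is emitted. Second, when `ingressFrom` is empty the `else` branch renders `ingress:` / `- {}`, which is an allow-from-anywhere rule, so the policy is a no-op precisely when the operator has not named any peer; a default-deny would be `ingress: []` (or omitting `ingress` with `policyTypes: [Ingress]`), opening the metrics port only when peers are listed. If allow-all is the intended safe default, say so in a template comment.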

View file

@ -0,0 +1,16 @@
{{- if .Values.backgroundController.enabled -}}
{{- if (gt (int .Values.backgroundController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.background-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
spec:
{{- include "kyverno.pdb.spec" .Values.backgroundController.podDisruptionBudget | nindent 2 }}
selector:
matchLabels:
{{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
{{- end -}}
{{- end -}}

View file

@ -0,0 +1,33 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.background-controller.roleName" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
rules:
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
resourceNames:
- {{ include "kyverno.config.configMapName" . }}
- {{ include "kyverno.config.metricsConfigMapName" . }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end -}}
{{- end -}}
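Review bot: narrowing `configmaps` to the two named ConfigMaps with `resourceNames` is good least privilege, but the API server only authorises `list` and `watch` under `resourceNames` when the request carries a `metadata.name` field selector matching one of the listed names; a standard namespace-wide ConfigMap informer is rejected with Forbidden. Please confirm the background controller watches these ConfigMaps by name (field selector `metadata.name=<name>`); if it does not, either keep only `get` here or drop `resourceNames` from this rule.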

View file

@ -0,0 +1,19 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.rbac.create -}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.background-controller.roleName" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.background-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.background-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

View file

@ -0,0 +1,27 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.metricsService.create -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.background-controller.name" . }}-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
{{- with .Values.backgroundController.metricsService.annotations }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.backgroundController.metricsService.port }}
targetPort: 8000
protocol: TCP
name: metrics-port
{{- if and (eq .Values.backgroundController.metricsService.type "NodePort") (not (empty .Values.backgroundController.metricsService.nodePort)) }}
nodePort: {{ .Values.backgroundController.metricsService.nodePort }}
{{- end }}
selector:
{{- include "kyverno.background-controller.matchLabels" . | nindent 4 }}
type: {{ .Values.backgroundController.metricsService.type }}
{{- end -}}
{{- end -}}

View file

@ -0,0 +1,15 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.rbac.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.background-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
{{- with .Values.backgroundController.rbac.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}

View file

@ -0,0 +1,34 @@
{{- if .Values.backgroundController.enabled -}}
{{- if .Values.backgroundController.serviceMonitor.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "kyverno.background-controller.name" . }}
{{- if .Values.backgroundController.serviceMonitor.namespace }}
namespace: {{ .Values.backgroundController.serviceMonitor.namespace }}
{{- else }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
labels:
{{- include "kyverno.background-controller.labels" . | nindent 4 }}
{{- with .Values.backgroundController.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "kyverno.namespace" . }}
endpoints:
- port: metrics-port
interval: {{ .Values.backgroundController.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.backgroundController.serviceMonitor.scrapeTimeout }}
{{- if .Values.backgroundController.serviceMonitor.secure }}
scheme: https
tlsConfig:
{{- toYaml .Values.backgroundController.serviceMonitor.tlsConfig | nindent 8 }}
{{- end }}
{{- end -}}
{{- end -}}

View file

@ -5,22 +5,17 @@
{{- end -}}
{{- define "kyverno.cleanup-controller.labels" -}}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
{{- with (include "kyverno.helmLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.versionLabels" .) }}
{{ . }}
{{- end }}
{{- with (include "kyverno.cleanup-controller.matchLabels" .) }}
{{ . }}
{{- end }}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.cleanup-controller.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.cleanup-controller.matchLabels" -}}
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/name: {{ template "kyverno.cleanup-controller.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "cleanup-controller")
) -}}
{{- end -}}
{{- define "kyverno.cleanup-controller.image" -}}
@ -32,10 +27,9 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- define "kyverno.cleanup-controller.roleName" -}}
{{ .Release.Name }}:cleanup-controller
{{ include "kyverno.fullname" . }}:cleanup-controller
{{- end -}}
{{/* Create the name of the service account to use */}}
{{- define "kyverno.cleanup-controller.serviceAccountName" -}}
{{- if .Values.cleanupController.rbac.create -}}
{{ default (include "kyverno.cleanup-controller.name" .) .Values.cleanupController.rbac.serviceAccount.name }}
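Review bot: `kyverno.cleanup-controller.roleName` now derives from `kyverno.fullname` instead of `.Release.Name`, so the Role, ClusterRole and their bindings are renamed on upgrade. Helm creates the new objects and removes the old ones, which is fine for the chart itself, but any RoleBinding or ClusterRoleBinding an operator created outside the chart against the old name keeps pointing at a role that no longer exists; worth a line in the migration notes. The `{{/* Create the name of the service account to use */}}` comment was also dropped without replacement.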
@ -43,25 +37,3 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{ required "A service account name is required when `rbac.create` is set to `false`" .Values.cleanupController.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.cleanup-controller.securityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.cleanupController.securityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.cleanupController.securityContext }}
{{- end }}
{{- end }}
{{/* Create the default PodDisruptionBudget to use */}}
{{- define "kyverno.cleanup-controller.podDisruptionBudget.spec" -}}
{{- if and .Values.cleanupController.podDisruptionBudget.minAvailable .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
{{- fail "Cannot set both .Values.cleanupController.podDisruptionBudget.minAvailable and .Values.cleanupController.podDisruptionBudget.maxUnavailable" -}}
{{- end }}
{{- if not .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
minAvailable: {{ default 1 .Values.cleanupController.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.cleanupController.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}
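Review bot: deleting `kyverno.cleanup-controller.securityContext` removes the `semverCompare "<1.19"` branch that stripped `seccompProfile` on older clusters, so the container `securityContext` is now rendered verbatim, `seccompProfile` included; make sure `kubeVersion` in Chart.yaml has been raised to match, otherwise pre-1.19 API servers reject the pod spec. The deleted `podDisruptionBudget.spec` helper also carried the `fail` for the case where both `minAvailable` and `maxUnavailable` are set; please confirm the shared `kyverno.pdb.spec` helper that replaces it keeps that check rather than rendering an invalid PDB.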

View file

@ -65,12 +65,20 @@ rules:
- update
- watch
- apiGroups:
- ""
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
{{- with .Values.cleanupController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1

View file

@ -4,13 +4,11 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- with .Values.cleanupController.replicas }}
replicas: {{ . }}
{{- end }}
replicas: {{ template "kyverno.deployment.replicas" .Values.cleanupController.replicas }}
{{- with .Values.cleanupController.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
@ -22,8 +20,14 @@ spec:
metadata:
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 8 }}
{{- with .Values.cleanupController.podLabels }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.cleanupController.podAnnotations }}
annotations: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
spec:
{{- with .Values.cleanupController.image.pullSecrets }}
{{- with .Values.cleanupController.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
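Review bot: `.Values.cleanupController.image.pullSecrets` is renamed to `.Values.cleanupController.imagePullSecrets`; a v2 values file that still sets the old key renders no `imagePullSecrets` and produces no error, so private-registry users silently lose image pulls on upgrade. Add the rename to the `Migrating from v2 to v3` section, or keep a `fail` on the old key for one release so the upgrade stops with a clear message.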
@ -81,7 +85,7 @@ spec:
name: metrics
protocol: TCP
args:
- --loggingFormat={{ .Values.cleanupController.logging.format }}
- --servicePort={{ .Values.cleanupController.service.port }}
{{- if .Values.cleanupController.tracing.enabled }}
- --enableTracing
- --tracingAddress={{ .Values.cleanupController.tracing.address }}
@ -101,16 +105,26 @@ spec:
- --transportCreds={{ . }}
{{- end }}
{{- end }}
{{- range .Values.cleanupController.extraArgs }}
- {{ . }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride)
"dumpPayload"
"logging"
) | nindent 12 }}
{{- range $key, $value := .Values.cleanupController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- end }}
{{- end }}
env:
- name: INIT_CONFIG
value: {{ template "kyverno.config.configMapName" . }}
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
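Review bot: `extraArgs` changes shape from a list of raw strings to a map, and the template does not guard against the old shape; a v2 value such as `extraArgs: ["--foo=bar"]` still renders, because `range $key, $value` over a list yields the index, producing the bogus argument `--0=--foo=bar` rather than a render error. Either `fail` when `kindIs "slice" .Values.cleanupController.extraArgs`, or document the new map form prominently in the migration section. The `{{- if $value }}` guard also drops explicit `false`/`0` values, the same issue as in the background-controller Deployment.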
@ -120,8 +134,9 @@ spec:
{{- with .Values.cleanupController.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if .Values.cleanupController.securityContext }}
securityContext: {{ include "kyverno.cleanup-controller.securityContext" . | nindent 12 }}
{{- with .Values.cleanupController.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.cleanupController.startupProbe }}
startupProbe:

View file

@ -0,0 +1,33 @@
{{- if .Values.cleanupController.enabled -}}
{{- if .Values.cleanupController.networkPolicy.enabled -}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}
policyTypes:
- Ingress
{{- if .Values.cleanupController.networkPolicy.ingressFrom }}
ingress:
- from:
{{- toYaml .Values.cleanupController.networkPolicy.ingressFrom | nindent 8 }}
ports:
- protocol: TCP
port: 9443 # webhook access
# Allow prometheus scrapes for metrics
{{- if .Values.cleanupController.metricsService.create }}
- protocol: TCP
port: {{ .Values.cleanupController.metricsService.port }}
{{- end }}
{{- else }}
ingress:
- {}
{{- end }}
{{- end -}}
{{- end -}}
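Review bot: when `ingressFrom` is unset the `else` branch renders `ingress:` / `- {}`, an allow-from-anywhere rule, so this policy restricts nothing until peers are listed. For this controller that default is defensible, since the API server must reach the webhook on 9443, but it should be stated in a template comment; and the `# webhook access` comment on the 9443 rule is the right place to remind operators that `ingressFrom`, once set, must cover the API server's source addresses or admission of cleanup policies fails closed.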

View file

@ -1,18 +1,14 @@
{{- if .Values.cleanupController.enabled -}}
{{- if (gt (int .Values.cleanupController.replicas) 1) -}}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
apiVersion: policy/v1
{{- else -}}
apiVersion: policy/v1beta1
{{- end }}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "kyverno.cleanup-controller.podDisruptionBudget.spec" . | indent 2 }}
{{- include "kyverno.pdb.spec" .Values.cleanupController.podDisruptionBudget | nindent 2 }}
selector:
matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}

View file

@ -8,33 +8,36 @@ metadata:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
resourceNames:
- {{ include "kyverno.config.configMapName" . }}
- {{ include "kyverno.config.metricsConfigMapName" . }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end -}}
{{- end -}}
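Review bot: the `secrets` rule still grants get/list/watch/create/update on every Secret in the namespace, while `configmaps` was narrowed with `resourceNames`. The controller presumably only needs its own webhook TLS Secret(s), so get/update/watch could be restricted by name in the same way, leaving `create` (which `resourceNames` cannot restrict) in a separate rule. Note also that the `list`/`watch` entries under `resourceNames` are only honoured for requests that carry a matching `metadata.name` field selector.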

View file

@ -12,8 +12,8 @@ roleRef:
kind: Role
name: {{ template "kyverno.cleanup-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

View file

@ -4,8 +4,12 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.cleanupController.rbac.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}

View file

@ -12,7 +12,7 @@ metadata:
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
{{- with .Values.cleanupController.serviceMonitor.additionalLabels }}
{{- toYaml .Values.cleanupController.serviceMonitor.additionalLabels | nindent 4 }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:

View file

@ -0,0 +1,43 @@
{{- if .Values.cleanupJobs.admissionReports.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "kyverno.name" . }}-cleanup-admission-reports
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}
spec:
schedule: {{ .Values.cleanupJobs.admissionReports.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.success }}
failedJobsHistoryLimit: {{ .Values.cleanupJobs.admissionReports.history.failure }}
jobTemplate:
spec:
template:
spec:
serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
{{- with .Values.cleanupJobs.admissionReports.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
containers:
- name: cleanup
image: {{ template "kyverno.image" .Values.cleanupJobs.admissionReports }}
imagePullPolicy: {{ .Values.cleanupJobs.admissionReports.image.pullPolicy }}
command:
- /bin/sh
- -c
- |
COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt {{ .Values.cleanupJobs.admissionReports.threshold }} ]; then
echo "too many reports found ($COUNT), cleaning up..."
kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
else
echo "($COUNT) reports found, no clean up needed"
fi
{{- with .Values.cleanupJobs.admissionReports.securityContext }}
securityContext:
{{- toYaml . | nindent 14 }}
{{- end }}
restartPolicy: OnFailure
{{- end -}}
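Review bot: `COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)` counts the column-header line as well, so the threshold comparison is off by one whenever at least one report exists; use `kubectl get admissionreports.kyverno.io -A -o name | wc -l` (or `--no-headers`). The script also runs without `set -e` (and `set -o pipefail` where the image's shell supports it), so a failed `kubectl get`, for example a transient API error, yields `COUNT=0`, prints "no clean up needed" and exits 0, hiding the failure from the Job history. Finally, because `-A` is used for both the count and the delete, crossing a single cluster-wide threshold wipes the non-aggregated reports of every namespace at once; if that is intended, a comment saying so would help.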

View file

@ -0,0 +1,43 @@
{{- if .Values.cleanupJobs.clusterAdmissionReports.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
name: {{ template "kyverno.name" . }}-cleanup-cluster-admission-reports
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}
spec:
schedule: {{ .Values.cleanupJobs.clusterAdmissionReports.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.success }}
failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterAdmissionReports.history.failure }}
jobTemplate:
spec:
template:
spec:
serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs
{{- with .Values.cleanupJobs.clusterAdmissionReports.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
containers:
- name: cleanup
image: {{ template "kyverno.image" .Values.cleanupJobs.clusterAdmissionReports }}
imagePullPolicy: {{ .Values.cleanupJobs.clusterAdmissionReports.image.pullPolicy }}
command:
- /bin/sh
- -c
- |
COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterAdmissionReports.threshold }} ]; then
echo "too many reports found ($COUNT), cleaning up..."
kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
else
echo "($COUNT) reports found, no clean up needed"
fi
{{- with .Values.cleanupJobs.clusterAdmissionReports.securityContext }}
securityContext:
{{- toYaml . | nindent 14 }}
{{- end }}
restartPolicy: OnFailure
{{- end -}}
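Review bot: same header-line off-by-one in `COUNT` and same missing `set -e` as in the admissionreports CronJob. The two templates differ only in the resource name and the values key, so a single template that `range`s over the two report kinds would keep any fix in one place.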

View file

@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.name" . }}-cleanup-jobs
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
verbs:
- list
- deletecollection
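Review bot: the verbs are `list` and `deletecollection` only, but the CronJobs run `kubectl delete ... -l <selector>`, which resolves the selector to individual objects and issues one DELETE per object, i.e. the `delete` verb, not `deletecollection`. Please verify the job succeeds against a live cluster with exactly this role; if it returns Forbidden, add `delete` or switch the job to a single DeleteCollection request so the role can stay this narrow.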

View file

@ -0,0 +1,14 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.name" . }}-cleanup-jobs
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.name" . }}-cleanup-jobs
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.name" . }}-cleanup-jobs
namespace: {{ template "kyverno.namespace" . }}

View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.name" . }}-cleanup-jobs
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }}

View file

@ -1,188 +0,0 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:policies
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- generaterequests
- generaterequests/status
- updaterequests
- updaterequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:view
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:generate
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
verbs:
- create
- update
- patch
- delete
- apiGroups:
- ''
resources:
- namespaces
- configmaps
- secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- update
- patch
- delete
{{- if .Values.generatecontrollerExtraResources }}
- apiGroups:
- '*'
resources:
{{- range .Values.generatecontrollerExtraResources }}
- {{ . }}
{{- end }}
verbs:
- create
- update
- delete
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:events
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
{{- end }}
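Review bot: this deletion removes the `:generate` ClusterRole (L3936-L3988), which granted create/update/patch/delete on `secrets`, `configmaps`, `namespaces`, `roles`, `rolebindings` and the user-supplied `generatecontrollerExtraResources` list, but none of the new roles in this commit carry those write permissions (the reports-controller `:core` role on L3891 grants only reads plus report and event writes). If the background controller's role elsewhere in the commit provides them under a new values key, the `generatecontrollerExtraResources` rename needs an entry in the README's `Migrating from v2 to v3` section; a values file that still uses the old key would be ignored and generate rules that relied on it would start failing with RBAC errors after the upgrade.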

View file

@ -1,16 +0,0 @@
{{- if .Values.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}

View file

@ -0,0 +1,64 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.config.configMapName" -}}
{{- if .Values.config.create -}}
{{ default (include "kyverno.fullname" .) .Values.config.name }}
{{- else -}}
{{ required "A configmap name is required when `config.create` is set to `false`" .Values.config.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.config.metricsConfigMapName" -}}
{{- if .Values.metricsConfig.create -}}
{{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.metricsConfig.name }}
{{- else -}}
{{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.metricsConfig.name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.config.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.config.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.config.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "config")
) -}}
{{- end -}}
{{- define "kyverno.config.resourceFilters" -}}
{{- $resourceFilters := .Values.config.resourceFilters -}}
{{- if .Values.config.excludeKyvernoNamespace -}}
{{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}}
{{- end -}}
{{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces -}}
{{- range $filter := $resourceFilters -}}
{{- if (contains (printf ",%s," $exclude) $filter) -}}
{{- $resourceFilters = without $resourceFilters $filter -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- range $resourceFilter := $resourceFilters }}
{{ tpl $resourceFilter $ }}
{{- end -}}
{{- end -}}
{{- define "kyverno.config.webhooks" -}}
{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
{{- $newWebhook := list }}
{{- range $webhook := .Values.config.webhooks }}
{{- $namespaceSelector := default dict $webhook.namespaceSelector }}
{{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
{{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
{{- end }}
{{- $newWebhook | toJson }}
{{- end -}}
{{- define "kyverno.config.imagePullSecret" -}}
{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
{{- end -}}
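Review bot: `kyverno.config.imagePullSecret` on L3109 assembles the `.dockerconfigjson` document with `printf` and never JSON-escapes `.registry` or `.username`, so a value containing `"` or `\` yields a Secret the kubelet cannot parse at pull time; build it as a map and serialize it instead, e.g. `dict "auths" (dict .registry (dict "auth" (printf "%s:%s" .username .password | b64enc))) | toJson | b64enc`. Worth stating next to the value as well: credentials passed this way are plain text in the values file and are therefore stored in the Helm release secret in addition to the generated Secret, so for real registry credentials the `existingImagePullSecrets` path is the one to recommend.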

View file

@ -0,0 +1,45 @@
{{- if .Values.config.create -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kyverno.config.configMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.config.labels" . | nindent 4 }}
{{- with .Values.config.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }}
{{- with .Values.config.defaultRegistry }}
defaultRegistry: {{ . | quote }}
{{- end }}
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
{{- with .Values.config.excludeGroups }}
excludeGroups: {{ join "," . | quote }}
{{- end -}}
{{- with .Values.config.excludeUsernames }}
excludeUsernames: {{ join "," . | quote }}
{{- end -}}
{{- with .Values.config.excludeRoles }}
excludeRoles: {{ join "," . | quote }}
{{- end -}}
{{- with .Values.config.excludeClusterRoles }}
excludeClusterRoles: {{ join "," . | quote }}
{{- end -}}
{{- if .Values.config.resourceFilters }}
resourceFilters: >-
{{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }}
{{- end -}}
{{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }}
webhooks: {{ include "kyverno.config.webhooks" . | quote }}
{{- else if .Values.config.webhooks }}
webhooks: {{ .Values.config.webhooks | toJson | quote }}
{{- else if .Values.config.excludeKyvernoNamespace }}
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
{{- end -}}
{{- with .Values.config.webhookAnnotations }}
webhookAnnotations: {{ toJson . | quote }}
{{- end }}
{{- end -}}
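Review bot: the default `webhooks` value on L3154, and the `NotIn` expression `kyverno.config.webhooks` appends when `config.excludeKyvernoNamespace` is set, exempt Kyverno's own namespace from every admission webhook, so anything a user can create in that namespace bypasses all policies. That is the intended self-protection, but this hunk is also where `excludeGroups`, `excludeUsernames`, `excludeRoles` and `excludeClusterRoles` (L3133-L3144) are rendered, so it is the chart's complete admission-bypass surface in one place; add a comment in the template or values file saying so, and have the README state that write access to the Kyverno namespace and membership of any excluded group or role must be treated as cluster-admin-equivalent.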

View file

@ -6,8 +6,8 @@ metadata:
name: {{ $name }}
namespace: {{ template "kyverno.namespace" $ }}
labels:
{{- include "kyverno.labels" $ | nindent 4 }}
{{- include "kyverno.config.labels" $ | nindent 4 }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }}
.dockerconfigjson: {{ template "kyverno.config.imagePullSecret" $secret }}
{{ end }}

View file

@ -0,0 +1,20 @@
{{- if .Values.metricsConfig.create -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kyverno.config.metricsConfigMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.config.labels" . | nindent 4 }}
{{- with .Values.metricsConfig.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- with .Values.metricsConfig.namespaces }}
namespaces: {{ toJson . | quote }}
{{- end }}
{{- with .Values.metricsConfig.metricsRefreshInterval }}
metricsRefreshInterval: {{ . }}
{{- end }}
{{- end -}}
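Review bot: the template this replaces always wrote `namespaces` and `metricsRefreshInterval` via its fallback (L3552-L3554), whereas this one emits a bare `data:` (rendered as null) when both `metricsConfig.namespaces` and `metricsConfig.metricsRefreshInterval` are unset; Kubernetes accepts that, but the controller now has to tolerate a missing `namespaces` key, so either keep the defaults in values.yaml or confirm the loader treats an absent key as include-all. Also `metricsRefreshInterval: {{ . }}` on L3195 is unquoted, so a value such as `30` becomes a YAML integer where the controller expects a duration string; `quote` it.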

View file

@ -1,34 +0,0 @@
{{- if (not .Values.config.existingConfig) }}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- with .Values.config.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "kyverno.configMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
data:
# resource types to be skipped by kyverno policy engine
{{- if .Values.config.resourceFilters }}
resourceFilters: {{ include "kyverno.resourceFilters" . | quote }}
{{- end -}}
{{- if .Values.config.excludeGroupRole }}
excludeGroupRole: {{ join "," .Values.config.excludeGroupRole | quote }}
{{- end -}}
{{- if .Values.config.excludeUsername }}
excludeUsername: {{ join "," .Values.config.excludeUsername | quote }}
{{- end -}}
{{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }}
webhooks: {{ include "kyverno.webhooks" . | quote }}
{{- else if .Values.config.webhooks }}
webhooks: {{ .Values.config.webhooks | toJson | quote }}
{{- else if .Values.excludeKyvernoNamespace }}
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
{{- end -}}
{{- if .Values.config.generateSuccessEvents }}
generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
{{- end -}}
{{- end -}}
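Review bot: the keys removed here are renamed rather than dropped (`excludeGroupRole` on L3219 becomes `excludeGroups`, `excludeRoles` and `excludeClusterRoles`; `excludeUsername` on L3222 becomes `excludeUsernames`; `.Values.excludeKyvernoNamespace` on L3225 moves to `.Values.config.excludeKyvernoNamespace`; `config.existingConfig` on L3202 is replaced by `config.create` and `config.name`). Unless a values schema rejects the old names, a values file that still uses them renders without error and produces a ConfigMap with none of the user's exclusions, which silently changes what the admission webhooks enforce. List each rename in the README's `Migrating from v2 to v3` section and consider a `fail` guard on the old keys so the upgrade aborts instead of dropping them.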

View file

@ -0,0 +1,15 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.crds.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.crds.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.crds.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "crds")
) -}}
{{- end -}}

View file

@ -1,174 +0,0 @@
{{- if not .Values.templating.debug -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.fullname" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- with .Values.replicaCount }}
replicas: {{ . }}
{{- end }}
selector:
matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
strategy:
{{ toYaml .Values.updateStrategy | nindent 4 | trim }}
{{- end }}
template:
metadata:
labels:
{{- include "kyverno.labels" . | nindent 8 }}
{{- range $key, $value := .Values.podLabels }}
{{ $key }}: {{ $value }}
{{- end }}
{{- with .Values.podAnnotations }}
annotations: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
spec:
{{- with .Values.image.pullSecrets }}
imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }}
affinity:
{{- if .Values.antiAffinity.enable }}
{{- with .Values.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "kyverno.serviceAccountName" . }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: {{ .Values.hostNetwork }}
{{- end }}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
initContainers:
{{- if .Values.extraInitContainers }}
{{- toYaml .Values.extraInitContainers | nindent 8 }}
{{- end }}
- name: kyverno-pre
image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
{{- if .Values.initContainer.extraArgs }}
args:
{{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}
{{- end }}
{{- with .Values.initResources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
{{- end }}
env:
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_DEPLOYMENT
value: {{ template "kyverno.fullname" . }}
{{- with .Values.envVarsInit }}
{{- toYaml . | nindent 10 }}
{{- end }}
containers:
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 8 }}
{{- end }}
- name: kyverno
image: {{ include "kyverno.image" (dict "image" .Values.image "defaultTag" .Chart.AppVersion) | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or .Values.extraArgs .Values.imagePullSecrets }}
args:
{{- if .Values.extraArgs -}}
{{ tpl (toYaml .Values.extraArgs) . | nindent 12 }}
{{- end }}
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- end }}
{{- with .Values.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- if .Values.securityContext }}
securityContext: {{ include "kyverno.securityContext" . | nindent 12 }}
{{- end }}
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
env:
- name: INIT_CONFIG
value: {{ template "kyverno.configMapName" . }}
- name: METRICS_CONFIG
value: {{ template "kyverno.metricsConfigMapName" . }}
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: {{ template "kyverno.serviceAccountName" . }}
- name: KYVERNO_SVC
value: {{ template "kyverno.serviceName" . }}
- name: TUF_ROOT
value: {{ .Values.tufRootMountPath }}
{{- with .Values.envVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: KYVERNO_DEPLOYMENT
value: {{ template "kyverno.fullname" . }}
{{- with .Values.startupProbe }}
startupProbe: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.livenessProbe }}
livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.tufRootMountPath }}
name: sigstore
volumes:
- name: sigstore
emptyDir: {}
{{- end -}}

View file

@ -2,7 +2,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kyverno.configMapName" . }}-grafana
name: {{ tpl .Values.grafana.configMapName . }}
namespace: {{ default (include "kyverno.namespace" .) .Values.grafana.namespace }}
annotations:
{{- toYaml .Values.grafana.annotations | nindent 4 }}

View file

@ -1,26 +0,0 @@
{{- if .Values.webhooksCleanup.enable }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-pre-delete
labels:
{{- include "kyverno.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
template:
spec:
serviceAccount: {{ template "kyverno.serviceAccountName" . }}
containers:
- name: kubectl
image: {{ .Values.webhooksCleanup.image }}
command:
- sh
- '-c'
- >-
kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno;
kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno;
restartPolicy: Never
backoffLimit: 2
{{- end }}

View file

@ -0,0 +1,15 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.hooks.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.hooks.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.hooks.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "hooks")
) -}}
{{- end -}}

View file

@ -0,0 +1,33 @@
{{- if .Values.webhooksCleanup.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kyverno.fullname" . }}-hook-pre-delete
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.hooks.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
spec:
backoffLimit: 2
template:
spec:
serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
restartPolicy: Never
{{- with .Values.webhooksCleanup.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: kubectl
image: {{ .Values.webhooksCleanup.image }}
command:
- sh
- '-c'
- |-
kubectl scale -n {{ template "kyverno.namespace" . }} deployment --all --replicas=0
sleep 30
kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
{{- end -}}
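Review bot: `kubectl scale -n ... deployment --all --replicas=0` on L3522 scales down every Deployment in the release namespace, not only Kyverno's, so uninstalling from a shared namespace takes unrelated workloads offline; select the chart's own deployments by label instead of `--all`. The fixed `sleep 30` on L3523 is a race: if the controller pods take longer to terminate, the webhook configurations are deleted on L3524-L3525 while a controller is still running and can recreate them, which is presumably what the scale-down was added to prevent, leaving webhook configurations that point at a Service the uninstall then removes; replace the sleep with `kubectl wait --for=delete pod -l ...` on the same selector. Also `serviceAccount:` on L3509 is the deprecated alias of `serviceAccountName:`, the scale step needs the admission controller's role to allow updating `deployments/scale`, which this section does not show, and the values key changed from `webhooksCleanup.enable` (L3447) to `webhooksCleanup.enabled` (L3494), so a user carrying the old key gets no cleanup hook at all; that rename belongs in the migration section.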

View file

@ -1,26 +0,0 @@
{{- if (not .Values.config.existingMetricsConfig) }}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- with .Values.config.metricsConfig.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "kyverno.metricsConfigMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- if .Values.config.metricsConfig }}
data:
{{- if .Values.config.metricsConfig.namespaces }}
namespaces: {{ .Values.config.metricsConfig.namespaces | toJson | quote }}
{{- end -}}
{{- if .Values.config.metricsConfig.metricsRefreshInterval }}
metricsRefreshInterval: {{ .Values.config.metricsConfig.metricsRefreshInterval }}
{{- end -}}
{{- else }}
data:
namespaces: '{"include": [], "exclude": []}'
metricsRefreshInterval: 0s
{{- end }}
{{- end -}}

View file

@ -1,8 +0,0 @@
{{- if .Values.templating.enabled -}}
apiVersion: v1
kind: Namespace
metadata:
labels:
{{- include "kyverno.labels" . | nindent 4 }}
name: {{ template "kyverno.fullname" . }}
{{- end -}}

View file

@ -1,33 +0,0 @@
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{- include "kyverno.labels" . | nindent 4 }}
name: {{ template "kyverno.fullname" . }}
namespace: {{ template "kyverno.namespace" . }}
spec:
podSelector:
matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
policyTypes:
- Ingress
{{- if .Values.networkPolicy.ingressFrom }}
ingress:
- from:
{{- with .Values.networkPolicy.ingressFrom }}
{{- toYaml . | nindent 4 }}
{{- end }}
ports:
- protocol: TCP
port: 9443 # webhook access
# Allow prometheus scrapes for metrics
{{- if .Values.metricsService.create }}
- protocol: TCP
port: {{ .Values.metricsService.port }}
{{- end }}
{{- else }}
ingress:
- {}
{{- end }}
{{- end }}

View file

@ -1,18 +0,0 @@
{{- if (gt (int .Values.replicaCount) 1) }}
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.fullname" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
spec:
{{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }}
selector:
matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
{{- end }}

View file

@ -0,0 +1,28 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.rbac.labels.admin" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.rbac.matchLabels" .)
"rbac.authorization.k8s.io/aggregate-to-admin: 'true'"
) -}}
{{- end -}}
{{- define "kyverno.rbac.labels.view" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.rbac.matchLabels" .)
"rbac.authorization.k8s.io/aggregate-to-view: 'true'"
) -}}
{{- end -}}
{{- define "kyverno.rbac.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "rbac")
) -}}
{{- end -}}
{{- define "kyverno.rbac.roleName" -}}
{{ include "kyverno.fullname" . }}:rbac
{{- end -}}

View file

@ -0,0 +1,43 @@
{{- if .Values.admissionController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:admin:policies
labels:
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- cleanuppolicies
- clustercleanuppolicies
- policies
- clusterpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:view:policies
labels:
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- cleanuppolicies
- clustercleanuppolicies
- policies
- clusterpolicies
verbs:
- get
- list
- watch
{{- end -}}
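Review bot: the `rbac.authorization.k8s.io/aggregate-to-admin` label set by `kyverno.rbac.labels.admin` (L3637, applied on L3666) folds create/delete/patch/update on `policies`, `clusterpolicies`, `cleanuppolicies` and `clustercleanuppolicies` into Kubernetes' built-in `admin` ClusterRole, so every subject with an `admin` RoleBinding can now author namespaced policies in their namespace and any subject with a ClusterRoleBinding to `admin` can author cluster-wide ones. That is a real change in who controls the admission path, and it is gated only by `admissionController.rbac.create` (L3660); add a separate toggle for the aggregated admin roles and mention it in the README migration section so teams that keep policy authorship with a platform group can opt out. The `view` aggregation on L3687-L3701 is fine as is.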

View file

@ -0,0 +1,39 @@
{{- if .Values.admissionController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports
labels:
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
rules:
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- clusterpolicyreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports
labels:
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
rules:
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- clusterpolicyreports
verbs:
- get
- list
- watch
{{- end -}}

View file

@ -0,0 +1,43 @@
{{- if .Values.admissionController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:admin:reports
labels:
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:view:reports
labels:
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- get
- list
- watch
{{- end -}}

View file

@ -0,0 +1,37 @@
{{- if .Values.admissionController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests
labels:
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- updaterequests
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests
labels:
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
rules:
- apiGroups:
- kyverno.io
resources:
- updaterequests
verbs:
- get
- list
- watch
{{- end -}}
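Review bot: granting the aggregated `admin` role create/delete/patch/update on `updaterequests` (L3805-L3816) hands end users write access to a controller-internal work queue: UpdateRequests are consumed by Kyverno's controllers, under their own more privileged service accounts, to apply policy results in the background, so a user who can create or edit them can at least inject work into a privileged controller. Unless a documented operator workflow needs writes, limit `admin` to get/list/watch here (as the `:view` role on L3821-L3832 already does) and keep the write verbs with the controllers.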

View file

@ -0,0 +1,39 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.reports-controller.name" -}}
{{ template "kyverno.name" . }}-reports-controller
{{- end -}}
{{- define "kyverno.reports-controller.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.reports-controller.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.reports-controller.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "reports-controller")
) -}}
{{- end -}}
{{- define "kyverno.reports-controller.image" -}}
{{- if .image.registry -}}
{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- else -}}
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- end -}}
{{- end -}}
{{- define "kyverno.reports-controller.roleName" -}}
{{ include "kyverno.fullname" . }}:reports-controller
{{- end -}}
{{- define "kyverno.reports-controller.serviceAccountName" -}}
{{- if .Values.reportsController.rbac.create -}}
{{ default (include "kyverno.reports-controller.name" .) .Values.reportsController.rbac.serviceAccount.name }}
{{- else -}}
{{ required "A service account name is required when `rbac.create` is set to `false`" .Values.reportsController.rbac.serviceAccount.name }}
{{- end -}}
{{- end -}}
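Review bot: the `required` message on L3868 tells the user to set `rbac.create`, but the key actually tested is `reportsController.rbac.create`, so in the new per-component values layout the error points at the wrong place; name the full key. Two smaller points in the same file: `kyverno.reports-controller.image` (L3854-L3860) can only produce `repository:tag` references, so the policy engine's own image cannot be pinned by digest, which is what an image-verification policy on the cluster would want; accept an optional `.image.digest` and emit `repository@sha256:...` when it is set. And naming is mixed: the Deployment and service account use `kyverno.name` (L3840) while the ClusterRole uses `kyverno.fullname` (L3862); the cluster-scoped object is the one that must be release-qualified, and it is, but the chart-name-derived SA name will not follow a `fullnameOverride`, so use one helper for all names.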

View file

@ -0,0 +1,90 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.reports-controller.roleName" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
{{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.reports-controller.roleName" . }}:core
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
resources:
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- patch
{{- with .Values.reportsController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.reports-controller.roleName" $ }}:additional
labels:
{{- include "kyverno.reports-controller.labels" $ | nindent 4 }}
rules:
{{- range . }}
- apiGroups:
{{- toYaml .apiGroups | nindent 6 }}
resources:
{{- toYaml .resources | nindent 6 }}
verbs:
- get
- list
- watch
{{- end }}
{{- end }}
{{- end }}
{{- end }}
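Review bot: the `:additional` ClusterRole rendered from `reportsController.rbac.clusterRole.extraResources` (L3943-L3961) is a no-op, because `:core` on L3895-L3902 already grants get/list/watch on resource `'*'` in API group `'*'`; either `:core` should enumerate the resources the reports controller actually scans and let `extraResources` widen the list, or the value should be removed. That wildcard also covers `secrets`, so this service account can read every Secret in the cluster and a compromise of the reports-controller pod yields all cluster credentials; RBAC has no deny rule, so the only way to exclude secrets is to enumerate resources in `:core` rather than use `'*'`.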

View file

@ -0,0 +1,18 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.reports-controller.roleName" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.reports-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}

View file

@ -0,0 +1,154 @@
{{- if .Values.reportsController.enabled -}}
{{- if not .Values.templating.debug -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "kyverno.reports-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
spec:
replicas: {{ template "kyverno.deployment.replicas" .Values.reportsController.replicas }}
{{- with .Values.reportsController.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 8 }}
{{- with .Values.reportsController.podLabels }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.reportsController.podAnnotations }}
annotations: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
spec:
{{- with .Values.reportsController.imagePullSecrets }}
imagePullSecrets:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.reportsController.podSecurityContext }}
securityContext:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.reportsController.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.reportsController.tolerations }}
tolerations:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.reportsController.topologySpreadConstraints }}
topologySpreadConstraints:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.reportsController.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- with .Values.reportsController.hostNetwork }}
hostNetwork: {{ . }}
{{- end }}
{{- with .Values.reportsController.dnsPolicy }}
dnsPolicy: {{ . }}
{{- end }}
{{- if or .Values.reportsController.antiAffinity.enabled .Values.reportsController.podAffinity .Values.reportsController.nodeAffinity }}
affinity:
{{- if .Values.reportsController.antiAffinity.enabled }}
{{- with .Values.reportsController.podAntiAffinity }}
podAntiAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
{{- with .Values.reportsController.podAffinity }}
podAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- with .Values.reportsController.nodeAffinity }}
nodeAffinity:
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "kyverno.reports-controller.serviceAccountName" . }}
containers:
- name: controller
image: {{ include "kyverno.reports-controller.image" (dict "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }}
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
{{- if .Values.reportsController.tracing.enabled }}
- --enableTracing
- --tracingAddress={{ .Values.reportsController.tracing.address }}
- --tracingPort={{ .Values.reportsController.tracing.port }}
{{- with .Values.reportsController.tracing.creds }}
- --tracingCreds={{ . }}
{{- end }}
{{- end }}
- --disableMetrics={{ .Values.reportsController.metering.disabled }}
{{- if not .Values.reportsController.metering.disabled }}
- --otelConfig={{ .Values.reportsController.metering.config }}
- --metricsPort={{ .Values.reportsController.metering.port }}
{{- with .Values.reportsController.metering.collector }}
- --otelCollector={{ . }}
{{- end }}
{{- with .Values.reportsController.metering.creds }}
- --transportCreds={{ . }}
{{- end }}
{{- end }}
{{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
- --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
{{- end }}
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride)
"admissionReports"
"backgroundScan"
"configMapCaching"
"logging"
"omitEvents"
"policyExceptions"
"reports"
"registryClient"
) | nindent 12 }}
{{- range $key, $value := .Values.reportsController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- end }}
{{- end }}
env:
- name: INIT_CONFIG
value: {{ template "kyverno.config.configMapName" . }}
- name: METRICS_CONFIG
value: {{ template "kyverno.config.metricsConfigMapName" . }}
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: TUF_ROOT
value: {{ .Values.reportsController.tufRootMountPath }}
{{- with .Values.reportsController.resources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.reportsController.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.reportsController.tufRootMountPath }}
name: sigstore
volumes:
- name: sigstore
{{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }}
{{- end -}}
{{- end -}}
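Review bot: in the `extraArgs` loop, `{{- if $value }}` drops any entry whose value is falsy (`false`, `0`, `""`), so an operator who explicitly sets a boolean flag to `false` gets neither the argument nor an error; consider rendering every key and testing only for nil (for example `{{- if not (kindIs "invalid" $value) }}`), or documenting that falsy values are skipped. Separately, the container `securityContext` is emitted only inside `{{- with .Values.reportsController.securityContext }}`, so the hardening of this pod (non-root, read-only root filesystem, dropped capabilities) depends entirely on the default in values.yaml; confirm that default exists, since clearing the value would silently remove it.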


@ -0,0 +1,30 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.networkPolicy.enabled -}}
{{- if .Values.reportsController.metricsService.create -}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "kyverno.reports-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
policyTypes:
- Ingress
{{- if .Values.reportsController.networkPolicy.ingressFrom }}
ingress:
- from:
{{- toYaml .Values.reportsController.networkPolicy.ingressFrom | nindent 8 }}
ports:
- protocol: TCP
port: {{ .Values.reportsController.metricsService.port }}
{{- else }}
ingress:
- {}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
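Review bot: the NetworkPolicy is gated on `.Values.reportsController.metricsService.create` as well as `networkPolicy.enabled`, so with the metrics Service disabled no policy is rendered at all and the pod is left with whatever the namespace default allows; render the policy whenever `networkPolicy.enabled` is true and make only the metrics port rule conditional. Note also that the `{{- else }}` branch (`ingress: - {}`) admits traffic from anywhere on every port, so enabling the policy without `ingressFrom` is permissive rather than restrictive; that deserves a comment next to the value in values.yaml.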


@ -0,0 +1,16 @@
{{- if .Values.reportsController.enabled -}}
{{- if (gt (int .Values.reportsController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "kyverno.reports-controller.name" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
spec:
{{- include "kyverno.pdb.spec" .Values.reportsController.podDisruptionBudget | nindent 2 }}
selector:
matchLabels:
{{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
{{- end -}}
{{- end -}}


@ -0,0 +1,33 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.reports-controller.roleName" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
rules:
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
resourceNames:
- {{ include "kyverno.config.configMapName" . }}
- {{ include "kyverno.config.metricsConfigMapName" . }}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
{{- end -}}
{{- end -}}
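Review bot: restricting `list` and `watch` on configmaps by `resourceNames` is only honored by the API server when the request carries a `metadata.name` field selector matching one of those names; a plain namespaced list or watch of configmaps is forbidden under this Role. Confirm that the reports controller's informers for `INIT_CONFIG` and `METRICS_CONFIG` use such a selector, otherwise the controller starts but cannot read its configuration. The scoping itself is the right least-privilege shape; the leases grant without `resourceNames` is the usual leader-election pattern and is fine.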


@ -0,0 +1,19 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.rbac.create -}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.reports-controller.roleName" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.reports-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end -}}
{{- end -}}


@ -0,0 +1,27 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.metricsService.create -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.reports-controller.name" . }}-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
{{- with .Values.reportsController.metricsService.annotations }}
annotations:
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.reportsController.metricsService.port }}
targetPort: 8000
protocol: TCP
name: metrics-port
{{- if and (eq .Values.reportsController.metricsService.type "NodePort") (not (empty .Values.reportsController.metricsService.nodePort)) }}
nodePort: {{ .Values.reportsController.metricsService.nodePort }}
{{- end }}
selector:
{{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }}
type: {{ .Values.reportsController.metricsService.type }}
{{- end -}}
{{- end -}}


@ -0,0 +1,15 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.rbac.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
{{- with .Values.reportsController.rbac.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
{{- end -}}


@ -0,0 +1,34 @@
{{- if .Values.reportsController.enabled -}}
{{- if .Values.reportsController.serviceMonitor.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "kyverno.reports-controller.name" . }}
{{- if .Values.reportsController.serviceMonitor.namespace }}
namespace: {{ .Values.reportsController.serviceMonitor.namespace }}
{{- else }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
labels:
{{- include "kyverno.reports-controller.labels" . | nindent 4 }}
{{- with .Values.reportsController.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "kyverno.namespace" . }}
endpoints:
- port: metrics-port
interval: {{ .Values.reportsController.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.reportsController.serviceMonitor.scrapeTimeout }}
{{- if .Values.reportsController.serviceMonitor.secure }}
scheme: https
tlsConfig:
{{- toYaml .Values.reportsController.serviceMonitor.tlsConfig | nindent 8 }}
{{- end }}
{{- end -}}
{{- end -}}
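Review bot: with `serviceMonitor.secure: true` the endpoint is scraped with `scheme: https` on `metrics-port`, yet the chart's own metrics test for this controller fetches `http://...-metrics:<port>/metrics`; unless the controller actually serves TLS on container port 8000, `secure` will only produce scrape failures. Either document the precondition in values.yaml or keep the test and the monitor consistent. Also, `{{- toYaml .Values.reportsController.serviceMonitor.tlsConfig | nindent 8 }}` renders `tlsConfig: null` when `tlsConfig` is unset; wrap it in `with` so an empty value produces no key.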


@ -1,31 +0,0 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- patch
- update
# Allow update of Kyverno deployment annotations
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- patch
- update
- watch
{{- end }}
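Review bot: removing this Role also removes the `apps/deployments` get/list/patch/update/watch grant that the comment ties to updating Kyverno deployment annotations; the reports-controller Role added in this commit grants only configmaps and leases, so either that behaviour was dropped in this release or the grant now lives in a ClusterRole not shown here. Worth confirming before release, because a missing grant surfaces only as forbidden errors at runtime, not at install time.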


@ -1,17 +0,0 @@
{{- if .Values.rbac.create }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:leaderelection
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.fullname" . }}:leaderelection
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}


@ -1,47 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.service.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.service.port }}
targetPort: https
protocol: TCP
name: https
{{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
{{- include "kyverno.matchLabels" . | nindent 4 }}
type: {{ .Values.service.type }}
---
{{- if .Values.metricsService.create }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}-metrics
labels:
{{- include "kyverno.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.metricsService.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.metricsService.port }}
targetPort: 8000
protocol: TCP
name: metrics-port
{{- if and (eq .Values.metricsService.type "NodePort") (not (empty .Values.metricsService.nodePort)) }}
nodePort: {{ .Values.metricsService.nodePort }}
{{- end }}
selector:
{{- include "kyverno.matchLabels" . | nindent 4 }}
type: {{ .Values.metricsService.type }}
{{- end -}}


@ -1,12 +0,0 @@
{{- if .Values.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kyverno.serviceAccountName" . }}
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- if .Values.rbac.serviceAccount.annotations }}
annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
{{- end }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}


@ -1,32 +0,0 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels:
{{- include "kyverno.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ template "kyverno.serviceName" . }}-service-monitor
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- else }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "kyverno.namespace" . }}
endpoints:
- port: metrics-port
interval: {{ .Values.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- if .Values.serviceMonitor.secure }}
scheme: https
tlsConfig:
{{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
{{- end }}
{{- end }}


@ -0,0 +1,27 @@
{{/* vim: set filetype=mustache: */}}
{{- define "kyverno.test.labels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.labels.common" .)
(include "kyverno.test.matchLabels" .)
) -}}
{{- end -}}
{{- define "kyverno.test.matchLabels" -}}
{{- template "kyverno.labels.merge" (list
(include "kyverno.matchLabels.common" .)
(include "kyverno.labels.component" "test")
) -}}
{{- end -}}
{{- define "kyverno.test.annotations" -}}
helm.sh/hook: test
{{- end -}}
{{- define "kyverno.test.image" -}}
{{- template "kyverno.image" (dict "image" .Values.test.image "defaultTag" "latest") -}}
{{- end -}}
{{- define "kyverno.test.imagePullPolicy" -}}
{{- default .Values.admissionController.container.image.pullPolicy .Values.test.image.pullPolicy -}}
{{- end -}}
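Review bot: `kyverno.test.image` falls back to the mutable `latest` tag when `.Values.test.image.tag` is unset, so the hook pods run whatever that tag currently points at; pin a default tag (or digest) in values.yaml so the test image is reproducible and not silently swapped under the chart. The `kyverno.test.imagePullPolicy` fallback to the admission controller's pull policy is reasonable, but a `latest` tag with `IfNotPresent` means different nodes may run different images.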


@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kyverno.fullname" . }}-admission-controller-liveness
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.test.labels" . | nindent 4 }}
annotations:
{{- include "kyverno.test.annotations" . | nindent 4 }}
spec:
restartPolicy: Never
containers:
- name: test
image: {{ template "kyverno.test.image" . }}
imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
{{- with .Values.test.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.test.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/liveness
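Review bot: the test pod sets no `serviceAccountName` and does not set `automountServiceAccountToken: false`, so it runs under the namespace's `default` ServiceAccount with its token mounted even though the probe only needs network reachability to the admission controller Service; add `automountServiceAccountToken: false` to the pod spec (the same applies to the other hook pods in this commit). The `--no-check-certificate` is understandable for the self-signed webhook certificate, but it means the test verifies reachability only, not the identity of the endpoint.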


@ -0,0 +1,29 @@
{{- if .Values.admissionController.metricsService.create -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kyverno.fullname" . }}-admission-controller-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.test.labels" . | nindent 4 }}
annotations:
{{- include "kyverno.test.annotations" . | nindent 4 }}
spec:
restartPolicy: Never
containers:
- name: test
image: {{ template "kyverno.test.image" . }}
imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
{{- with .Values.test.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.test.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.metricsService.port }}/metrics
{{- end -}}


@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kyverno.fullname" . }}-admission-controller-readiness
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.test.labels" . | nindent 4 }}
annotations:
{{- include "kyverno.test.annotations" . | nindent 4 }}
spec:
restartPolicy: Never
containers:
- name: test
image: {{ template "kyverno.test.image" . }}
imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
{{- with .Values.test.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.test.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/readiness


@ -0,0 +1,29 @@
{{- if .Values.cleanupController.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kyverno.fullname" . }}-cleanup-controller-liveness
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.test.labels" . | nindent 4 }}
annotations:
{{- include "kyverno.test.annotations" . | nindent 4 }}
spec:
restartPolicy: Never
containers:
- name: test
image: {{ template "kyverno.test.image" . }}
imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
{{- with .Values.test.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.test.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/liveness
{{- end -}}


@ -0,0 +1,29 @@
{{- if and .Values.cleanupController.enabled .Values.cleanupController.metricsService.create -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kyverno.fullname" . }}-cleanup-controller-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.test.labels" . | nindent 4 }}
annotations:
{{- include "kyverno.test.annotations" . | nindent 4 }}
spec:
restartPolicy: Never
containers:
- name: test
image: {{ template "kyverno.test.image" . }}
imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
{{- with .Values.test.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.test.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.cleanup-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.metricsService.port }}/metrics
{{- end -}}


@ -0,0 +1,29 @@
{{- if .Values.cleanupController.enabled -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kyverno.fullname" . }}-cleanup-controller-readiness
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.test.labels" . | nindent 4 }}
annotations:
{{- include "kyverno.test.annotations" . | nindent 4 }}
spec:
restartPolicy: Never
containers:
- name: test
image: {{ template "kyverno.test.image" . }}
imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
{{- with .Values.test.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.test.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/readiness
{{- end -}}


@ -0,0 +1,29 @@
{{- if and .Values.reportsController.enabled .Values.reportsController.metricsService.create -}}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "kyverno.fullname" . }}-reports-controller-metrics
namespace: {{ template "kyverno.namespace" . }}
labels:
{{- include "kyverno.test.labels" . | nindent 4 }}
annotations:
{{- include "kyverno.test.annotations" . | nindent 4 }}
spec:
restartPolicy: Never
containers:
- name: test
image: {{ template "kyverno.test.image" . }}
imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
{{- with .Values.test.resources }}
resources:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.test.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.reports-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.reportsController.metricsService.port }}/metrics
{{- end -}}


@ -1,39 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ template "kyverno.fullname" . }}-test"
labels:
{{- include "kyverno.test-labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
restartPolicy: Never
containers:
- name: wget
image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
{{- with .Values.testResources }}
resources: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.testSecurityContext }}
securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- |
sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}:{{ .Values.service.port }}/health/liveness
- name: wget-metrics
image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
{{- with .Values.testResources }}
resources: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.testSecurityContext }}
securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- |
sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.serviceName" . }}-metrics:{{ .Values.metricsService.port }}/metrics


@ -1,13 +1,30 @@
{{- if hasKey .Values "mode" }}
{{ fail "mode is not supported anymore, please remove it from your release and use replicaCount instead." }}
{{- end }}
{{- if hasKey .Values "mode" -}}
{{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}}
{{- end -}}
{{- if .Values.replicaCount }}
{{- if eq (int .Values.replicaCount) 2 }}
{{ fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." }}
{{- end }}
{{- end }}
{{- if .Values.admissionController.replicas -}}
{{- if eq (int .Values.admissionController.replicas) 2 -}}
{{- fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." -}}
{{- end -}}
{{- end -}}
{{- if eq (include "kyverno.namespace" .) "kube-system" }}
{{ fail "Kyverno cannot be installed in namespace kube-system." }}
{{- end }}
{{- if eq (include "kyverno.namespace" .) "kube-system" -}}
{{- fail "Kyverno cannot be installed in namespace kube-system." -}}
{{- end -}}
{{- if not .Values.upgrade.fromV2 -}}
{{- $v2 := lookup "apps/v1" "Deployment" (include "kyverno.namespace" .) (include "kyverno.fullname" .) -}}
{{- if $v2 -}}
{{- fail (join "\n" (list
""
""
" +--------------------------------------------------------------------------------------------------------------------------------------+"
" | An earlier Helm installation of Kyverno was detected. |"
" | Given this chart version has significant breaking changes, the upgrade has been blocked. |"
" | Please review the release notes and chart README section and then, once prepared, set `upgrade.fromV2: true` once ready to proceed. |"
" +--------------------------------------------------------------------------------------------------------------------------------------+"
""
))
-}}
{{- end -}}
{{- end -}}
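Review bot: the v2 detection relies on `lookup`, which returns an empty result under `helm template`, client-side `--dry-run`, and GitOps renderers that do not contact the API server, so the guard will not fire there and a later `helm upgrade` against the cluster is the first place it blocks; document that `upgrade.fromV2` must be set at upgrade time rather than validated in CI. The check also assumes no v3 component reuses the bare `{{ include "kyverno.fullname" . }}` Deployment name (the hook pods in this commit use `<fullname>-admission-controller` style names), otherwise every v3-to-v3 upgrade would be blocked; a short comment recording that assumption next to the `lookup` would help future maintainers.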
