generated from onedr0p/cluster-template
feat(kubernetes): install kyverno #462
Merged
Merged
--- HelmRelease: kyverno-system/kyverno PodDisruptionBudget: kyverno-system/kyverno-admission-controller
+++ HelmRelease: kyverno-system/kyverno PodDisruptionBudget: kyverno-system/kyverno-admission-controller
@@ -0,0 +1,19 @@
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: kyverno-admission-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+
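Review bot: `minAvailable: 1` on this PodDisruptionBudget refuses voluntary eviction of the last admission-controller pod; if the matching Deployment runs a single replica (the Deployment is not among the visible hunks), a node drain on the node hosting that pod will hang until the pod is moved by hand. If one replica is intended, either disable the PDB or raise replicas to at least 2 in the HelmRelease values, and record the choice next to it, e.g. `# admission-controller: 2 replicas so the PDB (minAvailable: 1) does not block drains`. The webhook failurePolicy, which decides what happens to admission while that pod is unavailable, is also outside this diff.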
--- HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-admission-controller
+++ HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-admission-controller
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-admission-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-background-controller
+++ HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-background-controller
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-background-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-cleanup-controller
+++ HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-cleanup-controller
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-cleanup-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-cleanup-jobs
+++ HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-cleanup-jobs
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-cleanup-jobs
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-reports-controller
+++ HelmRelease: kyverno-system/kyverno ServiceAccount: kyverno-system/kyverno-reports-controller
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kyverno-reports-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ConfigMap: kyverno-system/kyverno-grafana-grafana
+++ HelmRelease: kyverno-system/kyverno ConfigMap: kyverno-system/kyverno-grafana-grafana
@@ -0,0 +1,2889 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kyverno-grafana-grafana
+ namespace: kyverno-system
+ annotations:
+ grafana_folder: ''
+ labels:
+ grafana_dashboard: '1'
+data:
+ dashboard.json: |
+ {
+ "__inputs": [
+ {
+ "name": "DS_PROMETHEUS_KYVERNO",
+ "label": "Prometheus Data Source exposing Kyverno's metrics",
+ "description": "Prometheus Data Source exposing Kyverno's metrics",
+ "type": "datasource"
+ }
+ ],
+ "annotations": {
+ "list": [
+ {
+ "builtIn": 1,
+ "datasource": "-- Grafana --",
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "target": {
+ "limit": 100,
+ "matchAny": false,
+ "tags": [],
+ "type": "dashboard"
+ },
+ "type": "dashboard"
+ }
+ ]
+ },
+ "description": "",
+ "editable": true,
+ "gnetId": null,
+ "graphTooltip": 0,
+ "id": 2,
+ "iteration": 1628375170149,
+ "links": [],
+ "panels": [
+ {
+ "datasource": "${DS_PROMETHEUS_KYVERNO}",
+ "gridPos": {
+ "h": 6,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 42,
+ "options": {
+ "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)",
+ "mode": "markdown"
+ },
+ "pluginVersion": "8.1.0",
+ "timeFrom": null,
+ "timeShift": null,
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "collapsed": false,
+ "datasource": "${DS_PROMETHEUS_KYVERNO}",
+ "fieldConfig": {
+ "defaults": {},
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 6
+ },
+ "id": 12,
+ "panels": [],
+ "title": "Latest Status",
+ "type": "row"
+ },
+ {
+ "datasource": "${DS_PROMETHEUS_KYVERNO}",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "max": 100,
+ "min": 0,
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "text",
+ "value": null
+ },
+ {
+ "value": 0,
+ "color": "green"
+ },
+ {
+ "color": "#eab839",
+ "value": 25
+ },
+ {
+ "color": "red",
+ "value": 50
+ },
+ {
+ "color": "red",
+ "value": 100
+ }
+ ]
+ },
+ "unit": "percent"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 0,
+ "y": 7
+ },
+ "id": 29,
+ "options": {
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showThresholdLabels": false,
+ "showThresholdMarkers": true,
+ "text": {}
+ },
+ "pluginVersion": "8.1.0",
+ "targets": [
+ {
+ "exemplar": true,
+ "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{cluster=~\"$cluster\"}[24h]))",
+ "interval": "",
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "title": "Rule Execution Failure Rate (Last 24 Hours)",
+ "transparent": true,
+ "type": "gauge"
+ },
+ {
+ "datasource": "${DS_PROMETHEUS_KYVERNO}",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 8,
+ "y": 7
+ },
+ "id": 2,
+ "options": {
+ "colorMode": "background",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "text": {},
+ "textMode": "auto"
+ },
+ "pluginVersion": "8.1.0",
+ "targets": [
+ {
+ "exemplar": true,
+ "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\",cluster=~\"$cluster\"}==1) by (policy_name))",
+ "interval": "",
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Cluster Policies",
+ "type": "stat"
+ },
+ {
+ "datasource": "${DS_PROMETHEUS_KYVERNO}",
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
+ }
+ ]
+ }
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 5,
+ "w": 4,
+ "x": 12,
+ "y": 7
+ },
+ "id": 3,
+ "options": {
+ "colorMode": "background",
+ "graphMode": "none",
+ "justifyMode": "auto",
+ "orientation": "auto",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "text": {},
+ "textMode": "auto"
+ },
+ "pluginVersion": "8.1.0",
+ "targets": [
+ {
+ "exemplar": true,
+ "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\", cluster=~\"$cluster\"}==1) by (policy_name))",
+ "interval": "",
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "timeFrom": null,
+ "timeShift": null,
+ "title": "Policies",
+ "type": "stat"
+ },
+ {
+ "datasource": "${DS_PROMETHEUS_KYVERNO}",
[Diff truncated by flux-local]
--- HelmRelease: kyverno-system/kyverno ConfigMap: kyverno-system/kyverno
+++ HelmRelease: kyverno-system/kyverno ConfigMap: kyverno-system/kyverno
@@ -0,0 +1,67 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kyverno
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: config
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+data:
+ enableDefaultRegistryMutation: 'true'
+ defaultRegistry: docker.io
+ generateSuccessEvents: 'false'
+ excludeGroups: system:nodes
+ resourceFilters: '[*/*,kyverno-system,*] [Event,*,*] [*/*,kube-system,*] [*/*,kube-public,*]
+ [*/*,kube-node-lease,*] [Node,*,*] [Node/*,*,*] [APIService,*,*] [APIService/*,*,*]
+ [TokenReview,*,*] [SubjectAccessReview,*,*] [SelfSubjectAccessReview,*,*] [Binding,*,*]
+ [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [AdmissionReport,*,*] [AdmissionReport/*,*,*]
+ [ClusterAdmissionReport,*,*] [ClusterAdmissionReport/*,*,*] [BackgroundScanReport,*,*]
+ [BackgroundScanReport/*,*,*] [ClusterBackgroundScanReport,*,*] [ClusterBackgroundScanReport/*,*,*]
+ [ClusterRole,*,kyverno:admission-controller] [ClusterRole,*,kyverno:admission-controller:core]
+ [ClusterRole,*,kyverno:admission-controller:additional] [ClusterRole,*,kyverno:background-controller]
+ [ClusterRole,*,kyverno:background-controller:core] [ClusterRole,*,kyverno:background-controller:additional]
+ [ClusterRole,*,kyverno:cleanup-controller] [ClusterRole,*,kyverno:cleanup-controller:core]
+ [ClusterRole,*,kyverno:cleanup-controller:additional] [ClusterRole,*,kyverno:reports-controller]
+ [ClusterRole,*,kyverno:reports-controller:core] [ClusterRole,*,kyverno:reports-controller:additional]
+ [ClusterRoleBinding,*,kyverno:admission-controller] [ClusterRoleBinding,*,kyverno:background-controller]
+ [ClusterRoleBinding,*,kyverno:cleanup-controller] [ClusterRoleBinding,*,kyverno:reports-controller]
+ [ServiceAccount,kyverno-system,kyverno-admission-controller] [ServiceAccount/*,kyverno-system,kyverno-admission-controller]
+ [ServiceAccount,kyverno-system,kyverno-background-controller] [ServiceAccount/*,kyverno-system,kyverno-background-controller]
+ [ServiceAccount,kyverno-system,kyverno-cleanup-controller] [ServiceAccount/*,kyverno-system,kyverno-cleanup-controller]
+ [ServiceAccount,kyverno-system,kyverno-reports-controller] [ServiceAccount/*,kyverno-system,kyverno-reports-controller]
+ [Role,kyverno-system,kyverno:admission-controller] [Role,kyverno-system,kyverno:background-controller]
+ [Role,kyverno-system,kyverno:cleanup-controller] [Role,kyverno-system,kyverno:reports-controller]
+ [RoleBinding,kyverno-system,kyverno:admission-controller] [RoleBinding,kyverno-system,kyverno:background-controller]
+ [RoleBinding,kyverno-system,kyverno:cleanup-controller] [RoleBinding,kyverno-system,kyverno:reports-controller]
+ [ConfigMap,kyverno-system,kyverno] [ConfigMap,kyverno-system,kyverno-metrics]
+ [Deployment,kyverno-system,kyverno-admission-controller] [Deployment/*,kyverno-system,kyverno-admission-controller]
+ [Deployment,kyverno-system,kyverno-background-controller] [Deployment/*,kyverno-system,kyverno-background-controller]
+ [Deployment,kyverno-system,kyverno-cleanup-controller] [Deployment/*,kyverno-system,kyverno-cleanup-controller]
+ [Deployment,kyverno-system,kyverno-reports-controller] [Deployment/*,kyverno-system,kyverno-reports-controller]
+ [Pod,kyverno-system,kyverno-admission-controller-*] [Pod/*,kyverno-system,kyverno-admission-controller-*]
+ [Pod,kyverno-system,kyverno-background-controller-*] [Pod/*,kyverno-system,kyverno-background-controller-*]
+ [Pod,kyverno-system,kyverno-cleanup-controller-*] [Pod/*,kyverno-system,kyverno-cleanup-controller-*]
+ [Pod,kyverno-system,kyverno-reports-controller-*] [Pod/*,kyverno-system,kyverno-reports-controller-*]
+ [Job,kyverno-system,kyverno-hook-pre-delete] [Job/*,kyverno-system,kyverno-hook-pre-delete]
+ [NetworkPolicy,kyverno-system,kyverno-admission-controller] [NetworkPolicy/*,kyverno-system,kyverno-admission-controller]
+ [NetworkPolicy,kyverno-system,kyverno-background-controller] [NetworkPolicy/*,kyverno-system,kyverno-background-controller]
+ [NetworkPolicy,kyverno-system,kyverno-cleanup-controller] [NetworkPolicy/*,kyverno-system,kyverno-cleanup-controller]
+ [NetworkPolicy,kyverno-system,kyverno-reports-controller] [NetworkPolicy/*,kyverno-system,kyverno-reports-controller]
+ [PodDisruptionBudget,kyverno-system,kyverno-admission-controller] [PodDisruptionBudget/*,kyverno-system,kyverno-admission-controller]
+ [PodDisruptionBudget,kyverno-system,kyverno-background-controller] [PodDisruptionBudget/*,kyverno-system,kyverno-background-controller]
+ [PodDisruptionBudget,kyverno-system,kyverno-cleanup-controller] [PodDisruptionBudget/*,kyverno-system,kyverno-cleanup-controller]
+ [PodDisruptionBudget,kyverno-system,kyverno-reports-controller] [PodDisruptionBudget/*,kyverno-system,kyverno-reports-controller]
+ [Service,kyverno-system,kyverno-svc] [Service/*,kyverno-system,kyverno-svc] [Service,kyverno-system,kyverno-svc-metrics]
+ [Service/*,kyverno-system,kyverno-svc-metrics] [Service,kyverno-system,kyverno-background-controller-metrics]
+ [Service/*,kyverno-system,kyverno-background-controller-metrics] [Service,kyverno-system,kyverno-cleanup-controller]
+ [Service/*,kyverno-system,kyverno-cleanup-controller] [Service,kyverno-system,kyverno-cleanup-controller-metrics]
+ [Service/*,kyverno-system,kyverno-cleanup-controller-metrics] [Service,kyverno-system,kyverno-reports-controller-metrics]
+ [Service/*,kyverno-system,kyverno-reports-controller-metrics] [ServiceMonitor,kyverno-system,kyverno-admission-controller]
+ [ServiceMonitor,kyverno-system,kyverno-background-controller] [ServiceMonitor,kyverno-system,kyverno-cleanup-controller]
+ [ServiceMonitor,kyverno-system,kyverno-reports-controller] [Secret,kyverno-system,kyverno-svc.kyverno-system.svc.*]
+ [Secret,kyverno-system,kyverno-cleanup-controller.kyverno-system.svc.*]'
+ webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno-system"]}]}}]'
+
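Review bot: `resourceFilters` excludes every resource in kube-system, kube-public, kube-node-lease and kyverno-system, and `webhooks` additionally removes kyverno-system from the webhook's namespaceSelector, so policies installed later will not be evaluated for workloads in those namespaces. This appears to be Kyverno's rendered default and is commonly kept so that a failing webhook cannot block control-plane components, but it means a ClusterPolicy this cluster later relies on for enforcement silently does not cover kube-system. `excludeGroups: system:nodes` likewise exempts kubelet-initiated requests from evaluation. A one-line comment in the HelmRelease values, e.g. `# kube-system/kube-public/kube-node-lease and system:nodes are exempt from policy evaluation by default`, would stop a later reader from assuming cluster-wide coverage.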
--- HelmRelease: kyverno-system/kyverno ConfigMap: kyverno-system/kyverno-metrics
+++ HelmRelease: kyverno-system/kyverno ConfigMap: kyverno-system/kyverno-metrics
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kyverno-metrics
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: config
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+data:
+ namespaces: '{"exclude":[],"include":[]}'
+ bucketBoundaries: 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20,
+ 25, 30
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:admission-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:admission-controller
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:admission-controller
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:admission-controller:core
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:admission-controller:core
@@ -0,0 +1,97 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:admission-controller:core
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - clusterroles
+ - rolebindings
+ - clusterrolebindings
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policies
+ - policies/status
+ - clusterpolicies
+ - clusterpolicies/status
+ - updaterequests
+ - updaterequests/status
+ - admissionreports
+ - clusteradmissionreports
+ - backgroundscanreports
+ - clusterbackgroundscanreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - policyreports/status
+ - clusterpolicyreports
+ - clusterpolicyreports/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - ''
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - update
+ - patch
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+
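Review bot: The final rule of this ClusterRole (`apiGroups: '*'`, `resources: '*'`, verbs get/list/watch) gives the admission-controller ServiceAccount, bound cluster-wide through kyverno:admission-controller and its aggregationRule, read access to every resource in the cluster, Secrets in all namespaces included. The same wildcard read rule appears in kyverno:background-controller:core and kyverno:reports-controller:core further down. This is the chart's rendered output rather than something written by hand, so the fix is not in this diff, but the consequence, that a compromised Kyverno controller pod is equivalent to cluster-wide read, deserves an explicit acknowledgement in the HelmRelease values, e.g. `# NOTE: kyverno controllers hold cluster-wide get/list/watch on all resources, including Secrets`. Unexpected Secret reads by these three ServiceAccounts in the API server audit log are a useful detection signal.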
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:admission-controller:additional
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:admission-controller:additional
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:admission-controller:additional
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - create
+ - update
+ - delete
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:background-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:background-controller
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:background-controller:core
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:background-controller:core
@@ -0,0 +1,91 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:core
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policies
+ - clusterpolicies
+ - policyexceptions
+ - updaterequests
+ - updaterequests/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ - networkpolicies
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ - secrets
+ - resourcequotas
+ - limitranges
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:background-controller:additional
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:background-controller:additional
@@ -0,0 +1,23 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:additional
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:cleanup-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:cleanup-controller
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cleanup-controller
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:cleanup-controller:core
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:cleanup-controller:core
@@ -0,0 +1,69 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:cleanup-controller:core
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kyverno.io
+ resources:
+ - clustercleanuppolicies
+ - cleanuppolicies
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - kyverno.io
+ resources:
+ - clustercleanuppolicies/status
+ - cleanuppolicies/status
+ verbs:
+ - update
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ''
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno-cleanup-jobs
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno-cleanup-jobs
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno-cleanup-jobs
+ labels:
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - admissionreports
+ - clusteradmissionreports
+ verbs:
+ - list
+ - deletecollection
+ - delete
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:policies
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:policies
@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:admin:policies
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - cleanuppolicies
+ - clustercleanuppolicies
+ - policies
+ - clusterpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
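Review bot: The `rbac.authorization.k8s.io/aggregate-to-admin: 'true'` label folds create/delete/patch/update on Kyverno policies into the built-in `admin` ClusterRole; the admin:policyreports, admin:reports and admin:updaterequests roles below carry the same label. Anyone holding `admin` through a RoleBinding can therefore author namespaced `policies` in their namespace, and anyone holding it through a ClusterRoleBinding can author `clusterpolicies` as well, since RoleBindings cannot grant cluster-scoped resources. In a single-operator cluster this is harmless, but in a shared cluster it is worth recording in the HelmRelease values that the aggregation is intentional, e.g. `# rbac aggregation: namespace admins may create Kyverno policies`, as it comes from the rendered chart rather than a deliberate choice visible here.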
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:policies
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:policies
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:view:policies
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - cleanuppolicies
+ - clustercleanuppolicies
+ - policies
+ - clusterpolicies
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:policyreports
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:policyreports
@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:admin:policyreports
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+rules:
+- apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - clusterpolicyreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:policyreports
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:policyreports
@@ -0,0 +1,22 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:view:policyreports
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+rules:
+- apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - clusterpolicyreports
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:reports
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:reports
@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:admin:reports
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - admissionreports
+ - clusteradmissionreports
+ - backgroundscanreports
+ - clusterbackgroundscanreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:reports
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:reports
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:view:reports
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - admissionreports
+ - clusteradmissionreports
+ - backgroundscanreports
+ - clusterbackgroundscanreports
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:updaterequests
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:admin:updaterequests
@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:admin:updaterequests
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-admin: 'true'
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - updaterequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:updaterequests
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:rbac:view:updaterequests
@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:rbac:view:updaterequests
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ rbac.authorization.k8s.io/aggregate-to-view: 'true'
+rules:
+- apiGroups:
+ - kyverno.io
+ resources:
+ - updaterequests
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:reports-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:reports-controller
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:reports-controller
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+
--- HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:reports-controller:core
+++ HelmRelease: kyverno-system/kyverno ClusterRole: kyverno-system/kyverno:reports-controller:core
@@ -0,0 +1,60 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:reports-controller:core
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - kyverno.io
+ resources:
+ - admissionreports
+ - clusteradmissionreports
+ - backgroundscanreports
+ - clusterbackgroundscanreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - policyreports/status
+ - clusterpolicyreports
+ - clusterpolicyreports/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - ''
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+
--- HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:admission-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:admission-controller
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:admission-controller
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:admission-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:background-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:background-controller
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:background-controller
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:background-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:cleanup-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:cleanup-controller
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:cleanup-controller
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:cleanup-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-cleanup-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno-cleanup-jobs
+++ HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno-cleanup-jobs
@@ -0,0 +1,18 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno-cleanup-jobs
+ labels:
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno-cleanup-jobs
+subjects:
+- kind: ServiceAccount
+ name: kyverno-cleanup-jobs
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:reports-controller
+++ HelmRelease: kyverno-system/kyverno ClusterRoleBinding: kyverno-system/kyverno:reports-controller
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:reports-controller
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:reports-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:admission-controller
+++ HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:admission-controller
@@ -0,0 +1,56 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kyverno:admission-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - kyverno
+ - kyverno-metrics
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - update
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - deployments/scale
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+
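Review bot: The `secrets` rule in Role `kyverno:admission-controller` grants create/update/delete and read on every Secret in `kyverno-system` with no `resourceNames`, whereas the `kyverno:cleanup-controller` Role in this same diff splits the same need into an unscoped `create` and a name-restricted `get`/`list`/`update`/`delete`/`watch` on its two TLS secrets. The admission controller's own args name its secrets (`kyverno-svc.kyverno-system.svc.kyverno-tls-ca` and `...-tls-pair`), so the same split appears applicable, and likewise `deployments` patch/update could be scoped with `resourceNames: [kyverno-admission-controller]`. Confirm first that nothing else in the namespace must be readable by this controller (e.g. image-verification or registry credential secrets) and that its secret informer tolerates a name-restricted list the way the cleanup controller's evidently does; if it cannot be narrowed, a comment stating why is the next best thing.
```yaml
rules:
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - update
  - delete
  resourceNames:
  - kyverno-svc.kyverno-system.svc.kyverno-tls-ca
  - kyverno-svc.kyverno-system.svc.kyverno-tls-pair
# … unchanged: configmaps, leases and deployments rules …
```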
--- HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:background-controller
+++ HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:background-controller
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kyverno:background-controller
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ namespace: kyverno-system
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - kyverno
+ - kyverno-metrics
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+ resourceNames:
+ - kyverno-background-controller
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
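Review bot: The final rule of Role `kyverno:background-controller` grants `get`/`list`/`watch` on all Secrets in `kyverno-system` without `resourceNames`, while the lease rules just above it in the same Role are carefully split into an unscoped `create` and a name-scoped everything-else. If the background controller genuinely needs arbitrary secret reads (for example to resolve policy context lookups), that is fine but should be stated in a comment like `# unscoped: policy context lookups may reference any Secret in this namespace`; if it only needs specific secrets, apply the same `resourceNames` pattern used for leases.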
--- HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:cleanup-controller
+++ HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:cleanup-controller
@@ -0,0 +1,60 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kyverno:cleanup-controller
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ namespace: kyverno-system
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - delete
+ - get
+ - list
+ - update
+ - watch
+ resourceNames:
+ - kyverno-cleanup-controller.kyverno-system.svc.kyverno-tls-ca
+ - kyverno-cleanup-controller.kyverno-system.svc.kyverno-tls-pair
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - kyverno
+ - kyverno-metrics
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+ resourceNames:
+ - kyverno-cleanup-controller
+
--- HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:reports-controller
+++ HelmRelease: kyverno-system/kyverno Role: kyverno-system/kyverno:reports-controller
@@ -0,0 +1,41 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kyverno:reports-controller
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ namespace: kyverno-system
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - kyverno
+ - kyverno-metrics
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+ resourceNames:
+ - kyverno-reports-controller
+
--- HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:admission-controller
+++ HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:admission-controller
@@ -0,0 +1,20 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:admission-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kyverno:admission-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:background-controller
+++ HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:background-controller
@@ -0,0 +1,20 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:background-controller
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ namespace: kyverno-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kyverno:background-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:cleanup-controller
+++ HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:cleanup-controller
@@ -0,0 +1,20 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:cleanup-controller
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ namespace: kyverno-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kyverno:cleanup-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-cleanup-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:reports-controller
+++ HelmRelease: kyverno-system/kyverno RoleBinding: kyverno-system/kyverno:reports-controller
@@ -0,0 +1,20 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:reports-controller
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ namespace: kyverno-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kyverno:reports-controller
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: kyverno-system
+
--- HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-svc
+++ HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-svc
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kyverno-svc
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ ports:
+ - port: 443
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ type: ClusterIP
+
--- HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-svc-metrics
+++ HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-svc-metrics
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kyverno-svc-metrics
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ ports:
+ - port: 8000
+ targetPort: 8000
+ protocol: TCP
+ name: metrics-port
+ selector:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ type: ClusterIP
+
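Review bot: `kyverno-svc-metrics` exposes the admission controller's metrics port 8000 as a ClusterIP Service with no TLS and nothing in this diff restricting who may connect, so any pod in the cluster can scrape it (the same applies to the three sibling `*-metrics` Services below). Kyverno metrics are labelled by policy and namespace, which is mildly informative to an attacker doing recon; if the cluster enforces NetworkPolicy, add one allowing ingress to port 8000 only from the monitoring namespace, or note in the HelmRelease that metrics are intentionally open.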
--- HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-background-controller-metrics
+++ HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-background-controller-metrics
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kyverno-background-controller-metrics
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ ports:
+ - port: 8000
+ targetPort: 8000
+ protocol: TCP
+ name: metrics-port
+ selector:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ type: ClusterIP
+
--- HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-cleanup-controller
+++ HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-cleanup-controller
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kyverno-cleanup-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ ports:
+ - port: 443
+ targetPort: https
+ protocol: TCP
+ name: https
+ selector:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ type: ClusterIP
+
--- HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-cleanup-controller-metrics
+++ HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-cleanup-controller-metrics
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kyverno-cleanup-controller-metrics
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ ports:
+ - port: 8000
+ targetPort: 8000
+ protocol: TCP
+ name: metrics-port
+ selector:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ type: ClusterIP
+
--- HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-reports-controller-metrics
+++ HelmRelease: kyverno-system/kyverno Service: kyverno-system/kyverno-reports-controller-metrics
@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: kyverno-reports-controller-metrics
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ ports:
+ - port: 8000
+ targetPort: 8000
+ protocol: TCP
+ name: metrics-port
+ selector:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ type: ClusterIP
+
--- HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-admission-controller
+++ HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-admission-controller
@@ -0,0 +1,200 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kyverno-admission-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ replicas: 3
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 40%
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ spec:
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: kyverno
+ app.kubernetes.io/instance: kyverno
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ dnsPolicy: ClusterFirst
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - admission-controller
+ topologyKey: kubernetes.io/hostname
+ weight: 1
+ serviceAccountName: kyverno-admission-controller
+ initContainers:
+ - name: kyverno-pre
+ image: ghcr.io/kyverno/kyvernopre:v1.11.4
+ imagePullPolicy: IfNotPresent
+ args:
+ - --loggingFormat=text
+ - --v=2
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ env:
+ - name: KYVERNO_SERVICEACCOUNT_NAME
+ value: kyverno-admission-controller
+ - name: INIT_CONFIG
+ value: kyverno
+ - name: METRICS_CONFIG
+ value: kyverno-metrics
+ - name: KYVERNO_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: KYVERNO_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KYVERNO_DEPLOYMENT
+ value: kyverno-admission-controller
+ - name: KYVERNO_SVC
+ value: kyverno-svc
+ containers:
+ - name: kyverno
+ image: ghcr.io/kyverno/kyverno:v1.11.4
+ imagePullPolicy: IfNotPresent
+ args:
+ - --caSecretName=kyverno-svc.kyverno-system.svc.kyverno-tls-ca
+ - --tlsSecretName=kyverno-svc.kyverno-system.svc.kyverno-tls-pair
+ - --backgroundServiceAccountName=system:serviceaccount:kyverno-system:kyverno-background-controller
+ - --servicePort=443
+ - --disableMetrics=false
+ - --otelConfig=prometheus
+ - --metricsPort=8000
+ - --admissionReports=true
+ - --autoUpdateWebhooks=true
+ - --enableConfigMapCaching=true
+ - --enableDeferredLoading=true
+ - --dumpPayload=false
+ - --forceFailurePolicyIgnore=false
+ - --generateValidatingAdmissionPolicy=false
+ - --loggingFormat=text
+ - --v=2
+ - --enablePolicyException=true
+ - --protectManagedResources=false
+ - --allowInsecureRegistry=false
+ - --registryCredentialHelpers=default,google,amazon,azure,github
+ resources:
+ limits:
+ memory: 384Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+ - containerPort: 9443
+ name: https
+ protocol: TCP
+ - containerPort: 8000
+ name: metrics-port
+ protocol: TCP
+ env:
+ - name: INIT_CONFIG
+ value: kyverno
+ - name: METRICS_CONFIG
+ value: kyverno-metrics
+ - name: KYVERNO_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: KYVERNO_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KYVERNO_SERVICEACCOUNT_NAME
+ value: kyverno-admission-controller
+ - name: KYVERNO_SVC
+ value: kyverno-svc
+ - name: TUF_ROOT
+ value: /.sigstore
+ - name: KYVERNO_DEPLOYMENT
+ value: kyverno-admission-controller
+ startupProbe:
+ failureThreshold: 20
+ httpGet:
+ path: /health/liveness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 2
+ periodSeconds: 6
+ livenessProbe:
+ failureThreshold: 2
+ httpGet:
+ path: /health/liveness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /health/readiness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ volumeMounts:
+ - mountPath: /.sigstore
+ name: sigstore
+ volumes:
+ - name: sigstore
+ emptyDir: {}
+
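Review bot: The `topologySpreadConstraints` selector on the admission-controller Deployment matches `app.kubernetes.io/component: kyverno`, but the pod template is labelled `app.kubernetes.io/component: admission-controller`, so the constraint selects no pods and the `DoNotSchedule` spread is a no-op; the three replicas and the PDB are then only protected by the weight-1 preferred anti-affinity. The fix is the one line `app.kubernetes.io/component: admission-controller` in the spread constraint's `matchLabels` (this is presumably a chart value that was overridden; worth checking the values file rather than patching the rendered output). Separately, `--protectManagedResources=false` appears to leave Kyverno's own webhook configurations and TLS secrets unprotected from modification by other principals, and both images are pinned by tag rather than digest for a component that gates every admission request; both are defensible choices but deserve an explicit comment in the HelmRelease values.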
--- HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-background-controller
+++ HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-background-controller
@@ -0,0 +1,99 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kyverno-background-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ replicas: null
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 40%
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ spec:
+ dnsPolicy: ClusterFirst
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - background-controller
+ topologyKey: kubernetes.io/hostname
+ weight: 1
+ serviceAccountName: kyverno-background-controller
+ containers:
+ - name: controller
+ image: ghcr.io/kyverno/background-controller:v1.11.4
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9443
+ name: https
+ protocol: TCP
+ - containerPort: 8000
+ name: metrics
+ protocol: TCP
+ args:
+ - --disableMetrics=false
+ - --otelConfig=prometheus
+ - --metricsPort=8000
+ - --enableConfigMapCaching=true
+ - --enableDeferredLoading=true
+ - --loggingFormat=text
+ - --v=2
+ - --enablePolicyException=true
+ env:
+ - name: KYVERNO_SERVICEACCOUNT_NAME
+ value: kyverno-background-controller
+ - name: KYVERNO_DEPLOYMENT
+ value: kyverno-background-controller
+ - name: INIT_CONFIG
+ value: kyverno
+ - name: METRICS_CONFIG
+ value: kyverno-metrics
+ - name: KYVERNO_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KYVERNO_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
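Review bot: The background-controller Deployment declares an `https` container port 9443 but no startup, liveness or readiness probe, unlike the admission-controller and cleanup-controller Deployments in this diff which probe `/health/liveness` and `/health/readiness` on 9443; a hung controller will therefore keep its single pod (`replicas: null` leaves the Kubernetes default of 1) and never be restarted. If the background-controller image serves the same health endpoints, adding the same three probes would be a straightforward consistency fix; if it does not, a comment such as `# no probes: background-controller exposes no health endpoint` would save the next reader the question.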
--- HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-cleanup-controller
+++ HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-cleanup-controller
@@ -0,0 +1,132 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kyverno-cleanup-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ replicas: null
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 40%
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ spec:
+ dnsPolicy: ClusterFirst
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - cleanup-controller
+ topologyKey: kubernetes.io/hostname
+ weight: 1
+ serviceAccountName: kyverno-cleanup-controller
+ containers:
+ - name: controller
+ image: ghcr.io/kyverno/cleanup-controller:v1.11.4
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9443
+ name: https
+ protocol: TCP
+ - containerPort: 8000
+ name: metrics
+ protocol: TCP
+ args:
+ - --caSecretName=kyverno-cleanup-controller.kyverno-system.svc.kyverno-tls-ca
+ - --tlsSecretName=kyverno-cleanup-controller.kyverno-system.svc.kyverno-tls-pair
+ - --servicePort=443
+ - --disableMetrics=false
+ - --otelConfig=prometheus
+ - --metricsPort=8000
+ - --enableDeferredLoading=true
+ - --dumpPayload=false
+ - --loggingFormat=text
+ - --v=2
+ - --ttlReconciliationInterval=1m
+ env:
+ - name: KYVERNO_DEPLOYMENT
+ value: kyverno-cleanup-controller
+ - name: INIT_CONFIG
+ value: kyverno
+ - name: METRICS_CONFIG
+ value: kyverno-metrics
+ - name: KYVERNO_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KYVERNO_SERVICEACCOUNT_NAME
+ value: kyverno-cleanup-controller
+ - name: KYVERNO_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: KYVERNO_SVC
+ value: kyverno-cleanup-controller
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ startupProbe:
+ failureThreshold: 20
+ httpGet:
+ path: /health/liveness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 2
+ periodSeconds: 6
+ livenessProbe:
+ failureThreshold: 2
+ httpGet:
+ path: /health/liveness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /health/readiness
+ port: 9443
+ scheme: HTTPS
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+
--- HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-reports-controller
+++ HelmRelease: kyverno-system/kyverno Deployment: kyverno-system/kyverno-reports-controller
@@ -0,0 +1,118 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kyverno-reports-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ replicas: null
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 40%
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ spec:
+ dnsPolicy: ClusterFirst
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - reports-controller
+ topologyKey: kubernetes.io/hostname
+ weight: 1
+ serviceAccountName: kyverno-reports-controller
+ containers:
+ - name: controller
+ image: ghcr.io/kyverno/reports-controller:v1.11.4
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9443
+ name: https
+ protocol: TCP
+ - containerPort: 8000
+ name: metrics
+ protocol: TCP
+ args:
+ - --disableMetrics=false
+ - --otelConfig=prometheus
+ - --metricsPort=8000
+ - --admissionReports=true
+ - --aggregateReports=true
+ - --policyReports=true
+ - --validatingAdmissionPolicyReports=false
+ - --backgroundScan=true
+ - --backgroundScanWorkers=2
+ - --backgroundScanInterval=1h
+ - --skipResourceFilters=true
+ - --enableConfigMapCaching=true
+ - --enableDeferredLoading=true
+ - --loggingFormat=text
+ - --v=2
+ - --enablePolicyException=true
+ - --reportsChunkSize=1000
+ - --allowInsecureRegistry=false
+ - --registryCredentialHelpers=default,google,amazon,azure,github
+ env:
+ - name: KYVERNO_SERVICEACCOUNT_NAME
+ value: kyverno-reports-controller
+ - name: KYVERNO_DEPLOYMENT
+ value: kyverno-reports-controller
+ - name: INIT_CONFIG
+ value: kyverno
+ - name: METRICS_CONFIG
+ value: kyverno-metrics
+ - name: KYVERNO_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KYVERNO_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: TUF_ROOT
+ value: /.sigstore
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /.sigstore
+ name: sigstore
+ volumes:
+ - name: sigstore
+ emptyDir: {}
+
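Review bot: The reports-controller runs with `--skipResourceFilters=true`, `--backgroundScan=true` and `--skipResourceFilters` combined with the wildcard-read ClusterRole in this same diff, which suggests it will scan resources in namespaces that the `kyverno` ConfigMap's resource filters exclude from admission (typically `kube-system` and the like); whether that is intended should be confirmed and documented, since policy reports then carry details of those resources into `wgpolicyk8s.io` objects readable by anyone with report access. As with the background controller, this Deployment defines an `https` port but no probes, so a wedged single replica will not be restarted. A comment on the args block stating why filters are skipped for reports would make the choice reviewable.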
--- HelmRelease: kyverno-system/kyverno CronJob: kyverno-system/kyverno-cleanup-admission-reports
+++ HelmRelease: kyverno-system/kyverno CronJob: kyverno-system/kyverno-cleanup-admission-reports
@@ -0,0 +1,49 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: kyverno-cleanup-admission-reports
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: cleanup
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ schedule: '*/10 * * * *'
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ template:
+ metadata: null
+ spec:
+ serviceAccountName: kyverno-cleanup-jobs
+ containers:
+ - name: cleanup
+ image: bitnami/kubectl:1.28.5
+ imagePullPolicy: null
+ command:
+ - /bin/sh
+ - -c
+ - |
+ COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
+ if [ "$COUNT" -gt 10000 ]; then
+ echo "too many reports found ($COUNT), cleaning up..."
+ kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
+ else
+ echo "($COUNT) reports found, no clean up needed"
+ fi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+
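Review bot: The count in the cleanup script pipes the full `kubectl get admissionreports.kyverno.io -A` table through `wc -l`, which both includes the header line in `COUNT` and fetches every object's columns when only the count is needed; `COUNT=$(kubectl get admissionreports.kyverno.io -A -o name | wc -l)` fixes both and still yields 0 when none exist. The script has no `set -eu`, so a failed `kubectl` yields an empty `COUNT` and an opaque `[: integer expression expected` error rather than a clear failure. This container is also the only one in the diff without `resources` limits and it pulls `bitnami/kubectl:1.28.5` from Docker Hub by mutable tag, which is a weak supply-chain posture for a job that runs every ten minutes with a cluster-wide delete role bound to `kyverno-cleanup-jobs`; pinning by digest and adding limits would bring it in line with the controllers.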
--- HelmRelease: kyverno-system/kyverno CronJob: kyverno-system/kyverno-cleanup-cluster-admission-reports
+++ HelmRelease: kyverno-system/kyverno CronJob: kyverno-system/kyverno-cleanup-cluster-admission-reports
@@ -0,0 +1,49 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: kyverno-cleanup-cluster-admission-reports
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: cleanup
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ schedule: '*/10 * * * *'
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ template:
+ metadata: null
+ spec:
+ serviceAccountName: kyverno-cleanup-jobs
+ containers:
+ - name: cleanup
+ image: bitnami/kubectl:1.28.5
+ imagePullPolicy: null
+ command:
+ - /bin/sh
+ - -c
+ - |
+ COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
+ if [ "$COUNT" -gt 10000 ]; then
+ echo "too many reports found ($COUNT), cleaning up..."
+ kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
+ else
+ echo "($COUNT) reports found, no clean up needed"
+ fi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: OnFailure
+
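Review bot: The same count/cleanup script issues apply here as in the `kyverno-cleanup-admission-reports` job (header line inflates `COUNT`, no `set -eu`, no `resources`, tag-pinned Docker Hub image), and additionally `clusteradmissionreports.kyverno.io` is cluster-scoped so the `-A` flag on both the `get` and the `delete` is meaningless and slightly misleading. Suggested count line: `COUNT=$(kubectl get clusteradmissionreports.kyverno.io -o name | wc -l)`.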
--- HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-admission-controller
+++ HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-admission-controller
@@ -0,0 +1,25 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: kyverno-admission-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ namespaceSelector:
+ matchNames:
+ - kyverno-system
+ endpoints:
+ - port: metrics-port
+ interval: 30s
+ scrapeTimeout: 25s
+
--- HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-background-controller
+++ HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-background-controller
@@ -0,0 +1,25 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: kyverno-background-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ namespaceSelector:
+ matchNames:
+ - kyverno-system
+ endpoints:
+ - port: metrics-port
+ interval: 30s
+ scrapeTimeout: 25s
+
--- HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-cleanup-controller
+++ HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-cleanup-controller
@@ -0,0 +1,25 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: kyverno-cleanup-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: cleanup-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ namespaceSelector:
+ matchNames:
+ - kyverno-system
+ endpoints:
+ - port: metrics-port
+ interval: 30s
+ scrapeTimeout: 25s
+
--- HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-reports-controller
+++ HelmRelease: kyverno-system/kyverno ServiceMonitor: kyverno-system/kyverno-reports-controller
@@ -0,0 +1,25 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: kyverno-reports-controller
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ namespaceSelector:
+ matchNames:
+ - kyverno-system
+ endpoints:
+ - port: metrics-port
+ interval: 30s
+ scrapeTimeout: 25s
+
--- HelmRelease: kyverno-system/kyverno Job: kyverno-system/kyverno-hook-post-upgrade
+++ HelmRelease: kyverno-system/kyverno Job: kyverno-system/kyverno-hook-post-upgrade
@@ -0,0 +1,52 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-hook-post-upgrade
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: post-upgrade
+ helm.sh/hook-delete-policy: hook-succeeded,hook-failed
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ serviceAccount: kyverno-admission-controller
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl:1.28.5
+ imagePullPolicy: null
+ command:
+ - /bin/bash
+ - -c
+ - "NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')\n\
+ \nfor ns in ${NAMESPACES[@]};\ndo\n COUNT=$(kubectl get policyreports.wgpolicyk8s.io\
+ \ -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)\n\n if [ $COUNT\
+ \ -gt 0 ]; then\n echo \"deleting $COUNT policyreports in namespace $ns\"\
+ \n kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true\
+ \ | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io\n\
+ \ else\n echo \"no policyreports in namespace $ns\"\n fi\ndone\n\n\
+ COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true\
+ \ | awk '/pol/{print $1}' | wc -l)\n \nif [ $COUNT -gt 0 ]; then\n echo\
+ \ \"deleting $COUNT clusterpolicyreports\"\n kubectl get clusterpolicyreports.wgpolicyk8s.io\
+ \ --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io\n\
+ else\n echo \"no clusterpolicyreports\"\nfi\n"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
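Review bot: The bash script in the `kubectl` container runs without `set -euo pipefail`, so a failing `kubectl get` (RBAC denial, API timeout) collapses to `COUNT=0`, the hook prints "no policyreports" and exits 0, and because of `hook-delete-policy: hook-succeeded,hook-failed` the pod and its logs are gone before anyone can see the error. The hook also runs under `serviceAccount: kyverno-admission-controller`, the same identity this PR extends with cluster-wide pod create/update/delete, and pulls `bitnami/kubectl:1.28.5` by tag only, so the hook container inherits those grants with no digest pin on the code it executes. This is chart-rendered output, so the script itself cannot be changed here; if the chart exposes image overrides for its cleanup hooks, pin that image by digest through values, and treat a "no policyreports" result after an upgrade as something to spot-check rather than trust.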
--- HelmRelease: kyverno-system/kyverno Job: kyverno-system/kyverno-hook-pre-delete
+++ HelmRelease: kyverno-system/kyverno Job: kyverno-system/kyverno-hook-pre-delete
@@ -0,0 +1,45 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-hook-pre-delete
+ namespace: kyverno-system
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: hook-succeeded,hook-failed
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ serviceAccount: kyverno-admission-controller
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: bitnami/kubectl:1.28.5
+ imagePullPolicy: null
+ command:
+ - sh
+ - -c
+ - |-
+ kubectl scale -n kyverno-system deployment -l app.kubernetes.io/part-of=kyverno --replicas=0
+ sleep 30
+ kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ |
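Review bot: This hook deletes every `ValidatingWebhookConfiguration` and `MutatingWebhookConfiguration` labelled `webhook.kyverno.io/managed-by=kyverno` cluster-wide, which is the exact moment admission enforcement stops — intended on uninstall, but also precisely the action an attacker holding the same service account would take to disable policy. Because the hook runs as `kyverno-admission-controller`, the identity that manages those webhooks day to day, an audit-log detection on webhook-configuration deletions is worth having rather than assuming this hook is the only caller. The `sleep 30` after scaling the deployments to zero is a fixed wait with no check that the pods actually terminated; in the uninstall direction that is harmless since the webhooks are removed regardless, but anyone reusing this script for maintenance should wait on the rollout (`kubectl rollout status`) instead of a timer.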
--- kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/kyverno
+++ kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/kyverno
@@ -0,0 +1,13 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: kyverno
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://kyverno.github.io/kyverno/
+
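Review bot: This is a plain HTTPS index repository, and as far as I know Flux only verifies chart signatures (`spec.verify` with cosign) for OCI-type `HelmRepository`s, so chart integrity here rests on TLS to `kyverno.github.io` plus the version pinned in the HelmRelease. For the component that becomes the cluster's policy enforcement point that is thin; if Kyverno publishes signed OCI charts, prefer `type: oci` with a `verify` stanza, and otherwise keep the chart version pinned exactly (as the HelmRelease in this PR does) rather than as a range.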
--- kubernetes/apps Kustomization: flux-system/cluster-apps Namespace: flux-system/kyverno-system
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Namespace: flux-system/kyverno-system
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ name: kyverno-system
+
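Review bot: The namespace carries no Pod Security Admission labels, so nothing at the namespace level stops a future manifest in `kyverno-system` from running privileged. The pod specs visible in this PR (the hook Jobs and the cleanup CronJob) drop all capabilities, run non-root, forbid privilege escalation and use `RuntimeDefault` seccomp, which looks `restricted`-compatible; the controller Deployments are not in view, so confirm them before enforcing. Suggested labels: `pod-security.kubernetes.io/enforce: restricted` and `pod-security.kubernetes.io/enforce-version: latest`, which matters here because Kyverno's own webhooks are commonly configured to exclude their own namespace (worth confirming against the chart's webhook namespace exclusions), leaving PSA as the only guard inside it.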
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/kyverno
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/kyverno
@@ -0,0 +1,34 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: kyverno
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: kyverno
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ interval: 2h
+ path: ./kubernetes/apps/kyverno-system/kyverno/app
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+ prune: true
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ targetNamespace: kyverno-system
+ timeout: 5m
+ wait: false
+
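Review bot: `prune: true` together with `wait: false` means that removing or renaming the HelmRelease path in git uninstalls Kyverno — and, through the chart's pre-delete hook, every webhook configuration — with no further confirmation, so a single bad commit silently turns off admission policy cluster-wide. The namespace in this PR is already guarded with `kustomize.toolkit.fluxcd.io/prune: disabled`; consider the same label on the HelmRelease (or on this Kustomization) so the policy engine is only removed deliberately. The sops `decryption` and `cluster-secrets` `substituteFrom` blocks look like template boilerplate — nothing in the kyverno app shown here references a secret — and trimming them narrows what this Kustomization can read, though that is minor.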
--- kubernetes/apps/kyverno-system/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno-system/kyverno
+++ kubernetes/apps/kyverno-system/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno-system/kyverno
@@ -0,0 +1,83 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: kyverno
+ kustomize.toolkit.fluxcd.io/name: kyverno
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: kyverno
+ namespace: kyverno-system
+spec:
+ chart:
+ spec:
+ chart: kyverno
+ sourceRef:
+ kind: HelmRepository
+ name: kyverno
+ namespace: flux-system
+ version: 3.1.4
+ install:
+ remediation:
+ retries: 3
+ interval: 2h
+ uninstall:
+ keepHistory: false
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ admissionController:
+ rbac:
+ clusterRole:
+ extraResources:
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - create
+ - update
+ - delete
+ replicas: 3
+ serviceMonitor:
+ enabled: true
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/component: kyverno
+ app.kubernetes.io/instance: kyverno
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ backgroundController:
+ rbac:
+ clusterRole:
+ extraResources:
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
+ serviceMonitor:
+ enabled: true
+ cleanupController:
+ serviceMonitor:
+ enabled: true
+ crds:
+ install: true
+ grafana:
+ annotations:
+ grafana_folder: ''
+ enabled: true
+ reportsController:
+ serviceMonitor:
+ enabled: true
+ |
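Review bot: The `extraResources` grants give the admission controller cluster-wide `create`/`update`/`delete` on pods and the background controller those plus `patch`/`get`/`list`; cluster-wide `create pods` is a well-known escalation path (a pod can be created with any service account in any namespace and its token read), so these should be tied to the specific generate/mutate-existing policies that need them and removed if none does. Note that `kyverno-admission-controller` is also the service account of the `post-upgrade` and `pre-delete` hook Jobs in this PR, so those `kubectl` containers inherit the grant. Separately, the `topologySpreadConstraints` selector uses `app.kubernetes.io/component: kyverno`, while every ServiceMonitor selector the chart renders for these pods uses `app.kubernetes.io/component: admission-controller`; as written the constraint matches no pods and is satisfied vacuously, so the three replicas can land on one node, which defeats the point for a webhook whose policies are commonly fail-closed. Change it to `app.kubernetes.io/component: admission-controller` to match the chart's own selectors.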
No description provided.