
feat(base-cluster/kyverno): allow setting kyverno resources #1986

Merged
cwrau merged 1 commit into main from feat/base-cluster/allow-setting-kyverno-resources
Mar 12, 2026

Conversation

@cwrau (Member) commented Feb 12, 2026

chore: migrate kyverno config

Summary by CodeRabbit

  • New Features

    • Enhanced Kyverno cluster deployment with pod disruption budgets for improved availability.
    • Extended OAuth proxy authentication configuration with resource allocation options.
  • Chores

    • Optimized resource management by consolidating resource definitions and adding critical priority scheduling for Kyverno controllers.
    • Set resource presets and constraints for improved cluster performance.

Copilot AI review requested due to automatic review settings February 12, 2026 10:56
@cwrau cwrau requested a review from teutonet-bot as a code owner February 12, 2026 10:56
@cwrau cwrau enabled auto-merge February 12, 2026 10:56
@gemini-code-assist

Summary of Changes

Hello @cwrau, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the Kyverno configuration within the base-cluster Helm chart to provide greater flexibility and control over its resource allocation and operational parameters. By centralizing resource definitions and applying them consistently across all Kyverno controllers, it streamlines management and allows for fine-tuning performance based on deployment needs. This change enhances the chart's configurability and ensures better resource utilization for the Kyverno components.

Highlights

  • Kyverno Resource Configuration: The Kyverno chart now allows for explicit resource (CPU/memory) configuration for its controllers (admission, background, reports, cleanup) via the values.yaml file, leveraging a common resource template.
  • Controller-Specific Settings: The priorityClassName and podDisruptionBudget settings have been moved from a global Kyverno configuration to be applied individually to each Kyverno controller, providing more granular control.
  • Schema Updates: The values.schema.json has been updated to include resources and resourcesPreset properties under the Kyverno configuration, enabling validation for the new resource settings.
  • Default Resource Preset: A default resourcesPreset of nano and specific memory/CPU requests have been added to the values.yaml for Kyverno, optimizing its resource consumption by default.
Changelog
  • charts/base-cluster/templates/kyverno/kyverno.yaml
    • Removed top-level priorityClassName, podDisruptionBudget, replicaCount, resources, and initResources definitions.
    • Moved priorityClassName to be configured individually for admissionController, backgroundController, reportsController, and cleanupController.
    • Moved podDisruptionBudget to be configured under admissionController.
    • Introduced a shared resources definition using common.resources template and applied it to all Kyverno controllers.
  • charts/base-cluster/values.schema.json
    • Added resources property with a reference to #/defs/resourceRequirements under the Kyverno schema.
    • Added resourcesPreset property with a reference to #/defs/resourcesPreset under the Kyverno schema.
  • charts/base-cluster/values.yaml
    • Added resourcesPreset: nano to the Kyverno configuration.
    • Added default resources requests for memory (64Mi) and CPU (100m) under the Kyverno configuration.

@coderabbitai Bot commented Feb 12, 2026

📝 Walkthrough

Kyverno Helm configuration enhanced with system-critical priority classes, pod disruption budgets, and resource management constraints. Resource definitions consolidated via YAML anchors, with schema validation and default values added for resource requirements and presets.

Changes

Cohort / File(s) Summary
Kyverno HelmRelease Template
charts/base-cluster/templates/kyverno/kyverno.yaml
Added priorityClassName: system-cluster-critical to all controllers. Introduced podDisruptionBudget for admission controller with minAvailable: 1. Consolidated resource definitions using YAML anchors for reuse across background, reports, and cleanup controllers. Removed legacy standalone PDB and large default resource blocks.
Schema and Values Configuration
charts/base-cluster/values.schema.json, charts/base-cluster/values.yaml
Extended OAuth proxy authentication schema with resourcesPreset and resources properties. Added default resource constraints (resourcesPreset: nano, resources.requests: {memory: 64Mi, cpu: 100m}) to kyverno configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • tasches
  • teutonet-bot
  • marvinWolff

Poem

🐰 Hops of joy through resource lands,
Pod disruptions now at bay,
Priority marked with critical hands,
Anchors keep the config tidy and neat,
Kyverno's feast is now complete!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(base-cluster/kyverno): allow setting kyverno resources' directly and clearly describes the main change: enabling resource configuration for Kyverno in the base-cluster chart.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Copilot AI left a comment


Pull request overview

This PR migrates Kyverno configuration in the base-cluster Helm chart to allow configuring Kyverno resource requests/limits (and a preset) via the chart’s values.yaml, with schema support.

Changes:

  • Add kyverno.resourcesPreset and kyverno.resources defaults to charts/base-cluster/values.yaml.
  • Extend charts/base-cluster/values.schema.json to validate the new Kyverno resource fields.
  • Update the Kyverno HelmRelease values to apply resources (and priorityClass/PDB placement) across Kyverno controllers.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
charts/base-cluster/values.yaml Adds default Kyverno resource preset + requests.
charts/base-cluster/values.schema.json Adds schema entries for kyverno.resources and kyverno.resourcesPreset.
charts/base-cluster/templates/kyverno/kyverno.yaml Wires resource configuration into Kyverno controller values (but currently has a blocking bug in how common.resources is called).


Comment thread charts/base-cluster/templates/kyverno/kyverno.yaml

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@charts/base-cluster/templates/kyverno/kyverno.yaml`:
- Line 76: The resources helper is being called with only
.Values.kyverno.resources which omits resourcesPreset and causes presets (e.g.,
nano) to be ignored; update the include call to pass the whole kyverno values
object instead (use include "common.resources" .Values.kyverno | nindent 8) so
the common.resources helper receives both .resources and .resourcesPreset; keep
the surrounding key (resources:) and nindent 8 unchanged.

Comment thread charts/base-cluster/templates/kyverno/kyverno.yaml

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request makes Kyverno resources configurable, which is a good improvement. However, the changes introduce two potential issues. Firstly, the resource configuration for the critical Kyverno init container has been removed, which could lead to startup failures. Secondly, the new default resource values for Kyverno's main containers are significantly lower than before and lack memory limits, posing a risk of instability and OOMKills for this essential cluster component. I have provided two review comments with high severity to address these concerns, including code suggestions to rectify them.

Comment thread charts/base-cluster/templates/kyverno/kyverno.yaml
Comment thread charts/base-cluster/values.yaml
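The three reviews above converge on the same two knobs: the `common.resources` call must receive the whole `kyverno` values object so that `resourcesPreset` is honoured (CodeRabbit), and a policy engine sitting in the admission path should not run with requests only and no memory limit (Gemini). The excerpt below is an added example, not a file from the base-cluster chart or from this PR: it shows an operator values override next to an illustrative HelmRelease fragment with the corrected include, the per-controller priority class, the admission-controller PDB and a YAML anchor reusing one resources block. The PR's own defaults (`resourcesPreset: nano`, requests `64Mi`/`100m`) are reused; the `256Mi` limit, the `initContainer` block, the `podDisruptionBudget.enabled` flag, the `nindent 10` depth and the HelmRelease apiVersion are assumptions, and the controller key names follow the upstream Kyverno chart rather than anything quoted in the PR.

```yaml
# Added example, not the base-cluster chart's own files.
# Keys under spec.values follow the upstream Kyverno Helm chart (verify
# against the chart version base-cluster pins); values reuse this PR's
# defaults where the PR states them and are marked as assumptions otherwise.

# --- operator values passed to the base-cluster chart ---
# Overrides the PR's defaults (resourcesPreset: nano, requests 64Mi/100m)
# only by adding a memory limit, so a leaking controller is restarted
# instead of pushing the node into eviction.
kyverno:
  resourcesPreset: nano
  resources:
    requests:
      memory: 64Mi
      cpu: 100m
    limits:
      memory: 256Mi   # assumed value; the PR itself sets no limit
---
# --- charts/base-cluster/templates/kyverno/kyverno.yaml (illustrative excerpt) ---
apiVersion: helm.toolkit.fluxcd.io/v2   # assumed; use the version the chart already targets
kind: HelmRelease
metadata:
  name: kyverno
spec:
  values:
    admissionController:
      # system-cluster-critical: the scheduler keeps the policy engine ahead
      # of ordinary workloads when the node is under pressure.
      priorityClassName: system-cluster-critical
      podDisruptionBudget:
        enabled: true      # assumed flag name
        minAvailable: 1
      container:
        # One resources block, anchored so the other controllers reuse it.
        resources: &kyvernoResources
          {{- /* Weak form flagged in review:
                   include "common.resources" .Values.kyverno.resources
                 The helper then never sees .resourcesPreset, so `nano`
                 is silently ignored. */ -}}
          {{- include "common.resources" .Values.kyverno | nindent 10 }}
      initContainer:
        # Assumed: give the init container the same shape instead of leaving
        # it unbounded, which is the gap the Gemini review pointed at.
        resources: *kyvernoResources
    backgroundController:
      priorityClassName: system-cluster-critical
      resources: *kyvernoResources
    reportsController:
      priorityClassName: system-cluster-critical
      resources: *kyvernoResources
    cleanupController:
      priorityClassName: system-cluster-critical
      resources: *kyvernoResources
```

Two checks after rollout. Kyverno sits in the admission path, so while no admission-controller pod is ready every request its webhooks cover is either rejected or admitted unpoliced, depending on the webhook's failurePolicy; that is why its scheduling priority and limits matter more than for an ordinary workload, and why the limit should come from observed usage (`kubectl top pod -n kyverno`) rather than from the preset alone. And `minAvailable: 1` only protects availability if more than one replica runs; on a single replica it instead blocks voluntary evictions, so `kubectl get pdb -n kyverno` should show ALLOWED DISRUPTIONS above 0 before the next node drain.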
@cwrau cwrau added this pull request to the merge queue Mar 12, 2026
Merged via the queue into main with commit 71b9db4 Mar 12, 2026
38 of 39 checks passed
@cwrau cwrau deleted the feat/base-cluster/allow-setting-kyverno-resources branch March 12, 2026 08:35
github-merge-queue Bot pushed a commit that referenced this pull request Mar 17, 2026
🤖 I have created a release *beep* *boop*
---


## [11.1.0](base-cluster-v11.0.1...base-cluster-v11.1.0) (2026-03-16)


### Features

* **base-cluster/ingress:** add auto detection of need for proxy
protocol
([#1951](#1951))
([a94de1a](a94de1a))
* **base-cluster/ingress:** allow external ingress controller
([#1859](#1859))
([1442431](1442431))
* **base-cluster/kyverno:** allow setting kyverno resources
([#1986](#1986))
([71b9db4](71b9db4))
* **base-cluster/monitoring:** add alert about base-cluster updates
([#1937](#1937))
([a3c63a7](a3c63a7))
* **base-cluster/monitoring:** add alert about deprecated APIs
([#2021](#2021))
([cb334dd](cb334dd))


### Bug Fixes

* **base-cluster/deadMansSwitch:** fix alertmanager healthchecks URL
([#2019](#2019))
([d874a56](d874a56))
* **base-cluster/ingress:** disable traefik apiCheck
([#1902](#1902))
([d45bd69](d45bd69))
* **base-cluster/ingress:** they now have the redirections nested under
http
([#1952](#1952))
([dca2502](dca2502))
* **base-cluster/monitoring:** adjust for short-lived certificates
([#1921](#1921))
([41062b2](41062b2))
* **base-cluster/monitoring:** only roll out alloy tracing ports if
enabled
([#2005](#2005))
([ea44c4d](ea44c4d))
* **base-cluster:** Revert "chore(base-cluster/dependencies): update
helm release traefik to v39
([#1936](#1936))"
([#1954](#1954))
([5d2ae36](5d2ae36))


### Miscellaneous Chores

* **base-cluster/dependencies:** update common docker tag to v1.8.0
([#1939](#1939))
([38b1c7e](38b1c7e))
* **base-cluster/dependencies:** update docker.io/curlimages/curl docker
tag to v8.18.0
([#1896](#1896))
([f046977](f046977))
* **base-cluster/dependencies:** update
docker.io/grafana/grafana-image-renderer docker tag to v5.0.13
([#1885](#1885))
([474e903](474e903))
* **base-cluster/dependencies:** update
docker.io/grafana/grafana-image-renderer docker tag to v5.2.3
([#1897](#1897))
([84b647b](84b647b))
* **base-cluster/dependencies:** update
docker.io/grafana/grafana-image-renderer docker tag to v5.3.0
([#1922](#1922))
([ef6f80f](ef6f80f))
* **base-cluster/dependencies:** update
docker.io/grafana/grafana-image-renderer docker tag to v5.4.0
([#1931](#1931))
([50171d8](50171d8))
* **base-cluster/dependencies:** update
docker.io/grafana/grafana-image-renderer docker tag to v5.5.0
([#1968](#1968))
([ee276e2](ee276e2))
* **base-cluster/dependencies:** update
docker.io/grafana/grafana-image-renderer docker tag to v5.5.1
([#1988](#1988))
([f765f5e](f765f5e))
* **base-cluster/dependencies:** update docker.io/vladgh/gpg docker tag
to v1.3.7
([#1886](#1886))
([4b2c33b](4b2c33b))
* **base-cluster/dependencies:** update helm release alloy to v1.5.2
([#1891](#1891))
([41b25e9](41b25e9))
* **base-cluster/dependencies:** update helm release alloy to v1.5.3
([#1949](#1949))
([d8bda90](d8bda90))
* **base-cluster/dependencies:** update helm release alloy to v1.6.0
([#1975](#1975))
([76632e4](76632e4))
* **base-cluster/dependencies:** update helm release external-dns to
v1.20.0
([#1905](#1905))
([ff53477](ff53477))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v80.13.3
([#1892](#1892))
([9775868](9775868))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v80.14.4
([#1906](#1906))
([f62458d](f62458d))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v81
([#1923](#1923))
([9e9915d](9e9915d))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v81.2.1
([#1934](#1934))
([30fa0dd](30fa0dd))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v81.3.2
([#1950](#1950))
([95a9398](95a9398))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v81.5.0
([#1962](#1962))
([1a9bab8](1a9bab8))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v81.5.2
([#1982](#1982))
([07c2249](07c2249))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v81.6.6
([#1989](#1989))
([2bf4f3c](2bf4f3c))
* **base-cluster/dependencies:** update helm release
kube-prometheus-stack to v82
([#1995](#1995))
([45ef213](45ef213))
* **base-cluster/dependencies:** update helm release loki to v6.49.0
([#1908](#1908))
([f36dd6d](f36dd6d))
* **base-cluster/dependencies:** update helm release loki to v6.51.0
([#1928](#1928))
([6ac27d6](6ac27d6))
* **base-cluster/dependencies:** update helm release loki to v6.53.0
([#1974](#1974))
([0bc6e68](0bc6e68))
* **base-cluster/dependencies:** update helm release oauth2-proxy to v10
([#1913](#1913))
([7e551b5](7e551b5))
* **base-cluster/dependencies:** update helm release oauth2-proxy to
v10.1.1
([#1944](#1944))
([3f97108](3f97108))
* **base-cluster/dependencies:** update helm release oauth2-proxy to
v10.1.2
([#1961](#1961))
([c0bc91d](c0bc91d))
* **base-cluster/dependencies:** update helm release oauth2-proxy to
v10.1.3
([#1979](#1979))
([9b95c4b](9b95c4b))
* **base-cluster/dependencies:** update helm release oauth2-proxy to
v10.1.4
([#2001](#2001))
([8ffa211](8ffa211))
* **base-cluster/dependencies:** update helm release reflector to v10
([#1924](#1924))
([0051c34](0051c34))
* **base-cluster/dependencies:** update helm release reflector to
v10.0.19
([#1999](#1999))
([a2b5189](a2b5189))
* **base-cluster/dependencies:** update helm release reflector to
v10.0.2
([#1935](#1935))
([333393e](333393e))
* **base-cluster/dependencies:** update helm release reflector to
v10.0.4
([#1956](#1956))
([3eef9a0](3eef9a0))
* **base-cluster/dependencies:** update helm release reflector to
v10.0.8
([#1978](#1978))
([b2f97f9](b2f97f9))
* **base-cluster/dependencies:** update helm release reflector to
v9.1.45
([#1893](#1893))
([ff100d9](ff100d9))
* **base-cluster/dependencies:** update helm release tempo to v1.24.3
([#1904](#1904))
([99099bf](99099bf))
* **base-cluster/dependencies:** update helm release tempo to v1.24.4
([#1957](#1957))
([7d67bf3](7d67bf3))
* **base-cluster/dependencies:** update helm release tempo to v1.26.1
([#1976](#1976))
([517da93](517da93))
* **base-cluster/dependencies:** update helm release tempo to v1.26.7
([#2000](#2000))
([6cabd54](6cabd54))
* **base-cluster/dependencies:** update helm release traefik to v38
([#1914](#1914))
([106c7cf](106c7cf))
* **base-cluster/dependencies:** update helm release traefik to v39
([#1936](#1936))
([5b39257](5b39257))
* **base-cluster/dependencies:** update helm release traefik to v39
([#1959](#1959))
([6efe111](6efe111))
* **base-cluster/dependencies:** update helm release traefik to v39.0.1
([#1992](#1992))
([27d7316](27d7316))
* **base-cluster/monitoring:** migrate helm repo to new URL
([#1955](#1955))
([9263d6a](9263d6a))
* **base-cluster/tetragon:** update flux apiVersion
([#1900](#1900))
([ff93afb](ff93afb))
* **base-cluster:** update kyverno
([#1918](#1918))
([a503ef6](a503ef6))
* migrate kyverno config
([71b9db4](71b9db4))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

4 participants