feat(container): update kyverno ( 3.2.7 → 3.3.3 ) #1491
Open: bot-akira wants to merge 1 commit into main from renovate/kyverno-3.x
--- kubernetes/apps/kyverno/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno/kyverno
+++ kubernetes/apps/kyverno/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno/kyverno
@@ -12,13 +12,13 @@
spec:
chart: kyverno
sourceRef:
kind: HelmRepository
name: kyverno-charts
namespace: flux-system
- version: 3.2.7
+ version: 3.3.3
install:
remediation:
retries: 3
interval: 30m
uninstall:
keepHistory: false
--- kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cluster-apps-cert-manager ConfigMap: cert-manager/cert-manager-dashboard
+++ kubernetes/apps/cert-manager/cert-manager/app Kustomization: flux-system/cluster-apps-cert-manager ConfigMap: cert-manager/cert-manager-dashboard
@@ -3,13 +3,13 @@
data:
cert-manager-dashboard.json: "\n\n\n\n\n\n<!DOCTYPE html>\n<html class=\"gl-light\
\ ui-neutral with-top-bar with-header \" lang=\"en\">\n<head prefix=\"og: http://ogp.me/ns#\"\
>\n<meta charset=\"utf-8\">\n<meta content=\"IE=edge\" http-equiv=\"X-UA-Compatible\"\
>\n<meta content=\"width=device-width, initial-scale=1\" name=\"viewport\">\n\
<title>dashboards/cert-manager.json \xB7 master \xB7 uneeq-oss / cert-manager-mixin\
- \ \xB7 GitLab</title>\n<script nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\">\n//<![CDATA[\n\
+ \ \xB7 GitLab</title>\n<script nonce=\"VzWwNP1pDZCleP8PYGMvGw==\">\n//<![CDATA[\n\
window.gon={};gon.api_version=\"v4\";gon.default_avatar_url=\"https://gitlab.com/assets/no_avatar-849f9c04a3a0d0cea2424ae97b27447dc64a7dbfae83c036c45b403392f0e8ba.png\"\
;gon.max_file_size=100;gon.asset_host=null;gon.webpack_public_path=\"/assets/webpack/\"\
;gon.relative_url_root=\"\";gon.user_color_mode=\"gl-light\";gon.user_color_scheme=\"\
white\";gon.markdown_surround_selection=null;gon.markdown_automatic_lists=null;gon.math_rendering_limits_enabled=true;gon.analytics_url=\"\
https://collector.prd-278964.gl-product-analytics.com\";gon.analytics_id=\"715db59f-f350-4bfd-aef8-e7a7f0c023f0\"\
;gon.sentry_dsn=\"https://f5573e26de8f4293b285e556c35dfd6e@new-sentry.gitlab.net/4\"\
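Review bot: The value of `cert-manager-dashboard.json` at the top of this ConfigMap begins with `<!DOCTYPE html>` and carries the page title "dashboards/cert-manager.json · master · uneeq-oss / cert-manager-mixin · GitLab", so the ConfigMap is storing GitLab's blob viewer page instead of the dashboard JSON. Every changed line in this file is a per-request value (script nonce, X-CSRF-Token, correlation_id, host_name, context_generated_at), which is why it appears in an unrelated Kyverno bump and will keep producing diffs on each render. Point the dashboard source at the raw file URL so Grafana receives JSON, and fix that in its own change rather than in this PR.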
@@ -36,13 +36,13 @@
:false,\"advancedContextResolver\":true,\"asyncSidebarCounts\":true,\"inlineBlame\"\
:false,\"explainCodeChat\":false,\"upgradePdfjs\":true};gon.roadmap_epics_limit=1000;gon.subscriptions_url=\"\
https://customers.gitlab.com\";gon.subscriptions_legacy_sign_in_url=\"https://customers.gitlab.com/customers/sign_in?legacy=true\"\
;gon.billing_accounts_url=\"https://customers.gitlab.com/billing_accounts\";gon.payment_form_url=\"\
https://customers.gitlab.com/payment_forms/cc_validation\";gon.payment_validation_form_id=\"\
payment_method_validation\";gon.licensed_features={\"remoteDevelopment\":true};\n\
- //]]>\n</script>\n\n\n<script nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\">\n//<![CDATA[\n\
+ //]]>\n</script>\n\n\n<script nonce=\"VzWwNP1pDZCleP8PYGMvGw==\">\n//<![CDATA[\n\
var gl = window.gl || {};\ngl.startup_calls = null;\ngl.startup_graphql_calls\
\ = [{\"query\":\"query getBlobInfo(\\n $projectPath: ID!\\n $filePath: [String!]!\\\
n $ref: String!\\n $refType: RefType\\n $shouldFetchRawText: Boolean!\\n) {\\\
n project(fullPath: $projectPath) {\\n __typename\\n id\\n repository\
\ {\\n __typename\\n empty\\n blobs(paths: $filePath, ref: $ref,\
\ refType: $refType) {\\n __typename\\n nodes {\\n __typename\\\
@@ -68,13 +68,13 @@
\ request checks\n headers: {\n 'X-Requested-With': 'XMLHttpRequest'\n\
\ },\n // fetch won\u2019t send cookies in older browsers, unless\
\ you set the credentials init option.\n // We set to `same-origin` which\
\ is default value in modern browsers.\n // See https://github.com/whatwg/fetch/pull/585\
\ for more information.\n credentials: 'same-origin'\n })\n };\n\
\ });\n}\nif (gl.startup_graphql_calls && window.fetch) {\n const headers =\
- \ {\"X-CSRF-Token\":\"Y3V0JVoAA9fe6nCXWmxZu48e3kENZrLejgAGazb2zqCdHxRTGRnI0F1d4VBSlWDcknMVgLVUkoWg7zZ3QwqAPg\"\
+ \ {\"X-CSRF-Token\":\"E2hw2a4ljpTDNCIzmq-Bo90DETmSeTBfKHQUcE_3YvjeebWBMhI6l3zaj3Rm7NjcqVGGiu-dfXVKIjvj1kX5QQ\"\
,\"x-gitlab-feature-category\":\"source_code_management\"};\n const url = `https://gitlab.com/api/graphql`\n\
\n const opts = {\n method: \"POST\",\n headers: {\n \"Content-Type\"\
: \"application/json\",\n ...headers,\n }\n };\n\n gl.startup_graphql_calls\
\ = gl.startup_graphql_calls.map(call => ({\n ...call,\n fetchCall: fetch(url,\
\ {\n ...opts,\n credentials: 'same-origin',\n body: JSON.stringify(call)\n\
\ })\n }))\n}\n\n\n//]]>\n</script>\n\n<link rel=\"prefetch\" href=\"/assets/webpack/monaco.71f3161d.chunk.js\"\
@@ -86,27 +86,27 @@
\ /><link rel=\"stylesheet\" href=\"/assets/page_bundles/notes_shared-59155f50552b89e84451143840d7e8eccff4d0b52532219d6cfe318a64c59c2f.css\"\
\ />\n<link rel=\"stylesheet\" href=\"/assets/application_utilities-0bfb919a8a7eb0e89544dfe328e69461ccb276a565685fdb6ae3b14f3db3f41b.css\"\
\ />\n<link rel=\"stylesheet\" href=\"/assets/tailwind-72fdee340154524f5c6f88c7648b200197a6b07fd089b87d0e4f6aca67f836d4.css\"\
\ />\n\n\n<link rel=\"stylesheet\" href=\"/assets/fonts-fae5d3f79948bd85f18b6513a025f863b19636e85b09a1492907eb4b1bb0557b.css\"\
\ />\n<link rel=\"stylesheet\" href=\"/assets/highlight/themes/white-5ffbb706faebead681b01c8b52e92c6c0d35ad5b1c11d39012c90bcaf7892ca8.css\"\
\ />\n\n<script src=\"/assets/webpack/runtime.0fb84afe.bundle.js\" defer=\"defer\"\
- \ nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"></script>\n<script src=\"/assets/webpack/main.f16ee39f.chunk.js\"\
- \ defer=\"defer\" nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"></script>\n<script src=\"\
- /assets/webpack/tracker.0de79909.chunk.js\" defer=\"defer\" nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"\
+ \ nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"></script>\n<script src=\"/assets/webpack/main.f16ee39f.chunk.js\"\
+ \ defer=\"defer\" nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"></script>\n<script src=\"\
+ /assets/webpack/tracker.0de79909.chunk.js\" defer=\"defer\" nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"\
></script>\n<script src=\"/assets/webpack/analytics.1b3bd16a.chunk.js\" defer=\"\
- defer\" nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"></script>\n<script nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"\
+ defer\" nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"></script>\n<script nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"\
>\n//<![CDATA[\nwindow.snowplowOptions = {\"namespace\":\"gl\",\"hostname\":\"\
snowplow.trx.gitlab.net\",\"cookieDomain\":\".gitlab.com\",\"appId\":\"gitlab\"\
,\"formTracking\":true,\"linkClickTracking\":true}\n\ngl = window.gl || {};\n\
gl.snowplowStandardContext = {\"schema\":\"iglu:com.gitlab/gitlab_standard/jsonschema/1-1-1\"\
,\"data\":{\"environment\":\"production\",\"source\":\"gitlab-rails\",\"correlation_id\"\
- :\"01JCV62NVR3MVFDZCRB0CY78VC\",\"plan\":\"free\",\"extra\":{},\"user_id\":null,\"\
+ :\"01JCV62GVMTRQGJ0MV1E89S9PM\",\"plan\":\"free\",\"extra\":{},\"user_id\":null,\"\
global_user_id\":null,\"is_gitlab_team_member\":null,\"namespace_id\":6108262,\"\
project_id\":20535911,\"feature_enabled_by_namespace_ids\":null,\"realm\":\"saas\"\
- ,\"instance_id\":\"ea8bf810-1d6f-4a6a-b4fd-93e8cbd8b57f\",\"host_name\":\"gitlab-webservice-web-bcd75b9c5-lmkrg\"\
- ,\"instance_version\":\"17.6.0\",\"context_generated_at\":\"2024-11-16T19:09:29.522Z\"\
+ ,\"instance_id\":\"ea8bf810-1d6f-4a6a-b4fd-93e8cbd8b57f\",\"host_name\":\"gitlab-webservice-web-bcd75b9c5-95v8h\"\
+ ,\"instance_version\":\"17.6.0\",\"context_generated_at\":\"2024-11-16T19:09:24.419Z\"\
}}\ngl.snowplowPseudonymizedPageUrl = \"https://gitlab.com/namespace6108262/project20535911/-/blob/:repository_path\"\
;\ngl.maskedDefaultReferrerUrl = null;\ngl.ga4MeasurementId = 'G-ENFH3X7M5Y';\n\
\n\n//]]>\n</script>\n<link rel=\"preload\" href=\"/assets/application_utilities-0bfb919a8a7eb0e89544dfe328e69461ccb276a565685fdb6ae3b14f3db3f41b.css\"\
\ as=\"style\" type=\"text/css\" nonce=\"WQlw1Dg/Rd45+QbCzx3atA==\">\n<link rel=\"\
preload\" href=\"/assets/application-2e7ef83e15987978e4f0904abad50886880a9d77f4ea046aa896d08a3bf0f609.css\"\
\ as=\"style\" type=\"text/css\" nonce=\"WQlw1Dg/Rd45+QbCzx3atA==\">\n<link rel=\"\
@@ -116,72 +116,72 @@
\ crossorigin=\"\" href=\"/assets/gitlab-sans/GitLabSans-1e0a5107ea3bbd4be93e8ad2c503467e43166cd37e4293570b490e0812ede98b.woff2\"\
\ rel=\"preload\">\n<link as=\"font\" crossorigin=\"\" href=\"/assets/gitlab-sans/GitLabSans-Italic-38eaf1a569a54ab28c58b92a4a8de3afb96b6ebc250cf372003a7b38151848cc.woff2\"\
\ rel=\"preload\">\n<link as=\"font\" crossorigin=\"\" href=\"/assets/gitlab-mono/GitLabMono-08d2c5e8ff8fd3d2d6ec55bc7713380f8981c35f9d2df14e12b835464d6e8f23.woff2\"\
\ rel=\"preload\">\n<link as=\"font\" crossorigin=\"\" href=\"/assets/gitlab-mono/GitLabMono-Italic-38e58d8df29485a20c550da1d0111e2c2169f6dcbcf894f2cd3afbdd97bcc588.woff2\"\
\ rel=\"preload\">\n<link rel=\"preload\" href=\"/assets/fonts-fae5d3f79948bd85f18b6513a025f863b19636e85b09a1492907eb4b1bb0557b.css\"\
\ as=\"style\" type=\"text/css\" nonce=\"WQlw1Dg/Rd45+QbCzx3atA==\">\n\n\n\n<script\
- \ src=\"/assets/webpack/sentry.5eed0c3a.chunk.js\" defer=\"defer\" nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"\
+ \ src=\"/assets/webpack/sentry.5eed0c3a.chunk.js\" defer=\"defer\" nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"\
></script>\n\n<script src=\"/assets/webpack/10.52a37906.chunk.js\" defer=\"defer\"\
- \ nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"></script>\n<script src=\"/assets/webpack/12.b315250f.chunk.js\"\
- \ defer=\"defer\" nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"></script>\n<script src=\"\
- /assets/webpack/14.3c86fb70.chunk.js\" defer=\"defer\" nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"\
+ \ nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"></script>\n<script src=\"/assets/webpack/12.b315250f.chunk.js\"\
+ \ defer=\"defer\" nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"></script>\n<script src=\"\
+ /assets/webpack/14.3c86fb70.chunk.js\" defer=\"defer\" nonce=\"VzWwNP1pDZCleP8PYGMvGw==\"\
></script>\n<script src=\"/assets/webpack/commons-pages.groups.analytics.dashboards-pages.groups.harbor.repositories-pages.groups.iteration_ca-b07ae190.c914cf7a.chunk.js\"\
- \ defer=\"defer\" nonce=\"7yeHZ7TjJFzEwV/SuZbPoA==\"></script>\n<script src=\"\
[Diff truncated by flux-local]
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-cleanup-jobs
- namespace: kyverno
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-grafana-grafana
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-grafana-grafana
@@ -6,2882 +6,3445 @@
namespace: kyverno
labels:
grafana_dashboard: '1'
data:
kyverno-dashboard.json: |
{
- "__inputs": [
+ "annotations": {
+ "list": [
{
- "name": "DS_PROMETHEUS_KYVERNO",
- "label": "Prometheus Data Source exposing Kyverno's metrics",
- "description": "Prometheus Data Source exposing Kyverno's metrics",
- "type": "datasource"
+ "builtIn": 1,
+ "datasource": {
+ "type": "datasource",
+ "uid": "grafana"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "target": {
+ "limit": 100,
+ "matchAny": false,
+ "tags": [],
+ "type": "dashboard"
+ },
+ "type": "dashboard"
}
- ],
- "annotations": {
- "list": [
- {
- "builtIn": 1,
- "datasource": "-- Grafana --",
- "enable": true,
- "hide": true,
- "iconColor": "rgba(0, 211, 255, 1)",
- "name": "Annotations & Alerts",
- "target": {
- "limit": 100,
- "matchAny": false,
- "tags": [],
- "type": "dashboard"
- },
- "type": "dashboard"
- }
- ]
+ ]
},
"description": "",
"editable": true,
- "gnetId": null,
+ "fiscalYearStartMonth": 0,
"graphTooltip": 0,
- "id": 2,
- "iteration": 1628375170149,
+ "id": 472,
"links": [],
"panels": [
- {
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "gridPos": {
- "h": 6,
- "w": 24,
- "x": 0,
- "y": 0
- },
- "id": 42,
- "options": {
- "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)",
- "mode": "markdown"
- },
- "pluginVersion": "8.1.0",
- "timeFrom": null,
- "timeShift": null,
- "transparent": true,
- "type": "text"
- },
- {
- "collapsed": false,
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "gridPos": {
- "h": 1,
- "w": 24,
- "x": 0,
- "y": 6
- },
- "id": 12,
- "panels": [],
- "title": "Latest Status",
- "type": "row"
- },
- {
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "max": 100,
- "min": 0,
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "text",
- "value": null
- },
- {
- "value": 0,
- "color": "green"
- },
- {
- "color": "#eab839",
- "value": 25
- },
- {
- "color": "red",
- "value": 50
- },
- {
- "color": "red",
- "value": 100
- }
- ]
- },
- "unit": "percent"
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 42,
+ "options": {
+ "code": {
+ "language": "plaintext",
+ "showLineNumbers": false,
+ "showMiniMap": false
+ },
+ "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)",
+ "mode": "markdown"
+ },
+ "pluginVersion": "11.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "refId": "A"
+ }
+ ],
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "collapsed": false,
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 6
+ },
+ "id": 12,
+ "panels": [],
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "refId": "A"
+ }
+ ],
+ "title": "Latest Status",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "max": 100,
+ "min": 0,
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "text",
+ "value": null
},
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 6,
- "x": 0,
- "y": 7
- },
- "id": 29,
- "options": {
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
+ {
+ "color": "green",
+ "value": 0
+ },
+ {
+ "color": "#eab839",
+ "value": 25
+ },
+ {
+ "color": "red",
+ "value": 50
+ },
+ {
+ "color": "red",
+ "value": 100
+ }
+ ]
+ },
+ "unit": "percent"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 0,
+ "y": 7
+ },
+ "id": 29,
+ "options": {
+ "minVizHeight": 75,
+ "minVizWidth": 75,
+ "orientation": "auto",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showThresholdLabels": false,
+ "showThresholdMarkers": true,
+ "sizing": "auto",
+ "text": {}
+ },
+ "pluginVersion": "11.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "exemplar": true,
+ "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{cluster=~\"$cluster\"}[24h]))",
+ "interval": "",
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "title": "Rule Execution Failure Rate (Last 24 Hours)",
+ "transparent": true,
+ "type": "gauge"
+ },
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
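Review bot: At the top of kyverno-dashboard.json the `__inputs` block that declared DS_PROMETHEUS_KYVERNO is removed, yet every new panel still sets its datasource uid to `${DS_PROMETHEUS_KYVERNO}`, and the gauge query now filters on a `$cluster` variable. Check the truncated remainder of the dashboard for templating variables with those two names; if either is undefined in the Grafana instance that loads this ConfigMap, the panels will have no datasource or an unresolved filter after the upgrade.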
[Diff truncated by flux-local]
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
@@ -16,15 +16,13 @@
defaultRegistry: docker.io
generateSuccessEvents: 'false'
excludeGroups: system:nodes
resourceFilters: '[*/*,kyverno,*] [Event,*,*] [*/*,kube-system,*] [*/*,kube-public,*]
[*/*,kube-node-lease,*] [Node,*,*] [Node/*,*,*] [APIService,*,*] [APIService/*,*,*]
[TokenReview,*,*] [SubjectAccessReview,*,*] [SelfSubjectAccessReview,*,*] [Binding,*,*]
- [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [AdmissionReport,*,*] [AdmissionReport/*,*,*]
- [ClusterAdmissionReport,*,*] [ClusterAdmissionReport/*,*,*] [BackgroundScanReport,*,*]
- [BackgroundScanReport/*,*,*] [ClusterBackgroundScanReport,*,*] [ClusterBackgroundScanReport/*,*,*]
+ [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [EphemeralReport,*,*] [ClusterEphemeralReport,*,*]
[ClusterRole,*,kyverno:admission-controller] [ClusterRole,*,kyverno:admission-controller:core]
[ClusterRole,*,kyverno:admission-controller:additional] [ClusterRole,*,kyverno:background-controller]
[ClusterRole,*,kyverno:background-controller:core] [ClusterRole,*,kyverno:background-controller:additional]
[ClusterRole,*,kyverno:cleanup-controller] [ClusterRole,*,kyverno:cleanup-controller:core]
[ClusterRole,*,kyverno:cleanup-controller:additional] [ClusterRole,*,kyverno:reports-controller]
[ClusterRole,*,kyverno:reports-controller:core] [ClusterRole,*,kyverno:reports-controller:additional]
@@ -61,9 +59,10 @@
[Service,kyverno,kyverno-cleanup-controller] [Service/*,kyverno,kyverno-cleanup-controller]
[Service,kyverno,kyverno-cleanup-controller-metrics] [Service/*,kyverno,kyverno-cleanup-controller-metrics]
[Service,kyverno,kyverno-reports-controller-metrics] [Service/*,kyverno,kyverno-reports-controller-metrics]
[ServiceMonitor,kyverno,kyverno-admission-controller] [ServiceMonitor,kyverno,kyverno-background-controller]
[ServiceMonitor,kyverno,kyverno-cleanup-controller] [ServiceMonitor,kyverno,kyverno-reports-controller]
[Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]'
+ updateRequestThreshold: '1000'
webhooks: '[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}],"matchLabels":null},"objectSelector":{"matchExpressions":[{"key":"webhooks.kyverno.io/exclude","operator":"DoesNotExist"}]}}]'
webhookAnnotations: '{"admissions.enforcer/disabled":"true"}'
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
@@ -8,9 +8,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
data:
namespaces: '{"exclude":[],"include":[]}'
+ metricsExposure: '{"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]}}'
bucketBoundaries: 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20,
25, 30
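Review bot: The added `metricsExposure` entry disables the `resource_namespace` label on all six listed metrics and `policy_namespace` on three of them (kyverno_cleanup_controller_deletedobjects_total, kyverno_policy_results_total, kyverno_policy_rule_info_total). Alert rules and dashboard queries that group or filter on those labels will stop matching once this rolls out, so search the existing PrometheusRules and panels for both label names before merging, or override this setting through the chart values if a per-namespace breakdown is still needed.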
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-admission-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
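Review bot: The added selector `rbac.kyverno.io/aggregate-to-admission-controller: 'true'` matches on that single label, so any ClusterRole in the cluster that carries it has its rules merged into kyverno:admission-controller without needing the three app.kubernetes.io labels the existing selector requires. Treat permission to create or label ClusterRoles as equivalent to granting rights to the Kyverno service account, and list which ClusterRoles already carry the label before merging. The same single-label selector is added for the background, cleanup and reports controllers further down.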
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
@@ -47,16 +47,12 @@
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
verbs:
- create
- delete
- get
- list
@@ -126,15 +122,7 @@
- create
- update
- patch
- get
- list
- watch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
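Review bot: Policies that match or look up kinds not named in the remaining rules lose read access here, because the rule removed at the end of this role is the wildcard grant (apiGroups '*', resources '*', verbs get/list/watch). The reduction is welcome, but it can surface as permission errors at admission time. Inventory the kinds your policies reference and add a ClusterRole labelled rbac.kyverno.io/aggregate-to-admission-controller for the ones that are no longer covered.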
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-background-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
@@ -16,13 +16,15 @@
verbs:
- get
- apiGroups:
- kyverno.io
resources:
- policies
+ - policies/status
- clusterpolicies
+ - clusterpolicies/status
- policyexceptions
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
verbs:
@@ -53,19 +55,25 @@
- get
- list
- patch
- update
- watch
- apiGroups:
- - '*'
+ - reports.kyverno.io
resources:
- - '*'
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
+ - create
+ - delete
- get
- list
+ - patch
+ - update
- watch
+ - deletecollection
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
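Review bot: Generate and mutate-existing policies that relied on the background controller's wildcard read lose it in this rule: '*'/'*' is narrowed to ephemeralreports and clusterephemeralreports in reports.kyverno.io, while create, delete, patch, update and deletecollection are added for those two resources. Confirm that every kind those policies read is covered by another rule in this role or by a ClusterRole labelled rbac.kyverno.io/aggregate-to-background-controller.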
@@ -85,13 +93,12 @@
- patch
- delete
- apiGroups:
- ''
resources:
- configmaps
- - secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
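Review bot: Dropping `secrets` from this create/update/patch rule means the background controller can no longer write Secrets cluster-wide, so a generate rule that clones or syncs a Secret into other namespaces will be denied unless another rule grants it. If such policies exist, grant the access back through a narrowly scoped ClusterRole labelled rbac.kyverno.io/aggregate-to-background-controller rather than restoring the old default.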
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-jobs
@@ -1,30 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - updaterequests
- verbs:
- - list
- - deletecollection
- - delete
-- apiGroups:
- - reports.kyverno.io
- resources:
- - ephemeralreports
- - clusterephemeralreports
- verbs:
- - list
- - deletecollection
- - delete
-
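Review bot: Any workload still running as kyverno-cleanup-jobs will fail authorization after this change, since the ClusterRole, its ClusterRoleBinding and the ServiceAccount are all deleted in this render, taking with them list/deletecollection/delete on admissionreports, clusteradmissionreports, updaterequests and the ephemeral report kinds. Confirm in the part of the diff not shown here that the jobs using this identity are removed too; a leftover job would fail quietly and stale update requests or reports would accumulate.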
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
@@ -7,27 +7,12 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
@@ -8,23 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rbac.authorization.k8s.io/aggregate-to-view: 'true'
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
- get
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-reports-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
@@ -15,28 +15,23 @@
- customresourcedefinitions
verbs:
- get
- apiGroups:
- ''
resources:
- - secrets
- configmaps
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
resources:
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
- policies
- clusterpolicies
verbs:
- create
- delete
@@ -81,15 +76,7 @@
- events.k8s.io
resources:
- events
verbs:
- create
- patch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
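Review bot: With the wildcard get/list/watch rule removed at the end of this role, and `secrets` dropped from the cluster-wide read rule in the hunk above, the reports controller can only read kinds that are named explicitly. Background-scan results for custom resources or other unlisted kinds may stop being produced without any policy change, and a missing report is easy to misread as a clean one. Add a ClusterRole labelled rbac.kyverno.io/aggregate-to-reports-controller for the kinds your policies audit, and compare report counts before and after the upgrade.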
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-jobs
@@ -1,18 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:cleanup-jobs
-subjects:
-- kind: ServiceAccount
- name: kyverno-cleanup-jobs
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
@@ -11,16 +11,18 @@
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
- ''
resources:
- secrets
+ - serviceaccounts
verbs:
- get
- list
- watch
+ - patch
- create
- update
- delete
- apiGroups:
- ''
resources:
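Review bot: The first rule of this Role now covers `serviceaccounts` as well as `secrets` and gains `patch`, and it shows no resourceNames restriction, so the admission controller has full read/write on every Secret and ServiceAccount in the kyverno namespace. Keep unrelated workloads and their credentials out of that namespace so the grant only reaches Kyverno's own objects.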
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
@@ -54,7 +54,15 @@
- delete
- get
- patch
- update
resourceNames:
- kyverno-cleanup-controller
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
@@ -19,12 +19,20 @@
- list
- watch
resourceNames:
- kyverno
- kyverno-metrics
- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
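Review bot: The added rule grants get/list/watch on all Secrets in the kyverno namespace with no resourceNames, unlike the rule just above it, which is limited by resourceNames to kyverno and kyverno-metrics. It replaces the cluster-wide secrets read removed from kyverno:reports-controller:core, which is a net reduction, but every secret stored in this namespace remains readable by the reports controller, so keep only Kyverno's own secrets there.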
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
@@ -12,12 +12,13 @@
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
@@ -12,12 +12,13 @@
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
@@ -51,13 +51,13 @@
- admission-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-admission-controller
initContainers:
- name: kyverno-pre
- image: ghcr.io/kyverno/kyvernopre:v1.12.6
+ image: ghcr.io/kyverno/kyvernopre:v1.13.0
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
resources:
limits:
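Review bot: The init container image `ghcr.io/kyverno/kyvernopre:v1.13.0` is referenced by tag only with imagePullPolicy IfNotPresent, and the same holds for the kyverno, background-controller and cleanup-controller images below. For a component that gates admission for the whole cluster, pin the images by digest where the chart values allow it, so a re-pushed tag cannot change what runs.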
@@ -76,12 +76,14 @@
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:admission-controller
- name: INIT_CONFIG
value: kyverno
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
@@ -94,39 +96,43 @@
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
containers:
- name: kyverno
- image: ghcr.io/kyverno/kyverno:v1.12.6
+ image: ghcr.io/kyverno/kyverno:v1.13.0
imagePullPolicy: IfNotPresent
args:
- --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
+ - --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller
- --servicePort=443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
- --maxAdmissionReports=1000
- --autoUpdateWebhooks=true
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --generateValidatingAdmissionPolicy=false
+ - --dumpPatches=false
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
resources:
limits:
memory: 384Mi
requests:
cpu: 100m
memory: 128Mi
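Review bot: `--enablePolicyException` flips from true to false in the kyverno container args, so existing PolicyException resources stop being applied once this deploys and the workloads they exempted are evaluated against the full policy set. If exceptions are in use, set the value explicitly in the HelmRelease before merging and decide which namespaces may hold exceptions. The same flip appears in the background-controller args, and the new `--enableReporting=validate,mutate,mutateExisting,imageVerify,generate` flag widens what ends up in reports, which is worth a note in the PR description.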
@@ -159,12 +165,14 @@
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
- name: TUF_ROOT
value: /.sigstore
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
@@ -43,32 +43,34 @@
- background-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-background-controller
containers:
- name: controller
- image: ghcr.io/kyverno/background-controller:v1.12.6
+ image: ghcr.io/kyverno/background-controller:v1.13.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-background-controller
- name: KYVERNO_DEPLOYMENT
value: kyverno-background-controller
- name: INIT_CONFIG
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
@@ -43,13 +43,13 @@
- cleanup-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
- image: ghcr.io/kyverno/cleanup-controller:v1.12.6
+ image: ghcr.io/kyverno/cleanup-controller:v1.13.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
@@ -58,12 +58,13 @@
args:
- --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
- --servicePort=443
- --cleanupServerPort=9443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableDeferredLoading=true
- --dumpPayload=false
- --maxAPICallResponseLength=2000000
@@ -81,12 +82,14 @@
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-cleanup-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:cleanup-controller
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-cleanup-controller
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
@@ -43,25 +43,26 @@
- reports-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-reports-controller
containers:
- name: controller
- image: ghcr.io/kyverno/reports-controller:v1.12.6
+ image: ghcr.io/kyverno/reports-controller:v1.13.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- --validatingAdmissionPolicyReports=false
- --backgroundScan=true
- --backgroundScanWorkers=2
@@ -70,16 +71,16 @@
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- - --reportsChunkSize=0
+ - --enablePolicyException=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-reports-controller
- name: KYVERNO_DEPLOYMENT
value: kyverno-reports-controller
- name: INIT_CONFIG
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
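Review bot: removing this CronJob drops the periodic safety valve that deleted admissionreports once the count passed 10000, and nothing in the visible hunks replaces it; the only remaining bound shown is `--maxAdmissionReports=1000` on the admission controller. Watch report object counts after the upgrade, and confirm that the `kyverno-cleanup-jobs` ServiceAccount this job ran as, together with its delete permissions, is removed in the same render so that no unused delete-capable identity is left behind. The same applies to the three CronJob removals that follow.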
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-cluster-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-ephemeral-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-ephemeral-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-cluster-ephemeral-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many clusterephemeralreports found ($COUNT), cleaning up..."
- kubectl delete clusterephemeralreports.reports.kyverno.io -A --all
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-ephemeral-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-ephemeral-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-ephemeral-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many ephemeralreports found ($COUNT), cleaning up..."
- kubectl delete ephemeralreports.reports.kyverno.io -A --all
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
@@ -7,10 +7,10 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: '0'
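Review bot: on this ServiceAccount the `helm.sh/hook-delete-policy` is `before-hook-creation,hook-succeeded`, while the Role, RoleBinding and Job for the same hook also list `hook-failed`. With the hook moved to `post-delete`, a failed run happens after the release is already gone, so the ServiceAccount would be left orphaned in the namespace. Ask upstream to add `hook-failed` here, or check for a leftover `kyverno-remove-configmap` ServiceAccount after any uninstall.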
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
@@ -7,13 +7,13 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: '0'
rules:
- apiGroups:
- ''
resources:
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
@@ -7,13 +7,13 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: '0'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kyverno:remove-configmap
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
@@ -18,30 +18,41 @@
metadata: null
spec:
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: bitnami/kubectl:1.28.5
+ image: bitnami/kubectl:1.30.2
imagePullPolicy: null
command:
- /bin/bash
- -c
- - "set -euo pipefail\nNAMESPACES=$(kubectl get namespaces --no-headers=true\
- \ | awk '{print $1}')\n\nfor ns in ${NAMESPACES[@]};\ndo\n COUNT=$(kubectl\
- \ get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print\
- \ $1}' | wc -l)\n\n if [ $COUNT -gt 0 ]; then\n echo \"deleting $COUNT\
- \ policyreports in namespace $ns\"\n kubectl get policyreports.wgpolicyk8s.io\
- \ -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete\
- \ -n $ns policyreports.wgpolicyk8s.io\n else\n echo \"no policyreports\
- \ in namespace $ns\"\n fi\ndone\n\nCOUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io\
- \ --no-headers=true | awk '/pol/{print $1}' | wc -l)\n \nif [ $COUNT -gt\
- \ 0 ]; then\n echo \"deleting $COUNT clusterpolicyreports\"\n kubectl\
- \ get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print\
- \ $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io\nelse\n\
- \ echo \"no clusterpolicyreports\"\nfi\n"
+ - |
+ set -euo pipefail
+ NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
+
+ for ns in ${NAMESPACES[@]};
+ do
+ COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT policyreports in namespace $ns"
+ kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io
+ else
+ echo "no policyreports in namespace $ns"
+ fi
+ done
+
+ COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT clusterpolicyreports"
+ kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
+ else
+ echo "no clusterpolicyreports"
+ fi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
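Review bot: `image: bitnami/kubectl:1.30.2` is a mutable tag with no registry host and no digest, and `imagePullPolicy: null` leaves pull behaviour to the cluster default, yet the container runs as `serviceAccount: kyverno-admission-controller`. Pin the image by digest and to an explicit registry so that a retagged image cannot run with that identity. In the script, quote `$ns` and `$COUNT`, and drop the array syntax in `${NAMESPACES[@]}`, since NAMESPACES is assigned as a plain string.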
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
@@ -19,26 +19,18 @@
metadata: null
spec:
serviceAccount: kyverno-migrate-resources
restartPolicy: Never
containers:
- name: kubectl
- image: ghcr.io/kyverno/kyverno-cli:v1.12.6
+ image: ghcr.io/kyverno/kyverno-cli:v1.13.0
imagePullPolicy: IfNotPresent
args:
- migrate
- --resource
- - admissionreports.kyverno.io
- - --resource
- - backgroundscanreports.kyverno.io
- - --resource
- cleanuppolicies.kyverno.io
- - --resource
- - clusteradmissionreports.kyverno.io
- - --resource
- - clusterbackgroundscanreports.kyverno.io
- --resource
- clustercleanuppolicies.kyverno.io
- --resource
- clusterpolicies.kyverno.io
- --resource
- globalcontextentries.kyverno.io
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
@@ -7,25 +7,25 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: '10'
spec:
backoffLimit: 2
template:
metadata: null
spec:
serviceAccount: kyverno-remove-configmap
restartPolicy: Never
containers:
- name: kubectl
- image: bitnami/kubectl:1.28.5
+ image: bitnami/kubectl:1.30.2
imagePullPolicy: null
command:
- /bin/bash
- -c
- |-
set -euo pipefail
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
@@ -19,13 +19,13 @@
metadata: null
spec:
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: bitnami/kubectl:1.28.5
+ image: bitnami/kubectl:1.30.2
imagePullPolicy: null
command:
- /bin/bash
- -c
- |-
set -euo pipefail
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:admission-controller:view
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: kyverno
+
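Review bot: this new ClusterRoleBinding attaches the built-in `view` ClusterRole to the `kyverno-admission-controller` ServiceAccount cluster-wide, which widens its read access and grows further with every role that aggregates into `view`. Confirm the policies in this cluster need that breadth; if not, check whether the chart offers a toggle for this binding or lets it point at a narrower ClusterRole. The same binding is added for the background-controller and reports-controller ServiceAccounts in the next two hunks.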
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:background-controller:view
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: kyverno
+
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:reports-controller:view
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: kyverno
+ |
🦙 MegaLinter status: ✅ SUCCESS
See detailed report in MegaLinter reports
bot-akira (bot) force-pushed the renovate/kyverno-3.x branch 2 times, most recently from 782f14f to f1b8b1e on October 31, 2024 09:14
bot-akira (bot) changed the title from "feat(container): update kyverno ( 3.2.7 → 3.3.0 )" to "feat(container): update kyverno ( 3.2.7 → 3.3.1 )" on Oct 31, 2024
bot-akira (bot) force-pushed the renovate/kyverno-3.x branch from f1b8b1e to be022cd on November 1, 2024 11:12
bot-akira (bot) changed the title from "feat(container): update kyverno ( 3.2.7 → 3.3.1 )" to "feat(container): update kyverno ( 3.2.7 → 3.3.2 )" on Nov 1, 2024
bot-akira (bot) force-pushed the renovate/kyverno-3.x branch 10 times, most recently from f697730 to 5e99399 on November 8, 2024 13:20
bot-akira (bot) force-pushed the renovate/kyverno-3.x branch 4 times, most recently from 37dbe9b to 07da866 on November 13, 2024 08:17
bot-akira (bot) changed the title from "feat(container): update kyverno ( 3.2.7 → 3.3.2 )" to "feat(container): update kyverno ( 3.2.7 → 3.3.3 )" on Nov 13, 2024
bot-akira (bot) force-pushed the renovate/kyverno-3.x branch from 07da866 to 707dabc on November 13, 2024 19:11
bot-akira (bot) force-pushed the renovate/kyverno-3.x branch from 707dabc to a4130c1 on November 16, 2024 19:08
This PR contains the following updates:
3.2.7 -> 3.3.3
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.