Closed renovate[bot] closed 2 weeks ago
--- kubernetes/apps/observability/goldilocks/app Kustomization: flux-system/goldilocks HelmRelease: observability/goldilocks
+++ kubernetes/apps/observability/goldilocks/app Kustomization: flux-system/goldilocks HelmRelease: observability/goldilocks
@@ -14,13 +14,13 @@
chart: goldilocks
interval: 15m
sourceRef:
kind: HelmRepository
name: fairwinds
namespace: flux-system
- version: 8.0.2
+ version: 9.0.0
install:
remediation:
retries: 5
interval: 15m
upgrade:
remediation:
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-admission-controller
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-admission-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-background-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-background-controller
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-background-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-controller
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-cleanup-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-cleanup-jobs
- namespace: kyverno
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-reports-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-reports-controller
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-reports-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
@@ -1,69 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kyverno
- namespace: kyverno
- labels:
- app.kubernetes.io/component: config
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/resource-policy: keep
-data:
- enableDefaultRegistryMutation: 'true'
- defaultRegistry: docker.io
- generateSuccessEvents: 'false'
- excludeGroups: system:nodes
- resourceFilters: '[*/*,kyverno,*] [Event,*,*] [*/*,kube-system,*] [*/*,kube-public,*]
- [*/*,kube-node-lease,*] [Node,*,*] [Node/*,*,*] [APIService,*,*] [APIService/*,*,*]
- [TokenReview,*,*] [SubjectAccessReview,*,*] [SelfSubjectAccessReview,*,*] [Binding,*,*]
- [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [AdmissionReport,*,*] [AdmissionReport/*,*,*]
- [ClusterAdmissionReport,*,*] [ClusterAdmissionReport/*,*,*] [BackgroundScanReport,*,*]
- [BackgroundScanReport/*,*,*] [ClusterBackgroundScanReport,*,*] [ClusterBackgroundScanReport/*,*,*]
- [ClusterRole,*,kyverno:admission-controller] [ClusterRole,*,kyverno:admission-controller:core]
- [ClusterRole,*,kyverno:admission-controller:additional] [ClusterRole,*,kyverno:background-controller]
- [ClusterRole,*,kyverno:background-controller:core] [ClusterRole,*,kyverno:background-controller:additional]
- [ClusterRole,*,kyverno:cleanup-controller] [ClusterRole,*,kyverno:cleanup-controller:core]
- [ClusterRole,*,kyverno:cleanup-controller:additional] [ClusterRole,*,kyverno:reports-controller]
- [ClusterRole,*,kyverno:reports-controller:core] [ClusterRole,*,kyverno:reports-controller:additional]
- [ClusterRoleBinding,*,kyverno:admission-controller] [ClusterRoleBinding,*,kyverno:background-controller]
- [ClusterRoleBinding,*,kyverno:cleanup-controller] [ClusterRoleBinding,*,kyverno:reports-controller]
- [ServiceAccount,kyverno,kyverno-admission-controller] [ServiceAccount/*,kyverno,kyverno-admission-controller]
- [ServiceAccount,kyverno,kyverno-background-controller] [ServiceAccount/*,kyverno,kyverno-background-controller]
- [ServiceAccount,kyverno,kyverno-cleanup-controller] [ServiceAccount/*,kyverno,kyverno-cleanup-controller]
- [ServiceAccount,kyverno,kyverno-reports-controller] [ServiceAccount/*,kyverno,kyverno-reports-controller]
- [Role,kyverno,kyverno:admission-controller] [Role,kyverno,kyverno:background-controller]
- [Role,kyverno,kyverno:cleanup-controller] [Role,kyverno,kyverno:reports-controller]
- [RoleBinding,kyverno,kyverno:admission-controller] [RoleBinding,kyverno,kyverno:background-controller]
- [RoleBinding,kyverno,kyverno:cleanup-controller] [RoleBinding,kyverno,kyverno:reports-controller]
- [ConfigMap,kyverno,kyverno] [ConfigMap,kyverno,kyverno-metrics] [Deployment,kyverno,kyverno-admission-controller]
- [Deployment/*,kyverno,kyverno-admission-controller] [Deployment,kyverno,kyverno-background-controller]
- [Deployment/*,kyverno,kyverno-background-controller] [Deployment,kyverno,kyverno-cleanup-controller]
- [Deployment/*,kyverno,kyverno-cleanup-controller] [Deployment,kyverno,kyverno-reports-controller]
- [Deployment/*,kyverno,kyverno-reports-controller] [Pod,kyverno,kyverno-admission-controller-*]
- [Pod/*,kyverno,kyverno-admission-controller-*] [Pod,kyverno,kyverno-background-controller-*]
- [Pod/*,kyverno,kyverno-background-controller-*] [Pod,kyverno,kyverno-cleanup-controller-*]
- [Pod/*,kyverno,kyverno-cleanup-controller-*] [Pod,kyverno,kyverno-reports-controller-*]
- [Pod/*,kyverno,kyverno-reports-controller-*] [Job,kyverno,kyverno-hook-pre-delete]
- [Job/*,kyverno,kyverno-hook-pre-delete] [NetworkPolicy,kyverno,kyverno-admission-controller]
- [NetworkPolicy/*,kyverno,kyverno-admission-controller] [NetworkPolicy,kyverno,kyverno-background-controller]
- [NetworkPolicy/*,kyverno,kyverno-background-controller] [NetworkPolicy,kyverno,kyverno-cleanup-controller]
- [NetworkPolicy/*,kyverno,kyverno-cleanup-controller] [NetworkPolicy,kyverno,kyverno-reports-controller]
- [NetworkPolicy/*,kyverno,kyverno-reports-controller] [PodDisruptionBudget,kyverno,kyverno-admission-controller]
- [PodDisruptionBudget/*,kyverno,kyverno-admission-controller] [PodDisruptionBudget,kyverno,kyverno-background-controller]
- [PodDisruptionBudget/*,kyverno,kyverno-background-controller] [PodDisruptionBudget,kyverno,kyverno-cleanup-controller]
- [PodDisruptionBudget/*,kyverno,kyverno-cleanup-controller] [PodDisruptionBudget,kyverno,kyverno-reports-controller]
- [PodDisruptionBudget/*,kyverno,kyverno-reports-controller] [Service,kyverno,kyverno-svc]
- [Service/*,kyverno,kyverno-svc] [Service,kyverno,kyverno-svc-metrics] [Service/*,kyverno,kyverno-svc-metrics]
- [Service,kyverno,kyverno-background-controller-metrics] [Service/*,kyverno,kyverno-background-controller-metrics]
- [Service,kyverno,kyverno-cleanup-controller] [Service/*,kyverno,kyverno-cleanup-controller]
- [Service,kyverno,kyverno-cleanup-controller-metrics] [Service/*,kyverno,kyverno-cleanup-controller-metrics]
- [Service,kyverno,kyverno-reports-controller-metrics] [Service/*,kyverno,kyverno-reports-controller-metrics]
- [ServiceMonitor,kyverno,kyverno-admission-controller] [ServiceMonitor,kyverno,kyverno-background-controller]
- [ServiceMonitor,kyverno,kyverno-cleanup-controller] [ServiceMonitor,kyverno,kyverno-reports-controller]
- [Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]'
- webhooks: '[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}],"matchLabels":null}}]'
- webhookAnnotations: '{"admissions.enforcer/disabled":"true"}'
-
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: kyverno-metrics
- namespace: kyverno
- labels:
- app.kubernetes.io/component: config
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-data:
- namespaces: '{"exclude":[],"include":[]}'
- bucketBoundaries: 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20,
- 25, 30
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:admission-controller
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
@@ -1,140 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:admission-controller:core
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - roles
- - clusterroles
- - rolebindings
- - clusterrolebindings
- verbs:
- - list
- - watch
-- apiGroups:
- - kyverno.io
- resources:
- - policies
- - policies/status
- - clusterpolicies
- - clusterpolicies/status
- - updaterequests
- - updaterequests/status
- - globalcontextentries
- - globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- - policyexceptions
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - reports.kyverno.io
- resources:
- - ephemeralreports
- - clusterephemeralreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - wgpolicyk8s.io
- resources:
- - policyreports
- - policyreports/status
- - clusterpolicyreports
- - clusterpolicyreports/status
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - ''
- - events.k8s.io
- resources:
- - events
- verbs:
- - create
- - update
- - patch
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - ''
- resources:
- - configmaps
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
- - update
- - patch
- - get
- - list
- - watch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:background-controller
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
@@ -1,99 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:background-controller:core
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - kyverno.io
- resources:
- - policies
- - clusterpolicies
- - policyexceptions
- - updaterequests
- - updaterequests/status
- - globalcontextentries
- - globalcontextentries/status
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - ''
- resources:
- - namespaces
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- - events.k8s.io
- resources:
- - events
- verbs:
- - create
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - ingresses
- - ingressclasses
- - networkpolicies
- verbs:
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - rolebindings
- - roles
- verbs:
- - create
- - update
- - patch
- - delete
-- apiGroups:
- - ''
- resources:
- - configmaps
- - secrets
- - resourcequotas
- - limitranges
- verbs:
- - create
- - update
- - patch
- - delete
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:cleanup-controller
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller:core
@@ -1,89 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:cleanup-controller:core
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - create
- - delete
- - get
- - list
- - update
- - watch
-- apiGroups:
- - ''
- resources:
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - kyverno.io
- resources:
- - clustercleanuppolicies
- - cleanuppolicies
- verbs:
- - list
- - watch
-- apiGroups:
- - kyverno.io
- resources:
- - globalcontextentries
- - globalcontextentries/status
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - kyverno.io
- resources:
- - clustercleanuppolicies/status
- - cleanuppolicies/status
- verbs:
- - update
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- - events.k8s.io
- resources:
- - events
- verbs:
- - create
- - patch
- - update
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-jobs
@@ -1,30 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - updaterequests
- verbs:
- - list
- - deletecollection
- - delete
-- apiGroups:
- - reports.kyverno.io
- resources:
- - ephemeralreports
- - clusterephemeralreports
- verbs:
- - list
- - deletecollection
- - delete
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:policies
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:policies
@@ -1,28 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:admin:policies
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-admin: 'true'
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - cleanuppolicies
- - clustercleanuppolicies
- - policies
- - clusterpolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:policies
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:policies
@@ -1,24 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:view:policies
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-view: 'true'
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - cleanuppolicies
- - clustercleanuppolicies
- - policies
- - clusterpolicies
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:policyreports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:policyreports
@@ -1,26 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:admin:policyreports
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-admin: 'true'
-rules:
-- apiGroups:
- - wgpolicyk8s.io
- resources:
- - policyreports
- - clusterpolicyreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:policyreports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:policyreports
@@ -1,22 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:view:policyreports
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-view: 'true'
-rules:
-- apiGroups:
- - wgpolicyk8s.io
- resources:
- - policyreports
- - clusterpolicyreports
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
@@ -1,41 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:admin:reports
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-admin: 'true'
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - reports.kyverno.io
- resources:
- - ephemeralreports
- - clusterephemeralreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
@@ -1,33 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:view:reports
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-view: 'true'
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - reports.kyverno.io
- resources:
- - ephemeralreports
- - clusterephemeralreports
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:updaterequests
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:updaterequests
@@ -1,25 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:admin:updaterequests
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-admin: 'true'
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - updaterequests
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:updaterequests
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:updaterequests
@@ -1,21 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:rbac:view:updaterequests
- labels:
- app.kubernetes.io/component: rbac
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- rbac.authorization.k8s.io/aggregate-to-view: 'true'
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - updaterequests
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
@@ -1,17 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:reports-controller
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
@@ -1,95 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:reports-controller:core
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - secrets
- - configmaps
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - kyverno.io
- resources:
- - globalcontextentries
- - globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- - policyexceptions
- - policies
- - clusterpolicies
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - reports.kyverno.io
- resources:
- - ephemeralreports
- - clusterephemeralreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - wgpolicyk8s.io
- resources:
- - policyreports
- - policyreports/status
- - clusterpolicyreports
- - clusterpolicyreports/status
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- - deletecollection
-- apiGroups:
- - ''
- - events.k8s.io
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller
@@ -1,19 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:admission-controller
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:admission-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-admission-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller
@@ -1,19 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:background-controller
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:background-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-background-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-controller
@@ -1,19 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:cleanup-controller
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:cleanup-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-cleanup-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-jobs
@@ -1,18 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:cleanup-jobs
-subjects:
-- kind: ServiceAccount
- name: kyverno-cleanup-jobs
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller
@@ -1,19 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:reports-controller
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:reports-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-reports-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
@@ -1,56 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: kyverno:admission-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - delete
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- resourceNames:
- - kyverno
- - kyverno-metrics
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
- - delete
- - get
- - patch
- - update
-- apiGroups:
- - apps
- resources:
- - deployments
- - deployments/scale
- verbs:
- - get
- - list
- - watch
- - patch
- - update
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:background-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:background-controller
@@ -1,49 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: kyverno:background-controller
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- namespace: kyverno
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- resourceNames:
- - kyverno
- - kyverno-metrics
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - delete
- - get
- - patch
- - update
- resourceNames:
- - kyverno-background-controller
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
@@ -1,60 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: kyverno:cleanup-controller
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- namespace: kyverno
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - create
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - delete
- - get
- - list
- - update
- - watch
- resourceNames:
- - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
- - kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- resourceNames:
- - kyverno
- - kyverno-metrics
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - delete
- - get
- - patch
- - update
- resourceNames:
- - kyverno-cleanup-controller
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
@@ -1,41 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: kyverno:reports-controller
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- namespace: kyverno
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- resourceNames:
- - kyverno
- - kyverno-metrics
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - delete
- - get
- - patch
- - update
- resourceNames:
- - kyverno-reports-controller
-
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:admission-controller
@@ -1,20 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:admission-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kyverno:admission-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-admission-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:background-controller
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:background-controller
@@ -1,20 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:background-controller
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- namespace: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kyverno:background-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-background-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:cleanup-controller
@@ -1,20 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:cleanup-controller
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- namespace: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kyverno:cleanup-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-cleanup-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:reports-controller
@@ -1,20 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:reports-controller
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- namespace: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kyverno:reports-controller
-subjects:
-- kind: ServiceAccount
- name: kyverno-reports-controller
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: kyverno-svc
- namespace: kyverno
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- ports:
- - port: 443
- targetPort: https
- protocol: TCP
- name: https
- selector:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- type: ClusterIP
-
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc-metrics
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc-metrics
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: kyverno-svc-metrics
- namespace: kyverno
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- ports:
- - port: 8000
- targetPort: 8000
- protocol: TCP
- name: metrics-port
- selector:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- type: ClusterIP
-
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-background-controller-metrics
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-background-controller-metrics
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: kyverno-background-controller-metrics
- namespace: kyverno
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- ports:
- - port: 8000
- targetPort: 8000
- protocol: TCP
- name: metrics-port
- selector:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- type: ClusterIP
-
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: kyverno-cleanup-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- ports:
- - port: 443
- targetPort: https
- protocol: TCP
- name: https
- selector:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- type: ClusterIP
-
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller-metrics
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller-metrics
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: kyverno-cleanup-controller-metrics
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- ports:
- - port: 8000
- targetPort: 8000
- protocol: TCP
- name: metrics-port
- selector:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- type: ClusterIP
-
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-reports-controller-metrics
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-reports-controller-metrics
@@ -1,23 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: kyverno-reports-controller-metrics
- namespace: kyverno
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- ports:
- - port: 8000
- targetPort: 8000
- protocol: TCP
- name: metrics-port
- selector:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- type: ClusterIP
-
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
@@ -1,197 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kyverno-admission-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- replicas: null
- revisionHistoryLimit: 10
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 40%
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- template:
- metadata:
- labels:
- app.kubernetes.io/component: admission-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- spec:
- dnsPolicy: ClusterFirst
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/component
- operator: In
- values:
- - admission-controller
- topologyKey: kubernetes.io/hostname
- weight: 1
- serviceAccountName: kyverno-admission-controller
- initContainers:
- - name: kyverno-pre
- image: ghcr.io/kyverno/kyvernopre:v1.12.5
- imagePullPolicy: IfNotPresent
- args:
- - --loggingFormat=text
- - --v=2
- resources:
- limits:
- cpu: 100m
- memory: 256Mi
- requests:
- cpu: 10m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- env:
- - name: KYVERNO_SERVICEACCOUNT_NAME
- value: kyverno-admission-controller
- - name: INIT_CONFIG
- value: kyverno
- - name: METRICS_CONFIG
- value: kyverno-metrics
- - name: KYVERNO_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: KYVERNO_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: KYVERNO_DEPLOYMENT
- value: kyverno-admission-controller
- - name: KYVERNO_SVC
- value: kyverno-svc
- containers:
- - name: kyverno
- image: ghcr.io/kyverno/kyverno:v1.12.5
- imagePullPolicy: IfNotPresent
- args:
- - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
- - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
- - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
- - --servicePort=443
- - --webhookServerPort=9443
- - --disableMetrics=false
- - --otelConfig=prometheus
- - --metricsPort=8000
- - --admissionReports=true
- - --maxAdmissionReports=1000
- - --autoUpdateWebhooks=true
- - --enableConfigMapCaching=true
- - --enableDeferredLoading=true
- - --dumpPayload=false
- - --forceFailurePolicyIgnore=false
- - --generateValidatingAdmissionPolicy=false
- - --maxAPICallResponseLength=2000000
- - --loggingFormat=text
- - --v=2
- - --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- - --protectManagedResources=false
- - --allowInsecureRegistry=false
- - --registryCredentialHelpers=default,google,amazon,azure,github
- resources:
- limits:
- memory: 384Mi
- requests:
- cpu: 100m
- memory: 128Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- ports:
- - containerPort: 9443
- name: https
- protocol: TCP
- - containerPort: 8000
- name: metrics-port
- protocol: TCP
- env:
- - name: INIT_CONFIG
- value: kyverno
- - name: METRICS_CONFIG
- value: kyverno-metrics
- - name: KYVERNO_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: KYVERNO_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: KYVERNO_SERVICEACCOUNT_NAME
- value: kyverno-admission-controller
- - name: KYVERNO_SVC
- value: kyverno-svc
- - name: TUF_ROOT
- value: /.sigstore
- - name: KYVERNO_DEPLOYMENT
- value: kyverno-admission-controller
- startupProbe:
- failureThreshold: 20
- httpGet:
- path: /health/liveness
- port: 9443
- scheme: HTTPS
- initialDelaySeconds: 2
- periodSeconds: 6
- livenessProbe:
- failureThreshold: 2
- httpGet:
- path: /health/liveness
- port: 9443
- scheme: HTTPS
- initialDelaySeconds: 15
- periodSeconds: 30
- successThreshold: 1
- timeoutSeconds: 5
- readinessProbe:
- failureThreshold: 6
- httpGet:
- path: /health/readiness
- port: 9443
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
- volumeMounts:
- - mountPath: /.sigstore
- name: sigstore
- volumes:
- - name: sigstore
- emptyDir: {}
-
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
@@ -1,102 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kyverno-background-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- replicas: null
- revisionHistoryLimit: 10
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 40%
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- template:
- metadata:
- labels:
- app.kubernetes.io/component: background-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- spec:
- dnsPolicy: ClusterFirst
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/component
- operator: In
- values:
- - background-controller
- topologyKey: kubernetes.io/hostname
- weight: 1
- serviceAccountName: kyverno-background-controller
- containers:
- - name: controller
- image: ghcr.io/kyverno/background-controller:v1.12.5
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9443
- name: https
- protocol: TCP
- - containerPort: 8000
- name: metrics
- protocol: TCP
- args:
- - --disableMetrics=false
- - --otelConfig=prometheus
- - --metricsPort=8000
- - --enableConfigMapCaching=true
- - --enableDeferredLoading=true
- - --maxAPICallResponseLength=2000000
- - --loggingFormat=text
- - --v=2
- - --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- env:
- - name: KYVERNO_SERVICEACCOUNT_NAME
- value: kyverno-background-controller
- - name: KYVERNO_DEPLOYMENT
- value: kyverno-background-controller
- - name: INIT_CONFIG
- value: kyverno
- - name: METRICS_CONFIG
- value: kyverno-metrics
- - name: KYVERNO_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: KYVERNO_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- resources:
- limits:
- memory: 128Mi
- requests:
- cpu: 100m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
@@ -1,137 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kyverno-cleanup-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- replicas: null
- revisionHistoryLimit: 10
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 40%
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- template:
- metadata:
- labels:
- app.kubernetes.io/component: cleanup-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- spec:
- dnsPolicy: ClusterFirst
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/component
- operator: In
- values:
- - cleanup-controller
- topologyKey: kubernetes.io/hostname
- weight: 1
- serviceAccountName: kyverno-cleanup-controller
- containers:
- - name: controller
- image: ghcr.io/kyverno/cleanup-controller:v1.12.5
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9443
- name: https
- protocol: TCP
- - containerPort: 8000
- name: metrics
- protocol: TCP
- args:
- - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
- - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
- - --servicePort=443
- - --cleanupServerPort=9443
- - --webhookServerPort=9443
- - --disableMetrics=false
- - --otelConfig=prometheus
- - --metricsPort=8000
- - --enableDeferredLoading=true
- - --dumpPayload=false
- - --maxAPICallResponseLength=2000000
- - --loggingFormat=text
- - --v=2
- - --protectManagedResources=false
- - --ttlReconciliationInterval=1m
- env:
- - name: KYVERNO_DEPLOYMENT
- value: kyverno-cleanup-controller
- - name: INIT_CONFIG
- value: kyverno
- - name: METRICS_CONFIG
- value: kyverno-metrics
- - name: KYVERNO_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: KYVERNO_SERVICEACCOUNT_NAME
- value: kyverno-cleanup-controller
- - name: KYVERNO_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: KYVERNO_SVC
- value: kyverno-cleanup-controller
- resources:
- limits:
- memory: 128Mi
- requests:
- cpu: 100m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 20
- httpGet:
- path: /health/liveness
- port: 9443
- scheme: HTTPS
- initialDelaySeconds: 2
- periodSeconds: 6
- livenessProbe:
- failureThreshold: 2
- httpGet:
- path: /health/liveness
- port: 9443
- scheme: HTTPS
- initialDelaySeconds: 15
- periodSeconds: 30
- successThreshold: 1
- timeoutSeconds: 5
- readinessProbe:
- failureThreshold: 6
- httpGet:
- path: /health/readiness
- port: 9443
- scheme: HTTPS
- initialDelaySeconds: 5
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
-
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
@@ -1,121 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: kyverno-reports-controller
- namespace: kyverno
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- replicas: null
- revisionHistoryLimit: 10
- strategy:
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 40%
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/part-of: kyverno
- template:
- metadata:
- labels:
- app.kubernetes.io/component: reports-controller
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- spec:
- dnsPolicy: ClusterFirst
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/component
- operator: In
- values:
- - reports-controller
- topologyKey: kubernetes.io/hostname
- weight: 1
- serviceAccountName: kyverno-reports-controller
- containers:
- - name: controller
- image: ghcr.io/kyverno/reports-controller:v1.12.5
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 9443
- name: https
- protocol: TCP
- - containerPort: 8000
- name: metrics
- protocol: TCP
- args:
- - --disableMetrics=false
- - --otelConfig=prometheus
- - --metricsPort=8000
- - --admissionReports=true
- - --aggregateReports=true
- - --policyReports=true
- - --validatingAdmissionPolicyReports=false
- - --backgroundScan=true
- - --backgroundScanWorkers=2
- - --backgroundScanInterval=1h
- - --skipResourceFilters=true
- - --enableConfigMapCaching=true
- - --enableDeferredLoading=true
- - --maxAPICallResponseLength=2000000
- - --loggingFormat=text
- - --v=2
- - --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- - --reportsChunkSize=0
- - --allowInsecureRegistry=false
- - --registryCredentialHelpers=default,google,amazon,azure,github
- env:
- - name: KYVERNO_SERVICEACCOUNT_NAME
- value: kyverno-reports-controller
- - name: KYVERNO_DEPLOYMENT
- value: kyverno-reports-controller
- - name: INIT_CONFIG
- value: kyverno
- - name: METRICS_CONFIG
- value: kyverno-metrics
- - name: KYVERNO_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: KYVERNO_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: TUF_ROOT
- value: /.sigstore
- resources:
- limits:
- memory: 128Mi
- requests:
- cpu: 100m
- memory: 64Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- volumeMounts:
- - mountPath: /.sigstore
- name: sigstore
- volumes:
- - name: sigstore
- emptyDir: {}
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-cluster-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-ephemeral-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-ephemeral-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-cluster-ephemeral-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many clusterephemeralreports found ($COUNT), cleaning up..."
- kubectl delete clusterephemeralreports.reports.kyverno.io -A --all
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-ephemeral-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-ephemeral-reports
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-ephemeral-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many ephemeralreports found ($COUNT), cleaning up..."
- kubectl delete ephemeralreports.reports.kyverno.io -A --all
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-update-requests
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-update-requests
@@ -1,51 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-update-requests
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata: null
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get updaterequests.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many updaterequests found ($COUNT), cleaning up..."
- kubectl delete updaterequests.kyverno.io --all -n kyverno
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-migrate-resources
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-migrate-resources
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- helm.sh/hook-weight: '100'
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: pre-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- helm.sh/hook-weight: '0'
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:migrate-resources
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:migrate-resources
@@ -1,36 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:migrate-resources
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '100'
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - '*'
- verbs:
- - get
- - list
- - update
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions/status
- verbs:
- - update
-
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:migrate-resources
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:migrate-resources
@@ -1,23 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:migrate-resources
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '100'
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:migrate-resources
-subjects:
-- kind: ServiceAccount
- name: kyverno-migrate-resources
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
@@ -1,25 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: kyverno:remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: pre-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '0'
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - list
- - get
- - delete
-
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
@@ -1,25 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: pre-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '0'
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kyverno:remove-configmap
- namespace: kyverno
-subjects:
-- kind: ServiceAccount
- name: kyverno-remove-configmap
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
@@ -1,54 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-clean-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
-spec:
- backoffLimit: 2
- template:
- metadata: null
- spec:
- serviceAccount: kyverno-admission-controller
- restartPolicy: Never
- containers:
- - name: kubectl
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - "set -euo pipefail\nNAMESPACES=$(kubectl get namespaces --no-headers=true\
- \ | awk '{print $1}')\n\nfor ns in ${NAMESPACES[@]};\ndo\n COUNT=$(kubectl\
- \ get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print\
- \ $1}' | wc -l)\n\n if [ $COUNT -gt 0 ]; then\n echo \"deleting $COUNT\
- \ policyreports in namespace $ns\"\n kubectl get policyreports.wgpolicyk8s.io\
- \ -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete\
- \ -n $ns policyreports.wgpolicyk8s.io\n else\n echo \"no policyreports\
- \ in namespace $ns\"\n fi\ndone\n\nCOUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io\
- \ --no-headers=true | awk '/pol/{print $1}' | wc -l)\n \nif [ $COUNT -gt\
- \ 0 ]; then\n echo \"deleting $COUNT clusterpolicyreports\"\n kubectl\
- \ get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print\
- \ $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io\nelse\n\
- \ echo \"no clusterpolicyreports\"\nfi\n"
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
@@ -1,63 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-migrate-resources
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '200'
-spec:
- backoffLimit: 2
- template:
- metadata: null
- spec:
- serviceAccount: kyverno-migrate-resources
- restartPolicy: Never
- containers:
- - name: kubectl
- image: ghcr.io/kyverno/kyverno-cli:v1.12.5
- imagePullPolicy: IfNotPresent
- args:
- - migrate
- - --resource
- - admissionreports.kyverno.io
- - --resource
- - backgroundscanreports.kyverno.io
- - --resource
- - cleanuppolicies.kyverno.io
- - --resource
- - clusteradmissionreports.kyverno.io
- - --resource
- - clusterbackgroundscanreports.kyverno.io
- - --resource
- - clustercleanuppolicies.kyverno.io
- - --resource
- - clusterpolicies.kyverno.io
- - --resource
- - globalcontextentries.kyverno.io
- - --resource
- - policies.kyverno.io
- - --resource
- - policyexceptions.kyverno.io
- - --resource
- - updaterequests.kyverno.io
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
@@ -1,45 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: pre-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '10'
-spec:
- backoffLimit: 2
- template:
- metadata: null
- spec:
- serviceAccount: kyverno-remove-configmap
- restartPolicy: Never
- containers:
- - name: kubectl
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |-
- set -euo pipefail
- kubectl delete cm -n kyverno kyverno
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
@@ -1,48 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-scale-to-zero
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: pre-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '100'
-spec:
- backoffLimit: 2
- template:
- metadata: null
- spec:
- serviceAccount: kyverno-admission-controller
- restartPolicy: Never
- containers:
- - name: kubectl
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |-
- set -euo pipefail
- kubectl scale -n kyverno deployment -l app.kubernetes.io/part-of=kyverno --replicas=0
- sleep 30
- kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
- kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
This PR contains the following updates:
8.0.2 -> 9.0.0
Configuration
📅 Schedule: Branch creation - "after 8am every weekday,before 7pm every weekday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.