feat(container): update image kyverno to v3.3.2 #1063
Merged
--- kubernetes/apps/kyverno/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno/kyverno
+++ kubernetes/apps/kyverno/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno/kyverno
@@ -13,13 +13,13 @@
spec:
chart: kyverno
sourceRef:
kind: HelmRepository
name: kyverno-charts
namespace: flux-system
- version: 3.2.8
+ version: 3.3.2
interval: 30m
timeout: 15m
values:
admissionController:
rbac:
clusterRole: |
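Review bot: the `version: 3.3.2` line is the Helm chart version, not an image tag as the PR title suggests; the images rendered further down this diff move from v1.12.6 to v1.13.0. The PR description should say that this is a chart bump and list the rendered behaviour changes it carries, so the version line is not read as a plain image update.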
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-jobs
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-cleanup-jobs
- namespace: kyverno
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-grafana-grafana
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-grafana-grafana
@@ -6,2882 +6,3445 @@
namespace: kyverno
labels:
grafana_dashboard: '1'
data:
kyverno-dashboard.json: |
{
- "__inputs": [
+ "annotations": {
+ "list": [
{
- "name": "DS_PROMETHEUS_KYVERNO",
- "label": "Prometheus Data Source exposing Kyverno's metrics",
- "description": "Prometheus Data Source exposing Kyverno's metrics",
- "type": "datasource"
+ "builtIn": 1,
+ "datasource": {
+ "type": "datasource",
+ "uid": "grafana"
+ },
+ "enable": true,
+ "hide": true,
+ "iconColor": "rgba(0, 211, 255, 1)",
+ "name": "Annotations & Alerts",
+ "target": {
+ "limit": 100,
+ "matchAny": false,
+ "tags": [],
+ "type": "dashboard"
+ },
+ "type": "dashboard"
}
- ],
- "annotations": {
- "list": [
- {
- "builtIn": 1,
- "datasource": "-- Grafana --",
- "enable": true,
- "hide": true,
- "iconColor": "rgba(0, 211, 255, 1)",
- "name": "Annotations & Alerts",
- "target": {
- "limit": 100,
- "matchAny": false,
- "tags": [],
- "type": "dashboard"
- },
- "type": "dashboard"
- }
- ]
+ ]
},
"description": "",
"editable": true,
- "gnetId": null,
+ "fiscalYearStartMonth": 0,
"graphTooltip": 0,
- "id": 2,
- "iteration": 1628375170149,
+ "id": 472,
"links": [],
"panels": [
- {
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "gridPos": {
- "h": 6,
- "w": 24,
- "x": 0,
- "y": 0
- },
- "id": 42,
- "options": {
- "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)",
- "mode": "markdown"
- },
- "pluginVersion": "8.1.0",
- "timeFrom": null,
- "timeShift": null,
- "transparent": true,
- "type": "text"
- },
- {
- "collapsed": false,
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "fieldConfig": {
- "defaults": {},
- "overrides": []
- },
- "gridPos": {
- "h": 1,
- "w": 24,
- "x": 0,
- "y": 6
- },
- "id": 12,
- "panels": [],
- "title": "Latest Status",
- "type": "row"
- },
- {
- "datasource": "${DS_PROMETHEUS_KYVERNO}",
- "fieldConfig": {
- "defaults": {
- "color": {
- "mode": "thresholds"
- },
- "mappings": [],
- "max": 100,
- "min": 0,
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "text",
- "value": null
- },
- {
- "value": 0,
- "color": "green"
- },
- {
- "color": "#eab839",
- "value": 25
- },
- {
- "color": "red",
- "value": 50
- },
- {
- "color": "red",
- "value": 100
- }
- ]
- },
- "unit": "percent"
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 24,
+ "x": 0,
+ "y": 0
+ },
+ "id": 42,
+ "options": {
+ "code": {
+ "language": "plaintext",
+ "showLineNumbers": false,
+ "showMiniMap": false
+ },
+ "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)",
+ "mode": "markdown"
+ },
+ "pluginVersion": "11.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "refId": "A"
+ }
+ ],
+ "transparent": true,
+ "type": "text"
+ },
+ {
+ "collapsed": false,
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "gridPos": {
+ "h": 1,
+ "w": 24,
+ "x": 0,
+ "y": 6
+ },
+ "id": 12,
+ "panels": [],
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "refId": "A"
+ }
+ ],
+ "title": "Latest Status",
+ "type": "row"
+ },
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "max": 100,
+ "min": 0,
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "text",
+ "value": null
},
- "overrides": []
- },
- "gridPos": {
- "h": 6,
- "w": 6,
- "x": 0,
- "y": 7
- },
- "id": 29,
- "options": {
- "reduceOptions": {
- "calcs": [
- "lastNotNull"
+ {
+ "color": "green",
+ "value": 0
+ },
+ {
+ "color": "#eab839",
+ "value": 25
+ },
+ {
+ "color": "red",
+ "value": 50
+ },
+ {
+ "color": "red",
+ "value": 100
+ }
+ ]
+ },
+ "unit": "percent"
+ },
+ "overrides": []
+ },
+ "gridPos": {
+ "h": 6,
+ "w": 6,
+ "x": 0,
+ "y": 7
+ },
+ "id": 29,
+ "options": {
+ "minVizHeight": 75,
+ "minVizWidth": 75,
+ "orientation": "auto",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "showThresholdLabels": false,
+ "showThresholdMarkers": true,
+ "sizing": "auto",
+ "text": {}
+ },
+ "pluginVersion": "11.2.0",
+ "targets": [
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "exemplar": true,
+ "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results_total{cluster=~\"$cluster\"}[24h]))",
+ "interval": "",
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "title": "Rule Execution Failure Rate (Last 24 Hours)",
+ "transparent": true,
+ "type": "gauge"
+ },
+ {
+ "datasource": {
+ "uid": "${DS_PROMETHEUS_KYVERNO}"
+ },
+ "fieldConfig": {
+ "defaults": {
+ "color": {
+ "mode": "thresholds"
+ },
+ "mappings": [],
+ "noValue": "0",
+ "thresholds": {
+ "mode": "absolute",
+ "steps": [
+ {
+ "color": "green",
+ "value": null
[Diff truncated by flux-local]
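Review bot: the `__inputs` block that declared `DS_PROMETHEUS_KYVERNO` is removed at the top of `kyverno-dashboard.json`, yet every panel in the visible part still sets `"uid": "${DS_PROMETHEUS_KYVERNO}"`. Confirm the new dashboard still defines that variable; the definition may sit in the part flux-local truncated, which cannot be reviewed from this output, so render the ConfigMap locally and check it before relying on the dashboard.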
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno
@@ -16,15 +16,13 @@
defaultRegistry: docker.io
generateSuccessEvents: 'false'
excludeGroups: system:nodes
resourceFilters: '[*/*,kyverno,*] [Event,*,*] [*/*,kube-system,*] [*/*,kube-public,*]
[*/*,kube-node-lease,*] [Node,*,*] [Node/*,*,*] [APIService,*,*] [APIService/*,*,*]
[TokenReview,*,*] [SubjectAccessReview,*,*] [SelfSubjectAccessReview,*,*] [Binding,*,*]
- [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [AdmissionReport,*,*] [AdmissionReport/*,*,*]
- [ClusterAdmissionReport,*,*] [ClusterAdmissionReport/*,*,*] [BackgroundScanReport,*,*]
- [BackgroundScanReport/*,*,*] [ClusterBackgroundScanReport,*,*] [ClusterBackgroundScanReport/*,*,*]
+ [Pod/binding,*,*] [ReplicaSet,*,*] [ReplicaSet/*,*,*] [EphemeralReport,*,*] [ClusterEphemeralReport,*,*]
[ClusterRole,*,kyverno:admission-controller] [ClusterRole,*,kyverno:admission-controller:core]
[ClusterRole,*,kyverno:admission-controller:additional] [ClusterRole,*,kyverno:background-controller]
[ClusterRole,*,kyverno:background-controller:core] [ClusterRole,*,kyverno:background-controller:additional]
[ClusterRole,*,kyverno:cleanup-controller] [ClusterRole,*,kyverno:cleanup-controller:core]
[ClusterRole,*,kyverno:cleanup-controller:additional] [ClusterRole,*,kyverno:reports-controller]
[ClusterRole,*,kyverno:reports-controller:core] [ClusterRole,*,kyverno:reports-controller:additional]
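Review bot: in `resourceFilters`, the removed report kinds were each filtered with a subresource form as well (`[AdmissionReport/*,*,*]` and so on), while the replacements `[EphemeralReport,*,*]` and `[ClusterEphemeralReport,*,*]` have no `/*` variant. If subresource requests on ephemeral reports should also bypass the webhooks, add the matching `/*` entries; also confirm that no legacy AdmissionReport or BackgroundScanReport objects remain in the cluster, since they are no longer filtered.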
@@ -61,9 +59,10 @@
[Service,kyverno,kyverno-cleanup-controller] [Service/*,kyverno,kyverno-cleanup-controller]
[Service,kyverno,kyverno-cleanup-controller-metrics] [Service/*,kyverno,kyverno-cleanup-controller-metrics]
[Service,kyverno,kyverno-reports-controller-metrics] [Service/*,kyverno,kyverno-reports-controller-metrics]
[ServiceMonitor,kyverno,kyverno-admission-controller] [ServiceMonitor,kyverno,kyverno-background-controller]
[ServiceMonitor,kyverno,kyverno-cleanup-controller] [ServiceMonitor,kyverno,kyverno-reports-controller]
[Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*]'
+ updateRequestThreshold: '1000'
webhooks: '[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}],"matchLabels":null},"objectSelector":{"matchExpressions":[{"key":"webhooks.kyverno.io/exclude","operator":"DoesNotExist"}]}}]'
webhookAnnotations: '{"admissions.enforcer/disabled":"true"}'
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
@@ -8,9 +8,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
data:
namespaces: '{"exclude":[],"include":[]}'
+ metricsExposure: '{"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]}}'
bucketBoundaries: 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20,
25, 30
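Review bot: the new `metricsExposure` value disables the `resource_namespace` label on all six listed metrics and `policy_namespace` on three of them, so any alert rule or dashboard query that groups or filters on those labels will stop working as intended after the upgrade. The gauge query visible in this PR's dashboard only uses `rule_result` and `cluster`, so it is unaffected, but the repo's other Prometheus rules should be searched for the two label names.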
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-admission-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
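Review bot: the added selector `rbac.kyverno.io/aggregate-to-admission-controller: 'true'` means any ClusterRole carrying that label is merged into `kyverno:admission-controller`, and the same pattern is added for the background, cleanup and reports controllers later in this diff. Treat these four labels as privileged: audit which ClusterRoles carry them and put a review gate on adding them, since a mislabelled role widens what the Kyverno service accounts can do cluster-wide.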
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
@@ -47,16 +47,12 @@
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
verbs:
- create
- delete
- get
- list
@@ -126,15 +122,7 @@
- create
- update
- patch
- get
- list
- watch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
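Review bot: with the `apiGroups: '*'` / `resources: '*'` get, list, watch rule removed from `kyverno:admission-controller:core`, the admission controller can no longer read arbitrary kinds. That is a welcome least-privilege change, but a policy that looks up resources outside the remaining rules will start failing with authorization errors; check that the `admissionController.rbac.clusterRole` value set in this HelmRelease covers every kind the cluster's policies read.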
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-background-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
@@ -16,13 +16,15 @@
verbs:
- get
- apiGroups:
- kyverno.io
resources:
- policies
+ - policies/status
- clusterpolicies
+ - clusterpolicies/status
- policyexceptions
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
verbs:
@@ -53,19 +55,25 @@
- get
- list
- patch
- update
- watch
- apiGroups:
- - '*'
+ - reports.kyverno.io
resources:
- - '*'
+ - ephemeralreports
+ - clusterephemeralreports
verbs:
+ - create
+ - delete
- get
- list
+ - patch
+ - update
- watch
+ - deletecollection
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- ingressclasses
- networkpolicies
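Review bot: the wildcard read rule in `kyverno:background-controller:core` is narrowed to `ephemeralreports` and `clusterephemeralreports` in `reports.kyverno.io`, now with write verbs including `deletecollection`. Generate and mutate-existing rules that read or target other kinds need explicit rules from here on, so verify each such policy in the repo against the remaining permissions, for example with `kubectl auth can-i --as=system:serviceaccount:kyverno:kyverno-background-controller`.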
@@ -85,13 +93,12 @@
- patch
- delete
- apiGroups:
- ''
resources:
- configmaps
- - secrets
- resourcequotas
- limitranges
verbs:
- create
- update
- patch
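Review bot: `secrets` is dropped from the core-group rule that grants create, update and patch (the context shows `configmaps`, `resourcequotas` and `limitranges` staying), so a generate policy that clones or syncs Secrets will no longer be able to write them. If the repo has such a policy, grant Secret write access back through a dedicated ClusterRole scoped to that need rather than restoring the broad rule.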
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-cleanup-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-jobs
@@ -1,30 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kyverno:cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - updaterequests
- verbs:
- - list
- - deletecollection
- - delete
-- apiGroups:
- - reports.kyverno.io
- resources:
- - ephemeralreports
- - clusterephemeralreports
- verbs:
- - list
- - deletecollection
- - delete
-
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:admin:reports
@@ -7,27 +7,12 @@
app.kubernetes.io/component: rbac
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: 'true'
rules:
-- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:rbac:view:reports
@@ -8,23 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
rbac.authorization.k8s.io/aggregate-to-view: 'true'
rules:
- apiGroups:
- - kyverno.io
- resources:
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
- get
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller
@@ -8,10 +8,12 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
+ rbac.kyverno.io/aggregate-to-reports-controller: 'true'
+ - matchLabels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
@@ -15,28 +15,23 @@
- customresourcedefinitions
verbs:
- get
- apiGroups:
- ''
resources:
- - secrets
- configmaps
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- kyverno.io
resources:
- globalcontextentries
- globalcontextentries/status
- - admissionreports
- - clusteradmissionreports
- - backgroundscanreports
- - clusterbackgroundscanreports
- policyexceptions
- policies
- clusterpolicies
verbs:
- create
- delete
@@ -81,15 +76,7 @@
- events.k8s.io
resources:
- events
verbs:
- create
- patch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
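Review bot: `kyverno:reports-controller:core` loses the wildcard get, list, watch rule here and cluster-wide `secrets` read in the previous hunk, while the reports controller Deployment still runs with `--backgroundScan=true`. Kinds that the remaining rules do not cover can no longer be read for background scans, so compare the kinds matched by existing policies with what this role still allows and add the missing read rules explicitly.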
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-jobs
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:cleanup-jobs
@@ -1,18 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:cleanup-jobs
- labels:
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kyverno:cleanup-jobs
-subjects:
-- kind: ServiceAccount
- name: kyverno-cleanup-jobs
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:admission-controller
@@ -11,16 +11,18 @@
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
- ''
resources:
- secrets
+ - serviceaccounts
verbs:
- get
- list
- watch
+ - patch
- create
- update
- delete
- apiGroups:
- ''
resources:
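Review bot: `serviceaccounts` is added to the same rule as `secrets`, so it inherits the full verb list (get, list, watch, patch, create, update, delete) across the whole `kyverno` namespace with no `resourceNames`. If the controller only needs to modify its own ServiceAccount, a separate rule with just the required verbs, restricted by `resourceNames` where the verb allows it, would keep create and delete on ServiceAccounts out of this Role.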
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:cleanup-controller
@@ -54,7 +54,15 @@
- delete
- get
- patch
- update
resourceNames:
- kyverno-cleanup-controller
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:reports-controller
@@ -19,12 +19,20 @@
- list
- watch
resourceNames:
- kyverno
- kyverno-metrics
- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
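Review bot: the new `secrets` rule grants get, list and watch on every Secret in the `kyverno` namespace, unlike the rule just above it, which is pinned to `kyverno` and `kyverno-metrics` through `resourceNames`. This is narrower than the cluster-wide Secret read removed from `kyverno:reports-controller:core`, but it still lets the reports controller read the webhook TLS secrets kept in this namespace; confirm that is needed, or restrict the rule by name where possible.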
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-svc
@@ -12,12 +12,13 @@
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
--- HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Service: kyverno/kyverno-cleanup-controller
@@ -12,12 +12,13 @@
spec:
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
+ appProtocol: https
selector:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
type: ClusterIP
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
@@ -51,13 +51,13 @@
- admission-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-admission-controller
initContainers:
- name: kyverno-pre
- image: ghcr.io/kyverno/kyvernopre:v1.12.6
+ image: ghcr.io/kyverno/kyvernopre:v1.13.0
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
resources:
limits:
@@ -76,12 +76,14 @@
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:admission-controller
- name: INIT_CONFIG
value: kyverno
- name: METRICS_CONFIG
value: kyverno-metrics
- name: KYVERNO_NAMESPACE
valueFrom:
@@ -94,39 +96,43 @@
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
containers:
- name: kyverno
- image: ghcr.io/kyverno/kyverno:v1.12.6
+ image: ghcr.io/kyverno/kyverno:v1.13.0
imagePullPolicy: IfNotPresent
args:
- --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
+ - --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller
- --servicePort=443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
- --maxAdmissionReports=1000
- --autoUpdateWebhooks=true
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- --generateValidatingAdmissionPolicy=false
+ - --dumpPatches=false
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
resources:
limits:
memory: 384Mi
requests:
cpu: 100m
memory: 128Mi
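Review bot: `--enablePolicyException` changes from true to false in the `kyverno` container args, and the same flip appears in the background and reports controller Deployments below. Any PolicyException objects in the cluster stop being honoured once this rolls out, so workloads that relied on an exception will be blocked or reported as failing; if exceptions are in use, set the corresponding chart value explicitly in this HelmRelease rather than taking the new default.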
@@ -159,12 +165,14 @@
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-admission-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
- name: TUF_ROOT
value: /.sigstore
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
@@ -43,32 +43,34 @@
- background-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-background-controller
containers:
- name: controller
- image: ghcr.io/kyverno/background-controller:v1.12.6
+ image: ghcr.io/kyverno/background-controller:v1.13.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
+ - --enablePolicyException=false
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-background-controller
- name: KYVERNO_DEPLOYMENT
value: kyverno-background-controller
- name: INIT_CONFIG
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
@@ -43,13 +43,13 @@
- cleanup-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-cleanup-controller
containers:
- name: controller
- image: ghcr.io/kyverno/cleanup-controller:v1.12.6
+ image: ghcr.io/kyverno/cleanup-controller:v1.13.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
@@ -58,12 +58,13 @@
args:
- --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
- --servicePort=443
- --cleanupServerPort=9443
- --webhookServerPort=9443
+ - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableDeferredLoading=true
- --dumpPayload=false
- --maxAPICallResponseLength=2000000
@@ -81,12 +82,14 @@
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-cleanup-controller
+ - name: KYVERNO_ROLE_NAME
+ value: kyverno:cleanup-controller
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-cleanup-controller
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
@@ -43,25 +43,26 @@
- reports-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-reports-controller
containers:
- name: controller
- image: ghcr.io/kyverno/reports-controller:v1.12.6
+ image: ghcr.io/kyverno/reports-controller:v1.13.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
+ - --resyncPeriod=15m
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- --validatingAdmissionPolicyReports=false
- --backgroundScan=true
- --backgroundScanWorkers=2
@@ -70,16 +71,16 @@
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- - --enablePolicyException=true
- - --reportsChunkSize=0
+ - --enablePolicyException=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
+ - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: kyverno-reports-controller
- name: KYVERNO_DEPLOYMENT
value: kyverno-reports-controller
- name: INIT_CONFIG
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-admission-reports
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata:
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- app.kubernetes.io/version: 3.2.8
- helm.sh/chart: kyverno-3.2.8
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
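Review bot: removing this CronJob, together with the three other `kyverno-cleanup-*` CronJobs deleted below, takes away the count-based cleanup (delete when `COUNT` exceeds 10000) along with the `kyverno-cleanup-jobs` ServiceAccount and ClusterRole. Report growth then depends on the controllers alone, so add an alert on the number of `ephemeralreports` and `clusterephemeralreports` objects, and after the rollout check for leftover `admissionreports.kyverno.io` objects, since nothing visible in this diff cleans them up any more.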
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-admission-reports
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-cluster-admission-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata:
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- app.kubernetes.io/version: 3.2.8
- helm.sh/chart: kyverno-3.2.8
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many reports found ($COUNT), cleaning up..."
- kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate'
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-ephemeral-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-cluster-ephemeral-reports
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-cluster-ephemeral-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata:
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- app.kubernetes.io/version: 3.2.8
- helm.sh/chart: kyverno-3.2.8
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many clusterephemeralreports found ($COUNT), cleaning up..."
- kubectl delete clusterephemeralreports.reports.kyverno.io -A --all
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
--- HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-ephemeral-reports
+++ HelmRelease: kyverno/kyverno CronJob: kyverno/kyverno-cleanup-ephemeral-reports
@@ -1,58 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: kyverno-cleanup-ephemeral-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
-spec:
- schedule: '*/10 * * * *'
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 1
- failedJobsHistoryLimit: 1
- jobTemplate:
- spec:
- backoffLimit: 3
- template:
- metadata:
- labels:
- app.kubernetes.io/component: cleanup
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- app.kubernetes.io/version: 3.2.8
- helm.sh/chart: kyverno-3.2.8
- spec:
- serviceAccountName: kyverno-cleanup-jobs
- containers:
- - name: cleanup
- image: bitnami/kubectl:1.28.5
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l)
- if [ "$COUNT" -gt 10000 ]; then
- echo "too many ephemeralreports found ($COUNT), cleaning up..."
- kubectl delete ephemeralreports.reports.kyverno.io -A --all
- else
- echo "($COUNT) reports found, no clean up needed"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- restartPolicy: OnFailure
-
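Review bot: deleting this CronJob, together with the clusterephemeralreports one just above it, removes the only mechanism in this diff that purged `ephemeralreports.reports.kyverno.io` and `clusterephemeralreports.reports.kyverno.io` once the count passed 10000, and nothing added here replaces it. Before merging, confirm how the new chart version bounds ephemeral report growth. Add an alert on the object count for both kinds, because a backlog of these objects lands on etcd and the API server. Also verify after the upgrade that the `kyverno-cleanup-jobs` ServiceAccount named in `serviceAccountName` and any RBAC bound to it are gone, so no unused delete permission on reports is left in the cluster.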
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
@@ -7,10 +7,10 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: '0'
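Review bot: the `helm.sh/hook-delete-policy` on this ServiceAccount stays at `before-hook-creation,hook-succeeded`, without the `hook-failed` that the Role, RoleBinding and Job of the same hook carry. That gap matters more now that the hook is `post-delete`: by the time it runs the release is already gone, so a hook object that is not cleaned up on failure has no owner left to remove it. If the omission is intentional, it is worth a comment; otherwise align the policy with the other three objects, and have the uninstall procedure check the namespace for a leftover `kyverno-remove-configmap` ServiceAccount.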
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
@@ -7,13 +7,13 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: '0'
rules:
- apiGroups:
- ''
resources:
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
@@ -7,13 +7,13 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: '0'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kyverno:remove-configmap
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
@@ -18,30 +18,41 @@
metadata: null
spec:
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: bitnami/kubectl:1.28.5
+ image: bitnami/kubectl:1.30.2
imagePullPolicy: null
command:
- /bin/bash
- -c
- - "set -euo pipefail\nNAMESPACES=$(kubectl get namespaces --no-headers=true\
- \ | awk '{print $1}')\n\nfor ns in ${NAMESPACES[@]};\ndo\n COUNT=$(kubectl\
- \ get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print\
- \ $1}' | wc -l)\n\n if [ $COUNT -gt 0 ]; then\n echo \"deleting $COUNT\
- \ policyreports in namespace $ns\"\n kubectl get policyreports.wgpolicyk8s.io\
- \ -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete\
- \ -n $ns policyreports.wgpolicyk8s.io\n else\n echo \"no policyreports\
- \ in namespace $ns\"\n fi\ndone\n\nCOUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io\
- \ --no-headers=true | awk '/pol/{print $1}' | wc -l)\n \nif [ $COUNT -gt\
- \ 0 ]; then\n echo \"deleting $COUNT clusterpolicyreports\"\n kubectl\
- \ get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print\
- \ $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io\nelse\n\
- \ echo \"no clusterpolicyreports\"\nfi\n"
+ - |
+ set -euo pipefail
+ NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
+
+ for ns in ${NAMESPACES[@]};
+ do
+ COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT policyreports in namespace $ns"
+ kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io
+ else
+ echo "no policyreports in namespace $ns"
+ fi
+ done
+
+ COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+ if [ $COUNT -gt 0 ]; then
+ echo "deleting $COUNT clusterpolicyreports"
+ kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
+ else
+ echo "no clusterpolicyreports"
+ fi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
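Review bot: in the rewritten block scalar, both delete pipelines list the reports a second time and pipe the names into `xargs kubectl delete` without `--no-run-if-empty`. If the reports disappear between the `COUNT` check and the second `kubectl get`, `kubectl delete` is called with no names, and under `set -euo pipefail` the hook Job fails. The script also expands `$ns` and `$COUNT` unquoted and iterates `${NAMESPACES[@]}` over what is a plain string, which only works because namespace names contain no whitespace. The logic is unchanged from the old escaped string, so this is a point to raise with the chart rather than a regression in this PR, but the new layout makes it easy to see: quote the expansions and add `-r` to both `xargs` calls.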
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
@@ -19,26 +19,18 @@
metadata: null
spec:
serviceAccount: kyverno-migrate-resources
restartPolicy: Never
containers:
- name: kubectl
- image: ghcr.io/kyverno/kyverno-cli:v1.12.6
+ image: ghcr.io/kyverno/kyverno-cli:v1.13.0
imagePullPolicy: IfNotPresent
args:
- migrate
- --resource
- - admissionreports.kyverno.io
- - --resource
- - backgroundscanreports.kyverno.io
- - --resource
- cleanuppolicies.kyverno.io
- - --resource
- - clusteradmissionreports.kyverno.io
- - --resource
- - clusterbackgroundscanreports.kyverno.io
- --resource
- clustercleanuppolicies.kyverno.io
- --resource
- clusterpolicies.kyverno.io
- --resource
- globalcontextentries.kyverno.io
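Review bot: the `args` list no longer passes `admissionreports.kyverno.io`, `backgroundscanreports.kyverno.io`, `clusteradmissionreports.kyverno.io` and `clusterbackgroundscanreports.kyverno.io` to `migrate`, so this Job will not touch stored objects of those four kinds any more. Check whether those CRDs and any objects under them still exist in the cluster after the upgrade, and decide explicitly whether to remove them, rather than leaving unmanaged CRDs behind that no controller or migration step looks at.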
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
@@ -7,25 +7,25 @@
labels:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
- helm.sh/hook: pre-delete
+ helm.sh/hook: post-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: '10'
spec:
backoffLimit: 2
template:
metadata: null
spec:
serviceAccount: kyverno-remove-configmap
restartPolicy: Never
containers:
- name: kubectl
- image: bitnami/kubectl:1.28.5
+ image: bitnami/kubectl:1.30.2
imagePullPolicy: null
command:
- /bin/bash
- -c
- |-
set -euo pipefail
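Review bot: `image: bitnami/kubectl:1.30.2` is referenced by mutable tag, and `imagePullPolicy: null` leaves the pull behaviour to the cluster default, so what runs in this hook is whatever that tag resolves to on the node at the time. The container executes with the `kyverno-remove-configmap` ServiceAccount, and the same image is used by the clean-reports and scale-to-zero Jobs, which run as `kyverno-admission-controller`. If the chart exposes an image override for its hook Jobs, pin it by digest in the HelmRelease values, or enforce digest pinning for the `kyverno` namespace through admission policy.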
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
@@ -19,13 +19,13 @@
metadata: null
spec:
serviceAccount: kyverno-admission-controller
restartPolicy: Never
containers:
- name: kubectl
- image: bitnami/kubectl:1.28.5
+ image: bitnami/kubectl:1.30.2
imagePullPolicy: null
command:
- /bin/bash
- -c
- |-
set -euo pipefail
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:admission-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:admission-controller:view
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: kyverno
+
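Review bot: `roleRef.name: view` binds the built-in `view` ClusterRole to `kyverno-admission-controller` through a ClusterRoleBinding, which gives that ServiceAccount read access to most namespaced resources in every namespace. The two bindings that follow do the same for `kyverno-background-controller` and `kyverno-reports-controller`. `view` does not include Secrets, but this is still a broader grant than a per-resource ClusterRole, and it widens automatically when other ClusterRoles aggregate into `view`. Record this as an accepted privilege increase for the 3.3.x upgrade, and check whether the chart lets you disable these bindings if your policies only need a known set of resource kinds.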
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:background-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:background-controller:view
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: kyverno
+
--- HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller:view
+++ HelmRelease: kyverno/kyverno ClusterRoleBinding: kyverno/kyverno:reports-controller:view
@@ -0,0 +1,19 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kyverno:reports-controller:view
+ labels:
+ app.kubernetes.io/component: reports-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: kyverno-reports-controller
+ namespace: kyverno
+ |
spicerabot (bot) force-pushed the renovate/kyverno-3.x branch 11 times, most recently from dc6b329 to 98849d7 (October 31, 2024 09:08)
spicerabot (bot) changed the title from "feat(container): update image kyverno to v3.3.0" to "feat(container): update image kyverno to v3.3.1" (Oct 31, 2024)
spicerabot (bot) force-pushed the renovate/kyverno-3.x branch 3 times, most recently from 37076ce to a6175d5 (November 1, 2024 11:08)
spicerabot (bot) changed the title from "feat(container): update image kyverno to v3.3.1" to "feat(container): update image kyverno to v3.3.2" (Nov 1, 2024)
spicerabot (bot) force-pushed the renovate/kyverno-3.x branch 7 times, most recently from 6c1bb7b to 1f7619b (November 3, 2024 16:09)
spicerabot (bot) force-pushed the renovate/kyverno-3.x branch 26 times, most recently from 0d66365 to d547f43 (November 12, 2024 01:35)
spicerabot (bot) force-pushed the renovate/kyverno-3.x branch from d547f43 to a8543d4 (November 12, 2024 06:10)
This PR contains the following updates:
3.2.8 -> 3.3.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.