diff --git a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
index 2087464ce..f2e4aae9c 100644
--- a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
+++ b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
 chart:
 spec:
 chart: kyverno
- version: 2.7.5
+ version: 3.0.5
 sourceRef:
 kind: HelmRepository
 name: kyverno
@@ -29,14 +29,55 @@ spec:
 uninstall:
 keepHistory: false
 values:
- installCRDs: true
- replicaCount: 1
- serviceMonitor:
+ crds:
+ install: true
+ grafana:
 enabled: true
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: kyverno
+ annotations:
+ grafana_folder: System
+ backgroundController:
+ serviceMonitor:
+ enabled: true
+ rbac:
+ clusterRole:
+ extraResources:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
+ cleanupController:
+ serviceMonitor:
+ enabled: true
+ reportsController:
+ serviceMonitor:
+ enabled: true
+ admissionController:
+ replicas: 3
+ serviceMonitor:
+ enabled: true
+ rbac:
+ clusterRole:
+ extraResources:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - update
+ - delete
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/component: kyverno
diff --git a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
index f0fc66ffe..5e3e3fac3 100644
--- a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
@@ -3,4 +3,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./delete-cpu-limits.yaml
+ - ./remove-cpu-limits.yaml
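Review bot: The `rbac.clusterRole.extraResources` entries added under `backgroundController` and `admissionController` in the `values:` hunk of helmrelease.yaml grant cluster-wide `create`, `update` and `delete` on core `pods` (plus `patch`, `get` and `list` for the background controller), which is more than the one policy this diff shows appears to need. The remove-cpu-limits rules patch `request.object` at admission time and this same commit drops `mutateExistingOnPolicyUpdate`, so as far as the diff shows nothing requires Kyverno's service accounts to write Pods through the API, and Pod `create` in every namespace is a strong privilege to leave on a controller. I would remove both `extraResources` blocks, or, if a policy outside this diff mutates existing Pods, keep only the background controller's entry narrowed to `get`, `list`, `update` and `patch`, with a comment naming the policy that needs it. Separately, please confirm that the admission controller Pods really carry `app.kubernetes.io/component: kyverno`; if the chart labels them differently, the `topologySpreadConstraints` selector matches nothing and the three replicas may not be spread across nodes.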
diff --git a/kubernetes/apps/kyverno/kyverno/policies/delete-cpu-limits.yaml b/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml
similarity index 91%
rename from kubernetes/apps/kyverno/kyverno/policies/delete-cpu-limits.yaml
rename to kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml
index f89e42e55..a16c63fe9 100644
--- a/kubernetes/apps/kyverno/kyverno/policies/delete-cpu-limits.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml
@@ -7,20 +7,19 @@ metadata:
 annotations:
 policies.kyverno.io/title: Remove CPU limits
 policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
 This policy removes CPU limits from all Pods.
 pod-policies.kyverno.io/autogen-controllers: none
 spec:
- mutateExistingOnPolicyUpdate: true
 generateExistingOnPolicyUpdate: true
 rules:
 - name: remove-containers-cpu-limits
 match:
 any:
 - resources:
- kinds:
- - Pod
+ kinds: ["Pod"]
 mutate:
 foreach:
 - list: "request.object.spec.containers"
@@ -31,8 +30,7 @@ spec:
 match:
 any:
 - resources:
- kinds:
- - Pod
+ kinds: ["Pod"]
 preconditions:
 all:
 - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"
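Review bot: `generateExistingOnPolicyUpdate: true` stays in `spec` in the first hunk after `mutateExistingOnPolicyUpdate` is removed, yet the only rule bodies visible in this file are `mutate` rules, so the remaining flag looks like it has no effect and implies existing resources are reprocessed when they are not. If no generate rule exists further down (the second rule's body continues past the last hunk), drop the line; otherwise add a comment such as `# applies only to the generate rule below; the mutate rules act at admission`. It would also help to say in `policies.kyverno.io/description` that Pods admitted before the policy was installed keep their CPU limits until they are recreated.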