⬆️ kyverno 3.0.5

2025-09-17 18:24:14 +02:00 · 2023-08-26 10:53:59 +02:00
parent a69307a984
commit 094893c610
3 changed files with 56 additions and 17 deletions
--- a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
+++ b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
@@ -10,7 +10,7 @@ spec:
  chart:
    spec:
      chart: kyverno
-      version: 2.7.5
+      version: 3.0.5
      sourceRef:
        kind: HelmRepository
        name: kyverno
@@ -29,14 +29,55 @@ spec:
  uninstall:
    keepHistory: false
  values:
-    installCRDs: true
-    replicaCount: 1
-    serviceMonitor:
+    crds:
+      install: true
+    grafana:
      enabled: true
-    topologySpreadConstraints:
-      - maxSkew: 1
-        topologyKey: kubernetes.io/hostname
-        whenUnsatisfiable: DoNotSchedule
-        labelSelector:
-          matchLabels:
-            app.kubernetes.io/instance: kyverno
+      annotations:
+        grafana_folder: System
+    backgroundController:
+      serviceMonitor:
+        enabled: true
+      rbac:
+        clusterRole:
+          extraResources:
+            - apiGroups:
+                - ""
+              resources:
+                - pods
+              verbs:
+                - create
+                - update
+                - patch
+                - delete
+                - get
+                - list
+    cleanupController:
+      serviceMonitor:
+        enabled: true
+    reportsController:
+      serviceMonitor:
+        enabled: true
+    admissionController:
+      replicas: 3
+      serviceMonitor:
+        enabled: true
+      rbac:
+        clusterRole:
+          extraResources:
+            - apiGroups:
+                - ""
+              resources:
+                - pods
+              verbs:
+                - create
+                - update
+                - delete
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/instance: kyverno
+              app.kubernetes.io/component: kyverno
--- a/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml
@@ -3,4 +3,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./delete-cpu-limits.yaml
+  - ./remove-cpu-limits.yaml
--- a/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml
@@ -7,20 +7,19 @@ metadata:
  annotations:
    policies.kyverno.io/title: Remove CPU limits
    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      This policy removes CPU limits from all Pods.
    pod-policies.kyverno.io/autogen-controllers: none
 spec:
-  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: remove-containers-cpu-limits
      match:
        any:
          - resources:
-              kinds:
-                - Pod
+              kinds: ["Pod"]
      mutate:
        foreach:
          - list: "request.object.spec.containers"
@@ -31,8 +30,7 @@ spec:
      match:
        any:
          - resources:
-              kinds:
-                - Pod
+              kinds: ["Pod"]
      preconditions:
        all:
          - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}"