diff --git a/apps.yaml b/apps.yaml
index eb90674d4c..72a26ed41d 100644
--- a/apps.yaml
+++ b/apps.yaml
@@ -139,7 +139,7 @@ appsInfo:
 isAlpha: true
 kyverno:
 title: Kyverno
- appVersion: 1.17.2
+ appVersion: 1.18.0
 repo: https://github.com/kyverno/kyverno
 maintainers: Nirmata
 relatedLinks:
diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml
index 74de7f078b..157445e9be 100644
--- a/chart/chart-index/Chart.yaml
+++ b/chart/chart-index/Chart.yaml
@@ -71,7 +71,7 @@ dependencies:
 version: 84.5.0
 repository: https://prometheus-community.github.io/helm-charts
 - name: kyverno
- version: 3.7.2
+ version: 3.8.0
 repository: https://kyverno.github.io/kyverno/
 - name: loki
 version: 6.55.0
diff --git a/charts/kyverno/Chart.lock b/charts/kyverno/Chart.lock
index 4162c5b600..ac0f0ba26a 100644
--- a/charts/kyverno/Chart.lock
+++ b/charts/kyverno/Chart.lock
@@ -1,10 +1,10 @@
 dependencies:
 - name: grafana
 repository: ""
- version: 3.7.2
+ version: 3.8.0
 - name: crds
 repository: ""
- version: 3.7.2
+ version: 3.8.0
 - name: kyverno-api
 repository: https://kyverno.github.io/api
 version: 0.0.1-alpha.2
@@ -14,5 +14,5 @@ dependencies:
 - name: reports-server
 repository: https://kyverno.github.io/reports-server/
 version: 0.1.6
-digest: sha256:a1539782e49a65e5702114dec4979f104e13afb9a2a286ff438b8eeb9a499161
-generated: "2026-04-23T21:15:16.784833+08:00"
+digest: sha256:9afcbe4924ea65f5148ef768ff42e1473278ab5c7836173c38e4bc778c90c3cf
+generated: "2026-04-29T12:39:35.411754+02:00"
diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index 951c4e5ec0..50dc58abf9 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -14,16 +14,16 @@ annotations:
 artifacthub.io/operator: "false"
 artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: v1.17.2
+appVersion: v1.18.0
 dependencies:
 - condition: grafana.enabled
 name: grafana
 repository: ""
- version: 3.7.2
+ version: 3.8.0
 - condition: crds.install
 name: crds
 repository: ""
- version: 3.7.2
+ version: 3.8.0
 - condition: crds.install
 name: kyverno-api
 repository: https://kyverno.github.io/api
@@ -56,4 +56,4 @@ name: kyverno
 sources:
 - https://github.com/kyverno/kyverno
 type: application
-version: 3.7.2
+version: 3.8.0
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index e16a911bb7..7585305795 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -2,7 +2,7 @@ Kubernetes Native Policy Management
-![Version: 3.7.2](https://img.shields.io/badge/Version-3.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.17.2](https://img.shields.io/badge/AppVersion-v1.17.2-informational?style=flat-square)
+![Version: 3.8.0](https://img.shields.io/badge/Version-3.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.18.0](https://img.shields.io/badge/AppVersion-v1.18.0-informational?style=flat-square)
 ## About
@@ -293,7 +293,10 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | | crds.migration.podResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | crds.migration.podResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| crds.migration.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | +| crds.migration.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount. When set to false, a projected service account token is used instead which provides time-limited and audience-bound tokens for improved security. | +| crds.migration.serviceAccount.projectedServiceAccountToken | object | `{"audience":"","expirationSeconds":3600}` | Projected service account token configuration (only used when automountServiceAccountToken is false) | +| crds.migration.serviceAccount.projectedServiceAccountToken.expirationSeconds | int | `3600` | Token expiration time in seconds. The kubelet will request a new token before the token expires. | +| crds.migration.serviceAccount.projectedServiceAccountToken.audience | string | `""` | Audience for the projected service account token. If not set, the token will have no audience restriction. | ### Config 
@@ -310,6 +313,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | config.excludeRoles | list | `[]` | Exclude roles | | config.excludeClusterRoles | list | `[]` | Exclude roles | | config.generateSuccessEvents | bool | `false` | Generate success events. | +| config.successEventActions | string | "" (empty, all success events are emitted when generateSuccessEvents is true) | Comma-separated list of event actions for which success events should be generated. When set, only success events matching the specified actions are emitted. Requires `generateSuccessEvents` to be `true`. Valid values: "Resource Mutated", "Resource Passed", "Resource Generated", "Resource Cleaned Up". Example: "Resource Mutated" or "Resource Mutated,Resource Generated". | | config.maxContextSize | string | 2Mi | Maximum cumulative size of context data during policy evaluation. Supports Kubernetes quantity format (e.g., 100Mi, 2Gi) or plain bytes (e.g., 2097152). Limits memory used by context variables to prevent unbounded growth. Increase if policies legitimately need large context data (e.g., processing large ConfigMaps). Set to 0 to disable the limit (not recommended for production). | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | | config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. | 
@@ -364,6 +368,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | features.generateMutatingAdmissionPolicy.enabled | bool | `false` | Enables the feature | | features.dumpPatches.enabled | bool | `false` | Enables the feature | | features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) | +| features.globalContext.apiCallTimeout | string | `"30s"` | Timeout for HTTP API calls made by policies. A value of 0s means no timeout. | | features.logging.format | string | `"text"` | Logging format | | features.logging.verbosity | int | `2` | Logging verbosity | | features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | @@ -386,6 +391,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | admissionController.autoscaling.minReplicas | int | `1` | Minimum number of pods | | admissionController.autoscaling.maxReplicas | int | `10` | Maximum number of pods | | admissionController.autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilization percentage | +| admissionController.autoscaling.targetMemoryUtilizationPercentage | int | `nil` | Target memory utilization percentage | | admissionController.autoscaling.behavior | object | `{}` | Configurable scaling behavior | | admissionController.featuresOverride | object | `{"admissionReports":{"backPressureThreshold":1000}}` | Overrides features defined at the root level | | admissionController.featuresOverride.admissionReports.backPressureThreshold | int | `1000` | Max number of admission reports allowed in flight until the admission controller stops creating new ones | 
@@ -394,7 +400,10 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | admissionController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | | admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | -| admissionController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | +| admissionController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount. When set to false, a projected service account token is used instead which provides time-limited and audience-bound tokens for improved security. | +| admissionController.rbac.serviceAccount.projectedServiceAccountToken | object | `{"audience":"","expirationSeconds":3600}` | Projected service account token configuration (only used when automountServiceAccountToken is false) | +| admissionController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | int | `3600` | Token expiration time in seconds. The kubelet will request a new token before the token expires. | +| admissionController.rbac.serviceAccount.projectedServiceAccountToken.audience | string | `""` | Audience for the projected service account token. If not set, the token will have no audience restriction. | | admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. 
The certificates won't be automatically renewed if this is set to `true`. | @@ -420,6 +429,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | admissionController.crdWatcher | bool | `false` | Enable/Disable custom resource watcher to invalidate cache | | admissionController.podLabels | object | `{}` | Additional labels to add to each pod | | admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| admissionController.labels | object | `{}` | Deployment labels. | | admissionController.annotations | object | `{}` | Deployment annotations. | | admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | admissionController.priorityClassName | string | `""` | Optional priority class | 
@@ -456,7 +466,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy | | admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | | admissionController.initContainer.extraArgs | object | `{}` | Additional container args. | | admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. | | admissionController.container.image.registry | string | `nil` | Image registry | 
@@ -466,11 +476,13 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | | admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | -| admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | | admissionController.container.extraArgs | object | `{}` | Additional container args. | | admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. | | admissionController.extraInitContainers | list | `[]` | Array of extra init containers | | admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | +| admissionController.extraVolumes | list | `[]` | Additional volumes to be mounted in the pod | +| admissionController.extraVolumeMounts | list | `[]` | Additional volumeMounts to be mounted to the main container | | admissionController.service.port | int | `443` | Service port. | | admissionController.service.type | string | `"ClusterIP"` | Service type. | | admissionController.service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | 
@@ -501,6 +513,8 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | admissionController.metering.disabled | bool | `false` | Disable metrics export | | admissionController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | | admissionController.metering.port | int | `8000` | Prometheus endpoint port | +| admissionController.metering.secure | bool | `false` | Is TLS required for endpoint | +| admissionController.metering.tlsKeyAlgorithm | string | `"RSA"` | Key algorithm for self-signed TLS certificates. Supported values: RSA, ECDSA, Ed25519 | | admissionController.metering.collector | string | `""` | Otel collector endpoint | | admissionController.metering.creds | string | `""` | Otel collector credentials | | admissionController.profiling.enabled | bool | `false` | Enable profiling | 
@@ -519,7 +533,10 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | backgroundController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | | backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | -| backgroundController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | +| backgroundController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount. When set to false, a projected service account token is used instead which provides time-limited and audience-bound tokens for improved security. | +| backgroundController.rbac.serviceAccount.projectedServiceAccountToken | object | `{"audience":"","expirationSeconds":3600}` | Projected service account token configuration (only used when automountServiceAccountToken is false) | +| backgroundController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | int | `3600` | Token expiration time in seconds. The kubelet will request a new token before the token expires. | +| backgroundController.rbac.serviceAccount.projectedServiceAccountToken.audience | string | `""` | Audience for the projected service account token. If not set, the token will have no audience restriction. | | backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | backgroundController.image.registry | string | `nil` | Image registry | 
@@ -533,6 +550,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | backgroundController.resyncPeriod | string | `"15m"` | Resync period for informers | | backgroundController.podLabels | object | `{}` | Additional labels to add to each pod | | backgroundController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| backgroundController.labels | object | `{}` | Deployment labels. | | backgroundController.annotations | object | `{}` | Deployment annotations. | | backgroundController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | backgroundController.priorityClassName | string | `""` | Optional priority class | 
@@ -551,13 +569,15 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | backgroundController.nodeAffinity | object | `{}` | Node affinity constraints. | | backgroundController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | | backgroundController.podSecurityContext | object | `{}` | Security context for the pod | -| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | | backgroundController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | | backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | | backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | backgroundController.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `nil` | Unhealthy pod eviction policy to be used. Possible values are `IfHealthyBudget` or `AlwaysAllow`. 
| | backgroundController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | | backgroundController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.backgroundController.caCertificates.data` is defined | +| backgroundController.extraVolumes | list | `[]` | Additional volumes to be mounted in the pod | +| backgroundController.extraVolumeMounts | list | `[]` | Additional volumeMounts to be mounted to the main container | | backgroundController.metricsService.create | bool | `true` | Create service. | | backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | | backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. | @@ -583,6 +603,8 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | backgroundController.metering.disabled | bool | `false` | Disable metrics export | | backgroundController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | | backgroundController.metering.port | int | `8000` | Prometheus endpoint port | +| backgroundController.metering.secure | bool | `false` | Is TLS required for endpoint | +| backgroundController.metering.tlsKeyAlgorithm | string | `"RSA"` | Key algorithm for self-signed TLS certificates. Supported values: RSA, ECDSA, Ed25519 | | backgroundController.metering.collector | string | `""` | Otel collector endpoint | | backgroundController.metering.creds | string | `""` | Otel collector credentials | | backgroundController.server | object | `{"port":9443}` | backgroundController server port in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to | 
@@ -600,7 +622,10 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | cleanupController.rbac.create | bool | `true` | Create RBAC resources | | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | | cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | -| cleanupController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | +| cleanupController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount. When set to false, a projected service account token is used instead which provides time-limited and audience-bound tokens for improved security. | +| cleanupController.rbac.serviceAccount.projectedServiceAccountToken | object | `{"audience":"","expirationSeconds":3600}` | Projected service account token configuration (only used when automountServiceAccountToken is false) | +| cleanupController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | int | `3600` | Token expiration time in seconds. The kubelet will request a new token before the token expires. | +| cleanupController.rbac.serviceAccount.projectedServiceAccountToken.audience | string | `""` | Audience for the projected service account token. If not set, the token will have no audience restriction. | | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | cleanupController.tlsKeyAlgorithm | string | `"RSA"` | Key algorithm for self-signed TLS certificates. Supported values: RSA, ECDSA, Ed25519 Only used when createSelfSignedCert is false (Kyverno-managed certificates). | 
@@ -630,6 +655,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | cleanupController.resyncPeriod | string | `"15m"` | Resync period for informers | | cleanupController.podLabels | object | `{}` | Additional labels to add to each pod | | cleanupController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| cleanupController.labels | object | `{}` | Deployment labels. | | cleanupController.annotations | object | `{}` | Deployment annotations. | | cleanupController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | cleanupController.priorityClassName | string | `""` | Optional priority class | 
@@ -652,11 +678,13 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | cleanupController.nodeAffinity | object | `{}` | Node affinity constraints. | | cleanupController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | | cleanupController.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| cleanupController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | | cleanupController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | | cleanupController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | | cleanupController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | cleanupController.podDisruptionBudget.unhealthyPodEvictionPolicy | string | `nil` | Unhealthy pod eviction policy to be used. Possible values are `IfHealthyBudget` or `AlwaysAllow`. | +| cleanupController.extraVolumes | list | `[]` | Additional volumes to be mounted in the pod | +| cleanupController.extraVolumeMounts | list | `[]` | Additional volumeMounts to be mounted to the main container | | cleanupController.service.port | int | `443` | Service port. 
| | cleanupController.service.type | string | `"ClusterIP"` | Service type. | | cleanupController.service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. | @@ -687,6 +715,8 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | cleanupController.metering.disabled | bool | `false` | Disable metrics export | | cleanupController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | | cleanupController.metering.port | int | `8000` | Prometheus endpoint port | +| cleanupController.metering.secure | bool | `false` | Is TLS required for endpoint | +| cleanupController.metering.tlsKeyAlgorithm | string | `"RSA"` | Key algorithm for self-signed TLS certificates. Supported values: RSA, ECDSA, Ed25519 | | cleanupController.metering.collector | string | `""` | Otel collector endpoint | | cleanupController.metering.creds | string | `""` | Otel collector credentials | | cleanupController.profiling.enabled | bool | `false` | Enable profiling | 
@@ -705,7 +735,10 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | reportsController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | | reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | -| reportsController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | +| reportsController.rbac.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount. When set to false, a projected service account token is used instead which provides time-limited and audience-bound tokens for improved security. | +| reportsController.rbac.serviceAccount.projectedServiceAccountToken | object | `{"audience":"","expirationSeconds":3600}` | Projected service account token configuration (only used when automountServiceAccountToken is false) | +| reportsController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | int | `3600` | Token expiration time in seconds. The kubelet will request a new token before the token expires. | +| reportsController.rbac.serviceAccount.projectedServiceAccountToken.audience | string | `""` | Audience for the projected service account token. If not set, the token will have no audience restriction. | | reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | reportsController.image.registry | string | `nil` | Image registry | 
@@ -719,6 +752,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | reportsController.resyncPeriod | string | `"15m"` | Resync period for informers | | reportsController.podLabels | object | `{}` | Additional labels to add to each pod | | reportsController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| reportsController.labels | object | `{}` | Deployment labels. | | reportsController.annotations | object | `{}` | Deployment annotations. | | reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | reportsController.priorityClassName | string | `""` | Optional priority class | 
@@ -739,7 +773,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | reportsController.nodeAffinity | object | `{}` | Node affinity constraints. | | reportsController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | | reportsController.podSecurityContext | object | `{}` | Security context for the pod | -| reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | | reportsController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | | reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | | reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | 
@@ -748,6 +782,8 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. | | reportsController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | | reportsController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.reportsController.caCertificates.data` is defined | +| reportsController.extraVolumes | list | `[]` | Additional volumes to be mounted in the pod | +| reportsController.extraVolumeMounts | list | `[]` | Additional volumeMounts to be mounted to the main container | | reportsController.metricsService.create | bool | `true` | Create service. | | reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | | reportsController.metricsService.type | string | `"ClusterIP"` | Service type. | 
@@ -773,6 +809,8 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | reportsController.metering.disabled | bool | `false` | Disable metrics export | | reportsController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | | reportsController.metering.port | int | `8000` | Prometheus endpoint port | +| reportsController.metering.secure | bool | `false` | Is TLS required for endpoint | +| reportsController.metering.tlsKeyAlgorithm | string | `"RSA"` | Key algorithm for self-signed TLS certificates. Supported values: RSA, ECDSA, Ed25519 | | reportsController.metering.collector | string | `nil` | Otel collector endpoint | | reportsController.metering.creds | string | `nil` | Otel collector credentials | | reportsController.server | object | `{"port":9443}` | reportsController server port in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to | 
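Review bot: The new `reportsController.metering.secure` row says only "Is TLS required for endpoint" and the `tlsKeyAlgorithm` row says the certificate is self-signed, so a reader cannot tell what a scraper must do to verify that endpoint; a self-signed certificate gives confidentiality only if the scraper trusts it, and a scraper configured to skip verification gains no endpoint authentication over plaintext. I would extend the values comment that generates the `secure` row to `# -- Serve the metrics endpoint over TLS with a self-signed certificate; scrapers must trust that certificate (skipping verification removes endpoint authentication)`. It would also help to state which RSA key size is used and whether the certificate is regenerated on every restart, neither of which is visible in this hunk. This table is generated from values.yaml, so the wording belongs in the `# --` comment there.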
@@ -798,10 +836,9 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | Key | Type | Default | Description | |-----|------|---------|-------------| | webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. | -| webhooksCleanup.autoDeleteWebhooks.enabled | bool | `false` | Allow webhooks controller to delete webhooks using finalizers | -| webhooksCleanup.image.registry | string | `"registry.k8s.io"` | Image registry | -| webhooksCleanup.image.repository | string | `"kubectl"` | Image repository | -| webhooksCleanup.image.tag | string | `"v1.34.3"` | Image tag Defaults to `latest` if omitted | +| webhooksCleanup.image.registry | string | `"ghcr.io"` | Image registry | +| webhooksCleanup.image.repository | string | `"kyverno/readiness-checker"` | Image repository | +| webhooksCleanup.image.tag | string | `nil` | Image tag Defaults to `latest` if omitted | | webhooksCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets | | webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod | 
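Review bot: The pre-delete hook image now ships without a default tag (`webhooksCleanup.image.tag` is `nil`, documented as "Defaults to `latest` if omitted"), replacing the previously pinned `registry.k8s.io/kubectl:v1.34.3`; a hook that holds RBAC to delete webhook configurations is the wrong place for a mutable tag, because whoever can push `latest` to that repository runs with those permissions at uninstall time. The chart should ship a pinned tag or digest for `ghcr.io/kyverno/readiness-checker` (or derive it from the chart version the way the controller images appear to, if the image helper supports that — not visible here), and the description should state the effective default rather than `latest`. The same pin was dropped from `test.image.tag` in the Test section, which previously defaulted to `v0.1.0`. This row is generated from values.yaml, so both the default and its `# --` comment need to change there.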
@@ -815,7 +852,10 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | | webhooksCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | webhooksCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| webhooksCleanup.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | +| webhooksCleanup.serviceAccount.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount. When set to false, a projected service account token is used instead which provides time-limited and audience-bound tokens for improved security. | +| webhooksCleanup.serviceAccount.projectedServiceAccountToken | object | `{"audience":"","expirationSeconds":3600}` | Projected service account token configuration (only used when automountServiceAccountToken is false) | +| webhooksCleanup.serviceAccount.projectedServiceAccountToken.expirationSeconds | int | `3600` | Token expiration time in seconds. The kubelet will request a new token before the token expires. | +| webhooksCleanup.serviceAccount.projectedServiceAccountToken.audience | string | `""` | Audience for the projected service account token. If not set, the token will have no audience restriction. | ### Test 
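Review bot: The new description for `webhooksCleanup.serviceAccount.projectedServiceAccountToken.audience` says an empty value means "the token will have no audience restriction", which is not how a projected token volume behaves: when `audience` is omitted the kubelet requests the token with the API server's default audience, which is exactly what a hook that calls the API to delete webhooks needs. A custom audience would make the token unusable against the API server, so the wording should steer users the other way; I would change the values comment to `# -- Audience for the projected token. Leave empty so the token carries the API server's default audience (required for the hook to call the API); set a custom audience only if the token is meant for another service.` The same text appears for `test.projectedServiceAccountToken.audience` in the next hunk. Both rows are generated from values.yaml, so the change belongs there.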
@@ -824,13 +864,16 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | test.sleep | int | `20` | Sleep time before running test | | test.image.registry | string | `"ghcr.io"` | Image registry | | test.image.repository | string | `"kyverno/readiness-checker"` | Image repository | -| test.image.tag | string | `"v0.1.0"` | Image tag Defaults to `latest` if omitted | +| test.image.tag | string | `nil` | Image tag Defaults to `latest` if omitted | | test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | test.imagePullSecrets | list | `[]` | Image pull secrets | | test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | | test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | | test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | -| test.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount | +| test.automountServiceAccountToken | bool | `true` | Toggle automounting of the ServiceAccount. When set to false, a projected service account token is used instead which provides time-limited and audience-bound tokens for improved security. | +| test.projectedServiceAccountToken | object | `{"audience":"","expirationSeconds":3600}` | Projected service account token configuration (only used when automountServiceAccountToken is false) | +| test.projectedServiceAccountToken.expirationSeconds | int | `3600` | Token expiration time in seconds. The kubelet will request a new token before the token expires. | +| test.projectedServiceAccountToken.audience | string | `""` | Audience for the projected service account token. 
If not set, the token will have no audience restriction. | | test.nodeSelector | object | `{}` | Node labels for pod assignment | | test.podAnnotations | object | `{}` | Additional Pod annotations | | test.tolerations | list | `[]` | List of node taints to tolerate | @@ -851,6 +894,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | global.crdWatcher | bool | `false` | Enable/Disable custom resource watcher to invalidate cache | | global.caCertificates.data | string | `nil` | Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value | | global.caCertificates.volume | object | `{}` | Global value to set single volume to be mounted for CA certificates for all deployments. Not used when `.Values.global.caCertificates.data` is defined Individual controller values will override this global value | +| global.priorityClassName | string | `""` | Global priority class name for pod priority. Non-global values will override the global value. | | global.extraEnvVars | list | `[]` | Additional container environment variables to apply to all containers and init containers | | global.nodeSelector | object | `{}` | Global node labels for pod assignment. Non-global values will override the global value. | | global.tolerations | list | `[]` | Global List of node taints to tolerate. Non-global values will override the global value. | 
@@ -864,7 +908,7 @@ The default audience is Kyverno-specific so leaked tokens are not accepted by th | reportsServer.enabled | bool | `false` | Enable reports-server deployment alongside Kyverno | | reportsServer.waitForReady | bool | `true` | Wait for reports-server to be ready before starting Kyverno components | | reportsServer.readinessTimeout | string | `"300s"` | Timeout for waiting for reports-server readiness (as duration string, e.g. 300s, 5m) | -| apiCallToken | object | `{"audience":"kyverno-svc.kyverno.io","expirationSeconds":3600}` | Scoped token injected into outbound APICall and CEL HTTP requests. This token carries a custom audience so that if leaked to an external service it cannot be replayed against the Kubernetes API server. | +| apiCallToken | object | `{"audience":"kyverno-svc.kyverno.io","expirationSeconds":3600}` | Scoped token injected into outbound APICall and CEL http requests. This token carries a custom audience so that if leaked to an external service it cannot be replayed against the Kubernetes API server. | | apiCallToken.audience | string | `"kyverno-svc.kyverno.io"` | Audience for the projected token used in outbound requests. Set this to the audience your receiving service validates in the OIDC token's `aud` claim. The default is `kyverno-svc.kyverno.io`, which is a Kyverno-specific audience and prevents the token from being accepted by the Kubernetes API server. | | apiCallToken.expirationSeconds | int | `3600` | Token lifetime in seconds for the projected outbound API call token. The default is `3600` (1 hour). The kubelet requests a replacement before the token expires, so lowering this reduces token lifetime while increasing rotation frequency. | | imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument | 
@@ -930,8 +974,8 @@ Kubernetes: `>=1.25.0-0` | Repository | Name | Version | |------------|------|---------| -| | crds | 3.7.2 | -| | grafana | 3.7.2 | +| | crds | 3.8.0 | +| | grafana | 3.8.0 | | https://kyverno.github.io/api | kyverno-api | 0.0.1-alpha.2 | | https://kyverno.github.io/reports-server/ | reports-server | 0.1.6 | | https://openreports.github.io/reports-api | openreports | 0.1.0 | diff --git a/charts/kyverno/charts/crds/Chart.yaml b/charts/kyverno/charts/crds/Chart.yaml index b48796cb14..87169c28e4 100644 --- a/charts/kyverno/charts/crds/Chart.yaml +++ b/charts/kyverno/charts/crds/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 name: crds -version: 3.7.2 +version: 3.8.0 diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md index 19d0a45004..f385d412bc 100644 --- a/charts/kyverno/charts/crds/README.md +++ b/charts/kyverno/charts/crds/README.md @@ -1,6 +1,6 @@ # crds -![Version: 3.7.2](https://img.shields.io/badge/Version-3.7.2-informational?style=flat-square) +![Version: 3.8.0](https://img.shields.io/badge/Version-3.8.0-informational?style=flat-square) ## Values diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml index c9583d403d..90c6080200 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml @@ -319,7 +319,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
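Review bot: The updated `secrets` description in the cleanuppolicies CRD (hunk `@@ -319,7 +319,8 @@`) now allows `namespace/name` and says imagePullSecrets from the resource namespace are also used, but it does not say who may reference a secret outside the Kyverno namespace; if a namespaced policy author can write `other-ns/registry-creds`, the controller would presumably authenticate to registries with credentials that author cannot read, and that boundary needs to be stated for cluster admins. I cannot tell from this hunk whether the controller restricts cross-namespace references to cluster-scoped policies or to the policy's own namespace, so the Go type comment that generates this text should say which, e.g. `Namespaced policies may only reference secrets in their own namespace or the Kyverno namespace` if that is what the code enforces. It should also note that resolving imagePullSecrets from arbitrary resource namespaces requires the controller's ClusterRole to grant `get` on secrets cluster-wide, which users tightening RBAC need to know. This file is generated by controller-gen, so the wording belongs in the API type, not here.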
@@ -1612,7 +1613,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml index 32c7c1e97f..657e353616 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml @@ -319,7 +319,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -1612,7 +1613,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 0b0f118544..bda5dcb397 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 
@@ -356,7 +356,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -1396,7 +1397,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -2481,7 +2483,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -2864,7 +2867,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -3621,7 +3625,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -4962,7 +4967,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -5440,7 +5446,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -6491,7 +6498,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -7588,7 +7596,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -7980,7 +7989,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -8750,7 +8760,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -10115,7 +10126,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -10646,7 +10658,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -11480,7 +11493,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -12359,7 +12373,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -12742,7 +12757,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -13664,7 +13680,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -14986,7 +15003,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -15452,7 +15470,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -16503,7 +16522,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -17600,7 +17620,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -17992,7 +18013,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -18762,7 +18784,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -20127,7 +20150,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 168f8cae84..3e2306f0d8 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 
@@ -357,7 +357,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -1397,7 +1398,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -2482,7 +2484,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -2865,7 +2868,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -3622,7 +3626,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -4963,7 +4968,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -5442,7 +5448,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -6493,7 +6500,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -7590,7 +7598,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -7982,7 +7991,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -8752,7 +8762,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -10117,7 +10128,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -10649,7 +10661,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -11483,7 +11496,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -12362,7 +12376,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -12745,7 +12760,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -13667,7 +13683,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -14989,7 +15006,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -15455,7 +15473,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -16506,7 +16525,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array 
@@ -17603,7 +17623,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -17995,7 +18016,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -18765,7 +18787,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -20130,7 +20153,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array diff --git a/charts/kyverno/charts/grafana/Chart.yaml b/charts/kyverno/charts/grafana/Chart.yaml index cdd4733fa2..5c147bed66 100644 --- a/charts/kyverno/charts/grafana/Chart.yaml +++ b/charts/kyverno/charts/grafana/Chart.yaml @@ -1,3 +1,3 @@ apiVersion: v2 name: grafana -version: 3.7.2 +version: 3.8.0 diff --git a/charts/kyverno/charts/grafana/README.md b/charts/kyverno/charts/grafana/README.md index ef6fbde48c..2c0d834ff5 100644 --- a/charts/kyverno/charts/grafana/README.md +++ b/charts/kyverno/charts/grafana/README.md 
@@ -1,6 +1,6 @@ # grafana -![Version: 3.7.2](https://img.shields.io/badge/Version-3.7.2-informational?style=flat-square) +![Version: 3.8.0](https://img.shields.io/badge/Version-3.8.0-informational?style=flat-square) ## Values diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml index c07fb425f2..8327c156f0 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.7.2 - helm.sh/chart: crds-3.7.2 + app.kubernetes.io/version: 3.8.0 + helm.sh/chart: crds-3.8.0 annotations: controller-gen.kubebuilder.io/version: v0.20.0 name: cleanuppolicies.kyverno.io @@ -321,7 +321,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -1614,7 +1615,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml index 9649a3173e..d0707e2a9b 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 
@@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.7.2 - helm.sh/chart: crds-3.7.2 + app.kubernetes.io/version: 3.8.0 + helm.sh/chart: crds-3.8.0 annotations: controller-gen.kubebuilder.io/version: v0.20.0 name: clustercleanuppolicies.kyverno.io @@ -321,7 +321,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array @@ -1614,7 +1615,8 @@ spec: secrets: description: |- Secrets specifies a list of secrets that are provided for credentials. - Secrets must live in the Kyverno namespace. + Secrets can be specified as a name (Kyverno namespace) or namespace/name. + imagePullSecrets from the resource namespace are also used. items: type: string type: array diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml index 2051977367..4a0d235a71 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.7.2 - helm.sh/chart: crds-3.7.2 + app.kubernetes.io/version: 3.8.0 + helm.sh/chart: crds-3.8.0 annotations: controller-gen.kubebuilder.io/version: v0.20.0 name: clusterpolicies.kyverno.io 
@@ -358,7 +358,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -1398,7 +1399,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -2483,7 +2485,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -2866,7 +2869,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -3623,7 +3627,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -4964,7 +4969,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -5442,7 +5448,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -6493,7 +6500,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -7590,7 +7598,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -7982,7 +7991,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -8752,7 +8762,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -10117,7 +10128,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -10648,7 +10660,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -11482,7 +11495,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -12361,7 +12375,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -12744,7 +12759,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -13666,7 +13682,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -14988,7 +15005,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -15454,7 +15472,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -16505,7 +16524,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -17602,7 +17622,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -17994,7 +18015,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -18764,7 +18786,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -20129,7 +20152,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml
index 5c7af1d784..ac399e737c 100644
--- a/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml
+++ b/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: globalcontextentries.kyverno.io
diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml
index d8398c444d..a4040b6808 100644
--- a/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml
+++ b/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: policies.kyverno.io
@@ -359,7 +359,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -1399,7 +1400,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -2484,7 +2486,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -2867,7 +2870,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -3624,7 +3628,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -4965,7 +4970,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -5444,7 +5450,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -6495,7 +6502,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -7592,7 +7600,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -7984,7 +7993,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -8754,7 +8764,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -10119,7 +10130,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -10651,7 +10663,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -11485,7 +11498,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -12364,7 +12378,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -12747,7 +12762,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -13669,7 +13685,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -14991,7 +15008,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -15457,7 +15475,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -16508,7 +16527,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -17605,7 +17625,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -17997,7 +18018,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -18767,7 +18789,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
@@ -20132,7 +20155,8 @@ spec:
 secrets:
 description: |-
 Secrets specifies a list of secrets that are provided for credentials.
- Secrets must live in the Kyverno namespace.
+ Secrets can be specified as a name (Kyverno namespace) or namespace/name.
+ imagePullSecrets from the resource namespace are also used.
 items:
 type: string
 type: array
diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml
index 7b7b0697c8..956f607b92 100644
--- a/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml
+++ b/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: policyexceptions.kyverno.io
diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml
index 63e9fe2fd7..886329b107 100644
--- a/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml
+++ b/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: updaterequests.kyverno.io
diff --git a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
index df0194603e..cd3d391aff 100644
--- a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
+++ b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: clusterephemeralreports.reports.kyverno.io
diff --git a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
index 7424d7b2c4..8c0e402b22 100644
--- a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
+++ b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: ephemeralreports.reports.kyverno.io
diff --git a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
index cbcbb8bef8..8e340cc8ad 100644
--- a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
+++ b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: clusterpolicyreports.wgpolicyk8s.io
diff --git a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
index 838a138482..b60deff305 100644
--- a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
+++ b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml
@@ -8,8 +8,8 @@ metadata:
 app.kubernetes.io/instance: release-name
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: release-name-crds
- app.kubernetes.io/version: 3.7.2
- helm.sh/chart: crds-3.7.2
+ app.kubernetes.io/version: 3.8.0
+ helm.sh/chart: crds-3.8.0
 annotations:
 controller-gen.kubebuilder.io/version: v0.20.0
 name: policyreports.wgpolicyk8s.io
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl
index de4a8e2f28..bdf0044370 100644
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@@ -70,6 +70,7 @@
 {{- end -}}
 {{- with .globalContext -}}
 {{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}}
+ {{- $flags = append $flags (print "--apiCallTimeout=" .apiCallTimeout) -}}
 {{- end -}}
 {{- with .logging -}}
 {{- $flags = append $flags (print "--loggingFormat=" .format) -}}
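Review bot: The new `--apiCallTimeout=` flag in the `_helpers.tpl` hunk is appended unconditionally inside `with .globalContext`, so a values file that sets `globalContext` without `apiCallTimeout` emits the flag with an empty (or `<no value>`) argument, which the controller will presumably reject at startup rather than fall back to a default; the sibling `maxApiCallResponseLength` line at least coerces with `int`. Unless values.yaml (not in this diff) guarantees a default, guard it: `{{- with .apiCallTimeout -}}{{- $flags = append $flags (print "--apiCallTimeout=" .) -}}{{- end -}}`. The enclosing `define` block starts and ends outside this hunk.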
diff --git a/charts/kyverno/templates/admission-controller/_helpers.tpl b/charts/kyverno/templates/admission-controller/_helpers.tpl
index 0be041a2eb..ed1db87e41 100644
--- a/charts/kyverno/templates/admission-controller/_helpers.tpl
+++ b/charts/kyverno/templates/admission-controller/_helpers.tpl
@@ -6,6 +6,7 @@
 {{- define "kyverno.admission-controller.labels" -}}
 {{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.name" (include "kyverno.admission-controller.name" .))
 (include "kyverno.labels.common" .)
 (include "kyverno.admission-controller.matchLabels" .)
 ) -}}
@@ -36,4 +37,4 @@
 {{- define "kyverno.admission-controller.caCertificatesConfigMapName" -}}
 {{ printf "%s-ca-certificates" (include "kyverno.admission-controller.name" .) }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml
index bdb04e5289..ee64c9efa0 100644
--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@@ -16,14 +16,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: {{ template "kyverno.admission-controller.roleName" . }}:core
- {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }}
- {{- if not .Values.global.templating.enabled }}
- finalizers:
- - kyverno.io/webhooks
- - kyverno.io/exceptionwebhooks
- - kyverno.io/globalcontextwebhooks
- {{- end }}
- {{- end }}
 labels:
 {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
 rules:
@@ -203,31 +195,6 @@ rules:
 - get
 - list
 - watch
- {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }}
- {{- if not .Values.global.templating.enabled }}
- - apiGroups:
- rbac.authorization.k8s.io
- resources:
- - clusterroles
- - clusterrolebindings
- resourceNames:
- - {{ template "kyverno.admission-controller.roleName" . }}
- - {{ template "kyverno.admission-controller.roleName" . }}:core
- - {{ template "kyverno.admission-controller.roleName" . }}:temporary
- verbs:
- - get
- - patch
- - update
- - apiGroups:
- rbac.authorization.k8s.io
- resources:
- - clusterroles
- - clusterrolebindings
- verbs:
- - create
- - list
- {{- end }}
- {{- end }}
 {{- with .Values.admissionController.rbac.coreClusterRole.extraResources }}
 {{- toYaml . | nindent 2 }}
 {{- end }}
diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml
index 89f5edff16..e33acc8f68 100644
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@@ -5,16 +5,11 @@ kind: Deployment
 metadata:
 name: {{ template "kyverno.admission-controller.name" . }}
 namespace: {{ template "kyverno.namespace" . }}
- {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }}
- {{- if not .Values.global.templating.enabled }}
- finalizers:
- - kyverno.io/webhooks
- - kyverno.io/exceptionwebhooks
- - kyverno.io/globalcontextwebhooks
- {{- end }}
- {{- end }}
 labels:
 {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+ {{- with .Values.admissionController.labels }}
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
 {{- with .Values.admissionController.annotations }}
 annotations:
 {{- tpl (toYaml .) $ | nindent 4 }}
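Review bot: In the deployment.yaml hunk, `.Values.admissionController.labels` is rendered with `tpl (toYaml .)` directly beneath the labels produced by `kyverno.admission-controller.labels`, at the same indent, so a user value that reuses one of those keys (for example `app.kubernetes.io/component`) produces a duplicate mapping key in the rendered manifest; depending on the YAML parser that is either a silent last-wins or a render error. The chart already has a `kyverno.labels.merge` helper (used in the `_helpers.tpl` hunk above), so merging the user labels through it before emitting would give one well-defined result; at minimum, document in values.yaml that `admissionController.labels` must not override the generated selector labels, since the Deployment's matchLabels are derived from them. The same pattern appears in the background-controller deployment hunk `@@ -8,6 +8,9 @@`. The `metadata` block continues past the end of this hunk.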
@@ -62,7 +57,7 @@ spec:
 topologySpreadConstraints:
 {{- tpl (toYaml .) $ | nindent 8 }}
 {{- end }}
- {{- with .Values.admissionController.priorityClassName }}
+ {{- with .Values.admissionController.priorityClassName | default .Values.global.priorityClassName }}
 priorityClassName: {{ . | quote }}
 {{- end }}
 {{- with .Values.admissionController.hostNetwork }}
@@ -173,9 +168,6 @@ spec:
 - --webhookServerPort={{ .Values.admissionController.webhookServer.port }}
 - --resyncPeriod={{ .Values.admissionController.resyncPeriod | default .Values.global.resyncPeriod }}
 - --crdWatcher={{ .Values.admissionController.crdWatcher | default .Values.global.crdWatcher }}
- {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }}
- - --autoDeleteWebhooks
- {{- end }}
 {{- if .Values.admissionController.tracing.enabled }}
 - --enableTracing
 - --tracingAddress={{ .Values.admissionController.tracing.address }}
@@ -188,6 +180,11 @@ spec:
 {{- if not .Values.admissionController.metering.disabled }}
 - --otelConfig={{ .Values.admissionController.metering.config }}
 - --metricsPort={{ .Values.admissionController.metering.port }}
+ {{- if .Values.admissionController.metering.secure }}
+ - --metricsCASecretName={{ template "kyverno.admission-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-ca
+ - --metricsTLSSecretName={{ template "kyverno.admission-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-pair
+ - --metricsKeyAlgorithm={{ .Values.admissionController.metering.tlsKeyAlgorithm | default "RSA" }}
+ {{- end }}
 {{- with .Values.admissionController.metering.collector }}
 - --otelCollector={{ . }}
 {{- end }}
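Review bot: The `metering.secure` branch in the `@@ -188,6 +180,11 @@` hunk introduces a new contract, two Secrets named `<controller>.<namespace>.metering.kyverno-tls-ca` / `...kyverno-tls-pair`, but nothing in this diff shows who creates them or which RBAC lets the controller read or write them; presumably the controller self-provisions them the way it does its webhook certificates, but that is not visible here. A values.yaml comment on `metering.secure` along the lines of "enables TLS on the metrics endpoint; the controller manages the CA and serving-cert Secrets named `<name>.<ns>.metering.kyverno-tls-*` in its own namespace, and `tlsKeyAlgorithm` selects the key type (default RSA)" would let operators plan RBAC and scrape-side CA trust. The same flags are added to the background-controller deployment in hunk `@@ -118,6 +121,11 @@`, which the same comment should cover. The `args` list continues outside this hunk.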
@@ -304,6 +301,9 @@ spec:
 mountPath: /var/run/secrets/kubernetes.io/serviceaccount
 readOnly: true
 {{- end }}
+ {{- with .Values.admissionController.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumes:
 - name: sigstore
 {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }}
@@ -328,7 +328,7 @@ spec:
 path: token
 expirationSeconds: {{ .Values.apiCallToken.expirationSeconds | default 3600 }}
 {{- with .Values.apiCallToken.audience }}
- audience: {{ . | quote }}
+ audience: {{ . }}
 {{- end }}
 {{- if not $automountSAToken }}
 - name: serviceaccount-token
@@ -336,8 +336,11 @@ spec:
 defaultMode: 0444
 sources:
 - serviceAccountToken:
- expirationSeconds: 3607
+ expirationSeconds: {{ .Values.admissionController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | default 3600 }}
 path: token
+ {{- with .Values.admissionController.rbac.serviceAccount.projectedServiceAccountToken.audience }}
+ audience: {{ . }}
+ {{- end }}
 - configMap:
 name: kube-root-ca.crt
 items:
@@ -350,4 +353,7 @@ spec:
 apiVersion: v1
 fieldPath: metadata.namespace
 {{- end }}
+ {{- with .Values.admissionController.extraVolumes }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
 {{- end -}}
diff --git a/charts/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml b/charts/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml
index d8488c2d66..b29fc0284c 100644
--- a/charts/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml
+++ b/charts/kyverno/templates/admission-controller/horizontalpodautoscaler.yaml
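Review bot: Dropping `| quote` from `audience: {{ . | quote }}` in the `@@ -328,7 +328,7 @@` hunk means the audience string is now subject to YAML implicit typing: a value that looks like a number or boolean renders as a non-string and the projected-volume field is rejected, and a value containing `: ` or ` #` breaks the manifest; since the token audience is a security-relevant binding (the token is only valid for that audience), a silently mis-rendered value is worth avoiding. Unless the quoting was removed for a reason not visible here, keep `audience: {{ . | quote }}`, and apply the same to the new `projectedServiceAccountToken.audience` line in the `@@ -336,8 +336,11 @@` hunk and to the background-controller deployment hunk `@@ -201,7 +213,7 @@`. While there, the new `expirationSeconds` default of 3600 replaces the former 3607; if the odd value was deliberate (some clusters use non-round values to distinguish projected from legacy tokens), a one-line values.yaml comment explaining the choice would help. The `volumes` list runs past the end of the hunk.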
@@ -14,12 +14,22 @@ spec:
 minReplicas: {{ .Values.admissionController.autoscaling.minReplicas }}
 maxReplicas: {{ .Values.admissionController.autoscaling.maxReplicas }}
 metrics:
+ {{- if .Values.admissionController.autoscaling.targetCPUUtilizationPercentage }}
 - resource:
 name: cpu
 target:
 averageUtilization: {{ .Values.admissionController.autoscaling.targetCPUUtilizationPercentage }}
 type: Utilization
 type: Resource
+ {{- end }}
+ {{- if .Values.admissionController.autoscaling.targetMemoryUtilizationPercentage }}
+ - resource:
+ name: memory
+ target:
+ averageUtilization: {{ .Values.admissionController.autoscaling.targetMemoryUtilizationPercentage }}
+ type: Utilization
+ type: Resource
+ {{- end }}
 {{- with .Values.admissionController.autoscaling.behavior }}
 behavior:
 {{- tpl (toYaml .) $ | nindent 4 }}
diff --git a/charts/kyverno/templates/admission-controller/role.yaml b/charts/kyverno/templates/admission-controller/role.yaml
index a7dfc72ace..7fe0af3187 100644
--- a/charts/kyverno/templates/admission-controller/role.yaml
+++ b/charts/kyverno/templates/admission-controller/role.yaml
@@ -4,14 +4,6 @@ kind: Role
 metadata:
 name: {{ template "kyverno.admission-controller.roleName" . }}
 namespace: {{ template "kyverno.namespace" . }}
- {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }}
- {{- if not .Values.global.templating.enabled }}
- finalizers:
- - kyverno.io/webhooks
- - kyverno.io/exceptionwebhooks
- - kyverno.io/globalcontextwebhooks
- {{- end }}
- {{- end }}
 labels:
 {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
 rules:
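Review bot: With both utilization targets now optional in the horizontalpodautoscaler.yaml hunk, `metrics:` is still emitted unconditionally, so when neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set (or both are 0, which Go templates treat as false) the rendered HPA has `metrics: null`; the autoscaler then falls back to its API default (I believe 80% CPU) rather than "no metric", which is probably not what someone clearing both values expects. Guard the key as well: `{{- if or .Values.admissionController.autoscaling.targetCPUUtilizationPercentage .Values.admissionController.autoscaling.targetMemoryUtilizationPercentage }}` before `metrics:` with a matching `{{- end }}` after the memory block, or document the fallback in values.yaml. The `spec` block starts before this hunk.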
@@ -49,29 +41,6 @@ rules:
 - get
 - patch
 - update
- {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }}
- {{- if not .Values.global.templating.enabled }}
- - apiGroups:
- rbac.authorization.k8s.io
- resources:
- - roles
- - rolebindings
- resourceNames:
- - {{ template "kyverno.admission-controller.roleName" . }}
- - {{ template "kyverno.admission-controller.roleName" . }}:temporary
- verbs:
- - get
- - patch
- - update
- - apiGroups:
- rbac.authorization.k8s.io
- resources:
- - roles
- - rolebindings
- verbs:
- - create
- {{- end }}
- {{- end }}
 # Allow update of Kyverno deployment annotations
 - apiGroups:
 - apps
diff --git a/charts/kyverno/templates/admission-controller/rolebinding.yaml b/charts/kyverno/templates/admission-controller/rolebinding.yaml
index 47a9fcf7f5..b2045b17b6 100644
--- a/charts/kyverno/templates/admission-controller/rolebinding.yaml
+++ b/charts/kyverno/templates/admission-controller/rolebinding.yaml
@@ -4,14 +4,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ template "kyverno.admission-controller.roleName" . }}
 namespace: {{ template "kyverno.namespace" . }}
- {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }}
- {{- if not .Values.global.templating.enabled }}
- finalizers:
- - kyverno.io/webhooks
- - kyverno.io/exceptionwebhooks
- - kyverno.io/globalcontextwebhooks
- {{- end }}
- {{- end }}
 labels:
 {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
 roleRef:
diff --git a/charts/kyverno/templates/admission-controller/serviceaccount.yaml b/charts/kyverno/templates/admission-controller/serviceaccount.yaml
index 8b0e40a91f..29b70ff1a6 100644
--- a/charts/kyverno/templates/admission-controller/serviceaccount.yaml
+++ b/charts/kyverno/templates/admission-controller/serviceaccount.yaml
@@ -4,14 +4,6 @@ kind: ServiceAccount metadata: name: {{ template "kyverno.admission-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - finalizers: - - kyverno.io/webhooks - - kyverno.io/exceptionwebhooks - - kyverno.io/globalcontextwebhooks - {{- end }} - {{- end }} labels: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} {{- with .Values.admissionController.rbac.serviceAccount.annotations }} diff --git a/charts/kyverno/templates/background-controller/_helpers.tpl b/charts/kyverno/templates/background-controller/_helpers.tpl index 10aac22b48..99b4590c0e 100644 --- a/charts/kyverno/templates/background-controller/_helpers.tpl +++ b/charts/kyverno/templates/background-controller/_helpers.tpl @@ -6,6 +6,7 @@ {{- define "kyverno.background-controller.labels" -}} {{- template "kyverno.labels.merge" (list + (include "kyverno.labels.name" (include "kyverno.background-controller.name" .)) (include "kyverno.labels.common" .) (include "kyverno.background-controller.matchLabels" .) ) -}} diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml index a1af030b41..d4d557d332 100644 --- a/charts/kyverno/templates/background-controller/deployment.yaml +++ b/charts/kyverno/templates/background-controller/deployment.yaml @@ -8,6 +8,9 @@ metadata: namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.labels }} + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} {{- with .Values.backgroundController.annotations }} annotations: {{- tpl (toYaml .) $ | nindent 4 }} 
@@ -53,7 +56,7 @@ spec: topologySpreadConstraints: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.backgroundController.priorityClassName }} + {{- with .Values.backgroundController.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} {{- with .Values.backgroundController.hostNetwork }} @@ -118,6 +121,11 @@ spec: {{- if not .Values.backgroundController.metering.disabled }} - --otelConfig={{ .Values.backgroundController.metering.config }} - --metricsPort={{ .Values.backgroundController.metering.port }} + {{- if .Values.backgroundController.metering.secure }} + - --metricsCASecretName={{ template "kyverno.background-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-ca + - --metricsTLSSecretName={{ template "kyverno.background-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-pair + - --metricsKeyAlgorithm={{ .Values.backgroundController.metering.tlsKeyAlgorithm | default "RSA" }} + {{- end }} {{- with .Values.backgroundController.metering.collector }} - --otelCollector={{ . }} {{- end }} @@ -138,6 +146,7 @@ spec: "logging" "omitEvents" "policyExceptions" + "controllerRuntimeMetrics" ) | nindent 12 }} {{- range $key, $value := .Values.backgroundController.extraArgs }} {{- if $value }} @@ -192,6 +201,9 @@ spec: mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true {{- end }} + {{- with .Values.backgroundController.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} volumes: - name: apicall-token projected: @@ -201,7 +213,7 @@ spec: path: token expirationSeconds: {{ .Values.apiCallToken.expirationSeconds | default 3600 }} {{- with .Values.apiCallToken.audience }} - audience: {{ . | quote }} + audience: {{ . }} {{- end }} {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} - name: ca-certificates 
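Review bot: Dropping `| quote` on `audience:` hands a user-supplied string to the YAML parser unprotected, so an audience such as `on`, `42`, or one containing `: ` or ` #` is retyped or breaks the rendered manifest; the previous `audience: {{ . | quote }}` was the safer form. The same unquoted `audience: {{ . }}` is introduced for the new projectedServiceAccountToken blocks in the background-, cleanup- and reports-controller deployments, the hooks and the test pods (L64, L67, L71, L74, L75, L77, L79), and `apiCallToken.audience` loses its quote the same way at L67 and L77. I would restore the quote on all of them unless there is a reason the value must not be quoted.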
@@ -222,8 +234,11 @@ spec: defaultMode: 0444 sources: - serviceAccountToken: - expirationSeconds: 3607 + expirationSeconds: {{ .Values.backgroundController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | default 3600 }} path: token + {{- with .Values.backgroundController.rbac.serviceAccount.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} - configMap: name: kube-root-ca.crt items: @@ -236,5 +251,8 @@ spec: apiVersion: v1 fieldPath: metadata.namespace {{- end }} + {{- with .Values.backgroundController.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/background-controller/role.yaml b/charts/kyverno/templates/background-controller/role.yaml index c18d1186df..5cbe34f249 100644 --- a/charts/kyverno/templates/background-controller/role.yaml +++ b/charts/kyverno/templates/background-controller/role.yaml @@ -36,6 +36,24 @@ rules: - update resourceNames: - kyverno-background-controller +{{- if .Values.backgroundController.metering.secure }} + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - apiGroups: + - '' + resources: + - secrets + verbs: + - delete + - update + resourceNames: + - {{ template "kyverno.background-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-ca + - {{ template "kyverno.background-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-pair +{{- end }} - apiGroups: - '' resources: diff --git a/charts/kyverno/templates/cleanup-controller/_helpers.tpl b/charts/kyverno/templates/cleanup-controller/_helpers.tpl index 1804291d39..984f056b1e 100644 --- a/charts/kyverno/templates/cleanup-controller/_helpers.tpl +++ b/charts/kyverno/templates/cleanup-controller/_helpers.tpl 
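Review bot: Replacing the hard-coded `3607` with `| default 3600` changes more than the default: as far as I recall, 3607 is the value the ServiceAccount admission plugin puts on auto-mounted tokens, and kube-apiserver treats a bound-token request with exactly that value as eligible for the extended (one-year, warn-after one hour) expiry, whereas 3600 yields a genuinely one-hour token that the kubelet refreshes at about 80% of its TTL. That is a tighter token lifetime, which is welcome, but it is a behaviour change for every pod that previously received the extended token, and the same substitution appears at L67, L71, L74, L75 and L77. The values.yaml comment for `expirationSeconds` should say that the default now means a real one-hour token and that the API server rejects values below 600 seconds, since the template passes the value through unvalidated.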
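Review bot: The `create` rule on `secrets` added under `metering.secure` cannot be narrowed by `resourceNames` (Kubernetes ignores names on create), so enabling secure metering lets the background controller create any Secret in its namespace, while only delete/update are bound to the two metering secret names. That is an inherent RBAC limitation rather than a bug, but it deserves a comment next to the rule, e.g. `# create cannot be scoped by resourceNames; delete/update below are limited to the metering TLS secrets`, and the same applies to the reports-controller role at L78. The `{{- if` / `{{- end }}` lines here also sit at column 0 while the rule entries are indented, unlike the indented conditionals in the deployment templates; it renders fine but reads inconsistently.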
@@ -6,6 +6,7 @@ {{- define "kyverno.cleanup-controller.labels" -}} {{- template "kyverno.labels.merge" (list + (include "kyverno.labels.name" (include "kyverno.cleanup-controller.name" .)) (include "kyverno.labels.common" .) (include "kyverno.cleanup-controller.matchLabels" .) ) -}} diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index 5f9cf3d65f..0b1abddd81 100644 --- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -17,13 +17,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ template "kyverno.cleanup-controller.roleName" . }}:core - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - finalizers: - - kyverno.io/policywebhooks - - kyverno.io/ttlwebhooks - {{- end }} - {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} rules: @@ -130,31 +123,6 @@ rules: - subjectaccessreviews verbs: - create - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - - clusterrolebindings - resourceNames: - - {{ template "kyverno.cleanup-controller.roleName" . }} - - {{ template "kyverno.cleanup-controller.roleName" . }}:core - - {{ template "kyverno.cleanup-controller.roleName" . }}:temporary - verbs: - - get - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - - clusterrolebindings - verbs: - - create - - list - {{- end }} - {{- end }} {{- with .Values.cleanupController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 
diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml index 34b3d19048..4482c8df13 100644 --- a/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml @@ -6,15 +6,11 @@ kind: Deployment metadata: name: {{ template "kyverno.cleanup-controller.name" . }} namespace: {{ template "kyverno.namespace" . }} - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - finalizers: - - kyverno.io/policywebhooks - - kyverno.io/ttlwebhooks - {{- end }} - {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} + {{- with .Values.cleanupController.labels }} + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} {{- with .Values.cleanupController.annotations }} annotations: {{- tpl (toYaml .) $ | nindent 4 }} @@ -60,7 +56,7 @@ spec: topologySpreadConstraints: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.cleanupController.priorityClassName }} + {{- with .Values.cleanupController.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} {{- with .Values.cleanupController.hostNetwork }} @@ -119,9 +115,6 @@ spec: - --servicePort={{ .Values.cleanupController.service.port }} - --resyncPeriod={{ .Values.cleanupController.resyncPeriod | default .Values.global.resyncPeriod }} - --cleanupServerPort={{ .Values.cleanupController.server.port }} - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - - --autoDeleteWebhooks - {{- end }} {{- if .Values.cleanupController.tracing.enabled }} - --enableTracing - --tracingAddress={{ .Values.cleanupController.tracing.address }} 
@@ -134,6 +127,11 @@ spec: {{- if not .Values.cleanupController.metering.disabled }} - --otelConfig={{ .Values.cleanupController.metering.config }} - --metricsPort={{ .Values.cleanupController.metering.port }} + {{- if .Values.cleanupController.metering.secure }} + - --metricsCASecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-ca + - --metricsTLSSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-pair + - --metricsKeyAlgorithm={{ .Values.cleanupController.metering.tlsKeyAlgorithm | default "RSA" }} + {{- end }} {{- with .Values.cleanupController.metering.collector }} - --otelCollector={{ . }} {{- end }} @@ -211,6 +209,9 @@ spec: mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true {{- end }} + {{- with .Values.cleanupController.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} volumes: - name: apicall-token projected: @@ -220,7 +221,7 @@ spec: path: token expirationSeconds: {{ .Values.apiCallToken.expirationSeconds | default 3600 }} {{- with .Values.apiCallToken.audience }} - audience: {{ . | quote }} + audience: {{ . }} {{- end }} {{- if not $automountSAToken }} - name: serviceaccount-token @@ -228,8 +229,11 @@ spec: defaultMode: 0444 sources: - serviceAccountToken: - expirationSeconds: 3607 + expirationSeconds: {{ .Values.cleanupController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | default 3600 }} path: token + {{- with .Values.cleanupController.rbac.serviceAccount.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} - configMap: name: kube-root-ca.crt items: @@ -241,6 +245,9 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - {{- end }} + {{- end }} + {{- with .Values.cleanupController.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end -}} {{- end -}} 
diff --git a/charts/kyverno/templates/cleanup-controller/role.yaml b/charts/kyverno/templates/cleanup-controller/role.yaml index 3e05dd9114..d7ce2c3e78 100644 --- a/charts/kyverno/templates/cleanup-controller/role.yaml +++ b/charts/kyverno/templates/cleanup-controller/role.yaml @@ -4,13 +4,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ template "kyverno.cleanup-controller.roleName" . }} - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - finalizers: - - kyverno.io/policywebhooks - - kyverno.io/ttlwebhooks - {{- end }} - {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} namespace: {{ template "kyverno.namespace" . }} @@ -34,22 +27,8 @@ rules: resourceNames: - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - - apiGroups: - - '' - resources: - - serviceaccounts - verbs: - - delete - - get - - list - - update - - watch - resourceNames: - - {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - {{- end }} - {{- end }} + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-ca + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-pair - apiGroups: - '' resources: 
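Review bot: The two `.metering.kyverno-tls-ca` / `.metering.kyverno-tls-pair` names are added to this rule unconditionally, whereas the equivalent grants in the background-controller role (L64) and reports-controller role (L78) are wrapped in `{{- if .Values.<controller>.metering.secure }}`. For least privilege and consistency, wrap the two new lines in `{{- if .Values.cleanupController.metering.secure }}` … `{{- end }}` so the cleanup controller is not granted rights over secrets it only manages when secure metering is on. The deployment hunk at L67 already gates the matching `--metricsCASecretName` / `--metricsTLSSecretName` flags on that value.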
@@ -78,29 +57,6 @@ rules: - update resourceNames: - kyverno-cleanup-controller - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - resourceNames: - - {{ template "kyverno.cleanup-controller.roleName" . }} - - {{ template "kyverno.cleanup-controller.roleName" . }}:temporary - verbs: - - get - - patch - - update - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - {{- end }} - {{- end }} - apiGroups: - discovery.k8s.io resources: @@ -115,11 +71,5 @@ rules: - get - list - watch - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - - patch - - update - {{- end }} - {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/rolebinding.yaml b/charts/kyverno/templates/cleanup-controller/rolebinding.yaml index 8b28726c5b..2096f16238 100644 --- a/charts/kyverno/templates/cleanup-controller/rolebinding.yaml +++ b/charts/kyverno/templates/cleanup-controller/rolebinding.yaml @@ -4,13 +4,6 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "kyverno.cleanup-controller.roleName" . }} - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - finalizers: - - kyverno.io/policywebhooks - - kyverno.io/ttlwebhooks - {{- end }} - {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} namespace: {{ template "kyverno.namespace" . }} diff --git a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml index 30ed483213..090d64782c 100644 --- a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml +++ b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml 
@@ -5,13 +5,6 @@ kind: ServiceAccount metadata: name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} - {{- if .Values.webhooksCleanup.autoDeleteWebhooks.enabled }} - {{- if not .Values.global.templating.enabled }} - finalizers: - - kyverno.io/policywebhooks - - kyverno.io/ttlwebhooks - {{- end }} - {{- end }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} {{- with .Values.cleanupController.rbac.serviceAccount.annotations }} diff --git a/charts/kyverno/templates/config/_helpers.tpl b/charts/kyverno/templates/config/_helpers.tpl index 68dd8019e9..a3f8772d9c 100644 --- a/charts/kyverno/templates/config/_helpers.tpl +++ b/charts/kyverno/templates/config/_helpers.tpl @@ -57,7 +57,7 @@ {{- define "kyverno.config.webhooks" -}} {{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} {{- $webhooks := .Values.config.webhooks -}} -{{- if $webhooks | typeIs "slice" -}} +{{- if $webhooks | kindIs "slice" -}} {{- $newWebhooks := dict -}} {{- range $index, $webhook := $webhooks -}} {{- if $webhook.namespaceSelector -}} diff --git a/charts/kyverno/templates/config/configmap.yaml b/charts/kyverno/templates/config/configmap.yaml index cd23b4d25d..74f5728d20 100644 --- a/charts/kyverno/templates/config/configmap.yaml +++ b/charts/kyverno/templates/config/configmap.yaml @@ -19,6 +19,9 @@ data: defaultRegistry: {{ . | quote }} {{- end }} generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }} + {{- with .Values.config.successEventActions }} + successEventActions: {{ . | quote }} + {{- end }} {{- with .Values.config.excludeGroups }} excludeGroups: {{ join "," . | quote }} {{- end -}} diff --git a/charts/kyverno/templates/hooks/_helpers.tpl b/charts/kyverno/templates/hooks/_helpers.tpl index edc290b663..5808e2d9e2 100644 --- a/charts/kyverno/templates/hooks/_helpers.tpl 
+++ b/charts/kyverno/templates/hooks/_helpers.tpl @@ -1,7 +1,12 @@ {{/* vim: set filetype=mustache: */}} +{{- define "kyverno.hooks.name" -}} +{{ template "kyverno.name" . }}-hooks +{{- end -}} + {{- define "kyverno.hooks.labels" -}} {{- template "kyverno.labels.merge" (list + (include "kyverno.labels.name" (include "kyverno.hooks.name" .)) (include "kyverno.labels.common" .) (include "kyverno.hooks.matchLabels" .) ) -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml index 9ae1968cc7..8c0a3b4a02 100644 --- a/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml +++ b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml @@ -107,7 +107,7 @@ spec: {{- end }} restartPolicy: Never containers: - - name: kubectl + - name: kyverno-cli image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }} imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }} args: @@ -164,8 +164,11 @@ spec: defaultMode: 0444 sources: - serviceAccountToken: - expirationSeconds: 3607 + expirationSeconds: {{ .Values.crds.migration.serviceAccount.projectedServiceAccountToken.expirationSeconds | default 3600 }} path: token + {{- with .Values.crds.migration.serviceAccount.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} - configMap: name: kube-root-ca.crt items: diff --git a/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml b/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml deleted file mode 100644 index 62e03e5ab9..0000000000 --- a/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -{{- if .Values.webhooksCleanup.enabled -}} -{{- if not .Values.global.templating.enabled -}} -{{- $automountSAToken := .Values.admissionController.rbac.serviceAccount.automountServiceAccountToken }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-rm-validatingwhconfig - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: pre-delete - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed - helm.sh/hook-weight: "100" -spec: - backoffLimit: 2 - template: - {{- if or .Values.webhooksCleanup.podAnnotations .Values.webhooksCleanup.podLabels }} - metadata: - {{- with .Values.webhooksCleanup.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.webhooksCleanup.podLabels }} - labels: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} - automountServiceAccountToken: {{ $automountSAToken }} - {{- with .Values.webhooksCleanup.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - restartPolicy: Never - {{- with .Values.webhooksCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- tpl (include "kyverno.sortedImagePullSecrets" .) $ | nindent 8 }} - {{- end }} - containers: - - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} - imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} - command: - - kubectl - - delete - - validatingwebhookconfiguration - - -l - - webhook.kyverno.io/managed-by=kyverno - {{- with .Values.webhooksCleanup.resources }} - resources: - {{- tpl (toYaml .) 
$ | nindent 12 }} - {{- end }} - {{- with .Values.webhooksCleanup.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if not $automountSAToken }} - volumeMounts: - - name: serviceaccount-token - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - readOnly: true - {{- end }} - {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if or .Values.webhooksCleanup.podAntiAffinity .Values.webhooksCleanup.podAffinity .Values.webhooksCleanup.nodeAffinity }} - affinity: - {{- with .Values.webhooksCleanup.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.webhooksCleanup.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.webhooksCleanup.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} - {{- if not $automountSAToken }} - volumes: - - name: serviceaccount-token - projected: - defaultMode: 0444 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - name: kube-root-ca.crt - items: - - key: ca.crt - path: ca.crt - - downwardAPI: - items: - - path: namespace - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml b/charts/kyverno/templates/hooks/pre-delete-remove-webhooks.yaml similarity index 88% rename from charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml rename to charts/kyverno/templates/hooks/pre-delete-remove-webhooks.yaml index d5341bcb2c..a310a6b73e 100644 
--- a/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml +++ b/charts/kyverno/templates/hooks/pre-delete-remove-webhooks.yaml @@ -1,10 +1,10 @@ {{- if .Values.webhooksCleanup.enabled -}} {{- if not .Values.global.templating.enabled -}} -{{- $automountSAToken := .Values.admissionController.rbac.serviceAccount.automountServiceAccountToken }} +{{- $automountSAToken := .Values.webhooksCleanup.serviceAccount.automountServiceAccountToken }} apiVersion: batch/v1 kind: Job metadata: - name: {{ template "kyverno.fullname" . }}-rm-mutatingwhconfig + name: {{ template "kyverno.fullname" . }}-rm-webhooks namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.hooks.labels" . | nindent 4 }} @@ -42,12 +42,8 @@ spec: - name: kubectl image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} - command: - - kubectl - - delete - - mutatingwebhookconfiguration - - -l - - webhook.kyverno.io/managed-by=kyverno + args: + - delete-webhooks {{- with .Values.webhooksCleanup.resources }} resources: {{- tpl (toYaml .) $ | nindent 12 }} @@ -92,8 +88,11 @@ spec: defaultMode: 0444 sources: - serviceAccountToken: - expirationSeconds: 3607 + expirationSeconds: {{ .Values.webhooksCleanup.serviceAccount.projectedServiceAccountToken.expirationSeconds | default 3600 }} path: token + {{- with .Values.webhooksCleanup.serviceAccount.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} - configMap: name: kube-root-ca.crt items: diff --git a/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml index c2ca7ba5d2..c988934da5 100644 --- a/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 
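Review bot: The container keeps `- name: kubectl` although it now runs `args: [delete-webhooks]`, which only works if `.Values.webhooksCleanup.image` is the Kyverno CLI image rather than a kubectl image; the post-upgrade hook at L71 renamed its container to `kyverno-cli` for the same switch, so `- name: kyverno-cli` here and in the scale-to-zero hook (L75) would keep them consistent. Please confirm the default `webhooksCleanup.image.repository` was changed to the CLI image in this commit, as the values.yaml hunks in view do not show it. `$automountSAToken` is now read from `webhooksCleanup.serviceAccount`, but the Job's `serviceAccountName:` line lies outside the hunk; if it still points at the admission-controller service account, the toggle and the identity being mounted come from different value trees, which is worth a comment at the top of the template.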
+++ b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml @@ -1,6 +1,6 @@ {{- if .Values.webhooksCleanup.enabled -}} {{- if not .Values.global.templating.enabled -}} -{{- $automountSAToken := .Values.admissionController.rbac.serviceAccount.automountServiceAccountToken }} +{{- $automountSAToken := .Values.webhooksCleanup.serviceAccount.automountServiceAccountToken }} apiVersion: batch/v1 kind: Job metadata: @@ -43,15 +43,8 @@ spec: - name: kubectl image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} - command: - - kubectl - - scale - - -n - - {{ template "kyverno.namespace" . }} - - deployment - - -l - - app.kubernetes.io/part-of={{ template "kyverno.fullname" . }} - - --replicas=0 + args: + - scale-deploy {{- with .Values.webhooksCleanup.resources }} resources: {{- tpl (toYaml .) $ | nindent 12 }} @@ -96,8 +89,11 @@ spec: defaultMode: 0444 sources: - serviceAccountToken: - expirationSeconds: 3607 + expirationSeconds: {{ .Values.webhooksCleanup.serviceAccount.projectedServiceAccountToken.expirationSeconds | default 3600 }} path: token + {{- with .Values.webhooksCleanup.serviceAccount.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} - configMap: name: kube-root-ca.crt items: diff --git a/charts/kyverno/templates/reports-controller/_helpers.tpl b/charts/kyverno/templates/reports-controller/_helpers.tpl index fe8e41e8ad..663c05df35 100644 --- a/charts/kyverno/templates/reports-controller/_helpers.tpl +++ b/charts/kyverno/templates/reports-controller/_helpers.tpl 
@@ -6,6 +6,7 @@ {{- define "kyverno.reports-controller.labels" -}} {{- template "kyverno.labels.merge" (list + (include "kyverno.labels.name" (include "kyverno.reports-controller.name" .)) (include "kyverno.labels.common" .) (include "kyverno.reports-controller.matchLabels" .) ) -}} diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml index 18c85ea5ad..6f82e80ed0 100644 --- a/charts/kyverno/templates/reports-controller/deployment.yaml +++ b/charts/kyverno/templates/reports-controller/deployment.yaml @@ -9,6 +9,9 @@ metadata: namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} + {{- with .Values.reportsController.labels }} + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} {{- with .Values.reportsController.annotations }} annotations: {{- tpl (toYaml .) $ | nindent 4 }} @@ -54,7 +57,7 @@ spec: topologySpreadConstraints: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.reportsController.priorityClassName }} + {{- with .Values.reportsController.priorityClassName | default .Values.global.priorityClassName }} priorityClassName: {{ . | quote }} {{- end }} {{- with .Values.reportsController.hostNetwork }} 
@@ -120,6 +123,11 @@ spec: {{- if not .Values.reportsController.metering.disabled }} - --otelConfig={{ .Values.reportsController.metering.config }} - --metricsPort={{ .Values.reportsController.metering.port }} + {{- if .Values.reportsController.metering.secure }} + - --metricsCASecretName={{ template "kyverno.reports-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-ca + - --metricsTLSSecretName={{ template "kyverno.reports-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-pair + - --metricsKeyAlgorithm={{ .Values.reportsController.metering.tlsKeyAlgorithm | default "RSA" }} + {{- end }} {{- with .Values.reportsController.metering.collector }} - --otelCollector={{ . }} {{- end }} @@ -209,6 +217,9 @@ spec: mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true {{- end }} + {{- with .Values.reportsController.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} volumes: - name: sigstore {{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }} @@ -233,7 +244,7 @@ spec: path: token expirationSeconds: {{ .Values.apiCallToken.expirationSeconds | default 3600 }} {{- with .Values.apiCallToken.audience }} - audience: {{ . | quote }} + audience: {{ . }} {{- end }} {{- if not $automountSAToken }} - name: serviceaccount-token @@ -241,8 +252,11 @@ spec: defaultMode: 0444 sources: - serviceAccountToken: - expirationSeconds: 3607 + expirationSeconds: {{ .Values.reportsController.rbac.serviceAccount.projectedServiceAccountToken.expirationSeconds | default 3600 }} path: token + {{- with .Values.reportsController.rbac.serviceAccount.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} - configMap: name: kube-root-ca.crt items: 
@@ -255,5 +269,8 @@ spec: apiVersion: v1 fieldPath: metadata.namespace {{- end }} + {{- with .Values.reportsController.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/reports-controller/role.yaml b/charts/kyverno/templates/reports-controller/role.yaml index 6b163b7561..b488d033a6 100644 --- a/charts/kyverno/templates/reports-controller/role.yaml +++ b/charts/kyverno/templates/reports-controller/role.yaml @@ -19,6 +19,24 @@ rules: resourceNames: - {{ include "kyverno.config.configMapName" . }} - {{ include "kyverno.config.metricsConfigMapName" . }} +{{- if .Values.reportsController.metering.secure }} + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - apiGroups: + - '' + resources: + - secrets + verbs: + - delete + - update + resourceNames: + - {{ template "kyverno.reports-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-ca + - {{ template "kyverno.reports-controller.name" . }}.{{ template "kyverno.namespace" . }}.metering.kyverno-tls-pair +{{- end }} - apiGroups: - '' resources: diff --git a/charts/kyverno/templates/tests/admission-controller-liveness.yaml b/charts/kyverno/templates/tests/admission-controller-liveness.yaml index beb38bf9c2..2d8b6bf30b 100644 --- a/charts/kyverno/templates/tests/admission-controller-liveness.yaml +++ b/charts/kyverno/templates/tests/admission-controller-liveness.yaml 
@@ -42,4 +42,28 @@ spec: tolerations: {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} + {{- if not .Values.test.automountServiceAccountToken }} + volumes: + - name: serviceaccount-token + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + expirationSeconds: {{ .Values.test.projectedServiceAccountToken.expirationSeconds | default 3600 }} + path: token + {{- with .Values.test.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- end }} {{- end -}} diff --git a/charts/kyverno/templates/tests/admission-controller-readiness.yaml b/charts/kyverno/templates/tests/admission-controller-readiness.yaml index b860ed89c7..3d81384a1f 100644 --- a/charts/kyverno/templates/tests/admission-controller-readiness.yaml +++ b/charts/kyverno/templates/tests/admission-controller-readiness.yaml @@ -42,4 +42,28 @@ spec: tolerations: {{- tpl (toYaml .) $ | nindent 4 }} {{- end }} + {{- if not .Values.test.automountServiceAccountToken }} + volumes: + - name: serviceaccount-token + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + expirationSeconds: {{ .Values.test.projectedServiceAccountToken.expirationSeconds | default 3600 }} + path: token + {{- with .Values.test.projectedServiceAccountToken.audience }} + audience: {{ . }} + {{- end }} + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- end }} {{- end -}} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 42a4b936f5..ed657c25a0 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
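Review bot: The projected `serviceaccount-token` volume is added when `test.automountServiceAccountToken` is false, but no matching `volumeMounts` entry for the test container appears in this hunk or in the readiness-test hunk that follows, so unless one exists outside the hunks the token is never mounted and the checker runs without credentials. The controller deployments pair this volume with `- name: serviceaccount-token` / `mountPath: /var/run/secrets/kubernetes.io/serviceaccount` / `readOnly: true` under `volumeMounts`; the same is needed here. It is also worth confirming that the test pod spec sets `automountServiceAccountToken: {{ .Values.test.automountServiceAccountToken }}`, otherwise the kubelet still auto-mounts the default token alongside this one.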
@@ -36,6 +36,9 @@ global: # path: /etc/pki/tls/ca-certificates.crt # type: File + # -- Global priority class name for pod priority. Non-global values will override the global value. + priorityClassName: '' + # -- Additional container environment variables to apply to all containers and init containers extraEnvVars: [] # Example setting proxy @@ -238,10 +241,21 @@ crds: memory: 64Mi serviceAccount: - # -- Toggle automounting of the ServiceAccount + # -- Toggle automounting of the ServiceAccount. + # When set to false, a projected service account token is used instead + # which provides time-limited and audience-bound tokens for improved security. automountServiceAccountToken: true -# -- Scoped token injected into outbound APICall and CEL HTTP requests. + # -- Projected service account token configuration (only used when automountServiceAccountToken is false) + projectedServiceAccountToken: + # -- Token expiration time in seconds. + # The kubelet will request a new token before the token expires. + expirationSeconds: 3600 + # -- Audience for the projected service account token. + # If not set, the token will have no audience restriction. + audience: "" + +# -- Scoped token injected into outbound APICall and CEL http requests. # This token carries a custom audience so that if leaked to an external service # it cannot be replayed against the Kubernetes API server. apiCallToken: 
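Review bot: The new `audience` comment in the `crds.serviceAccount.projectedServiceAccountToken` block is inaccurate: when `audience` is omitted from a `serviceAccountToken` projection the kubelet requests a token for the API server's default audience, so the token is still audience-bound, just to the API server rather than to a custom audience. Suggest `# If not set, the token is bound to the API server's default audience.` so operators do not read "no audience restriction" as "usable anywhere". The same comment is repeated in the projectedServiceAccountToken blocks for `test`, `webhooksCleanup`, `admissionController`, `backgroundController`, `cleanupController` and `reportsController` later in this file, and should be changed in all of them.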
@@ -294,6 +308,14 @@ config: # -- Generate success events. generateSuccessEvents: false + # -- Comma-separated list of event actions for which success events should be generated. + # When set, only success events matching the specified actions are emitted. + # Requires `generateSuccessEvents` to be `true`. + # Valid values: "Resource Mutated", "Resource Passed", "Resource Generated", "Resource Cleaned Up". + # Example: "Resource Mutated" or "Resource Mutated,Resource Generated". + # @default -- "" (empty, all success events are emitted when generateSuccessEvents is true) + successEventActions: "" + # -- Maximum cumulative size of context data during policy evaluation. # Supports Kubernetes quantity format (e.g., 100Mi, 2Gi) or plain bytes (e.g., 2097152). # Limits memory used by context variables to prevent unbounded growth. @@ -548,7 +570,7 @@ test: repository: kyverno/readiness-checker # -- Image tag # Defaults to `latest` if omitted - tag: 'v0.1.0' + tag: ~ # -- (string) Image pull policy # Defaults to image.pullPolicy if omitted pullPolicy: ~ @@ -581,9 +603,20 @@ test: seccompProfile: type: RuntimeDefault - # -- Toggle automounting of the ServiceAccount + # -- Toggle automounting of the ServiceAccount. + # When set to false, a projected service account token is used instead + # which provides time-limited and audience-bound tokens for improved security. automountServiceAccountToken: true + # -- Projected service account token configuration (only used when automountServiceAccountToken is false) + projectedServiceAccountToken: + # -- Token expiration time in seconds. + # The kubelet will request a new token before the token expires. + expirationSeconds: 3600 + # -- Audience for the projected service account token. + # If not set, the token will have no audience restriction. + audience: "" + # -- Node labels for pod assignment nodeSelector: {} 
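Review bot: In the `test.image` hunk the pinned `tag: 'v0.1.0'` becomes `tag: ~` while the comment above it still says the tag "Defaults to `latest` if omitted", which would move the readiness-checker test image to a mutable floating tag and make test runs non-reproducible. If the template actually falls back to something pinned (for example the chart's appVersion), the comment is now stale and should say so; otherwise keep an explicit tag. The `webhooksCleanup.image` hunk on the next line makes the same change while also switching the image to `kyverno/readiness-checker`, so the same decision applies there.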
@@ -601,18 +634,14 @@ webhooksCleanup: # -- Create a helm pre-delete hook to cleanup webhooks. enabled: true - autoDeleteWebhooks: - # -- Allow webhooks controller to delete webhooks using finalizers - enabled: false - image: # -- (string) Image registry - registry: registry.k8s.io + registry: ghcr.io # -- Image repository - repository: kubectl + repository: kyverno/readiness-checker # -- Image tag # Defaults to `latest` if omitted - tag: 'v1.34.3' + tag: ~ # -- (string) Image pull policy # Defaults to image.pullPolicy if omitted pullPolicy: ~ @@ -669,9 +698,20 @@ webhooksCleanup: memory: 64Mi serviceAccount: - # -- Toggle automounting of the ServiceAccount + # -- Toggle automounting of the ServiceAccount. + # When set to false, a projected service account token is used instead + # which provides time-limited and audience-bound tokens for improved security. automountServiceAccountToken: true + # -- Projected service account token configuration (only used when automountServiceAccountToken is false) + projectedServiceAccountToken: + # -- Token expiration time in seconds. + # The kubelet will request a new token before the token expires. + expirationSeconds: 3600 + # -- Audience for the projected service account token. + # If not set, the token will have no audience restriction. + audience: "" + grafana: # -- Enable grafana dashboard creation. enabled: false @@ -766,6 +806,8 @@ features: globalContext: # -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) maxApiCallResponseLength: 2000000 + # -- Timeout for HTTP API calls made by policies. A value of 0s means no timeout. + apiCallTimeout: 30s logging: # -- Logging format format: text @@ -825,6 +867,9 @@ admissionController: # -- Target CPU utilization percentage targetCPUUtilizationPercentage: 80 + # -- (int) Target memory utilization percentage + targetMemoryUtilizationPercentage: ~ + # -- Configurable scaling behavior behavior: {} 
@@ -852,9 +897,20 @@ admissionController: annotations: {} # example.com/annotation: value - # -- Toggle automounting of the ServiceAccount + # -- Toggle automounting of the ServiceAccount. + # When set to false, a projected service account token is used instead + # which provides time-limited and audience-bound tokens for improved security. automountServiceAccountToken: true + # -- Projected service account token configuration (only used when automountServiceAccountToken is false) + projectedServiceAccountToken: + # -- Token expiration time in seconds. + # The kubelet will request a new token before the token expires. + expirationSeconds: 3600 + # -- Audience for the projected service account token. + # If not set, the token will have no audience restriction. + audience: "" + coreClusterRole: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. @@ -940,6 +996,9 @@ admissionController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment labels. + labels: {} + # -- Deployment annotations. annotations: {} @@ -1140,6 +1199,8 @@ admissionController: # -- Container security context securityContext: + runAsUser: 65534 + runAsGroup: 65534 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false @@ -1185,6 +1246,8 @@ admissionController: # -- Container security context securityContext: + runAsUser: 65534 + runAsGroup: 65534 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false @@ -1217,6 +1280,16 @@ admissionController: # image: busybox # command: ['sh', '-c', 'echo Hello && sleep 3600'] + # -- Additional volumes to be mounted in the pod + extraVolumes: [] + # - name: my-volume + # emptyDir: {} + + # -- Additional volumeMounts to be mounted to the main container + extraVolumeMounts: [] + # - name: my-volume + # mountPath: /path/to/mount + service: # -- Service port. port: 443 
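Review bot: The `runAsUser: 65534` / `runAsGroup: 65534` added to the container `securityContext` blocks hard-code a UID/GID that overrides the image's USER and any pod-level securityContext a user sets, and on platforms that assign UIDs per namespace (OpenShift's restricted SCC, for instance) a fixed runAsUser causes the pod to be rejected at admission. Since `runAsNonRoot: true` is already present and enforces the security property, consider documenting the new keys, e.g. `# -- Fixed non-root UID/GID; set to null on platforms that allocate UIDs per namespace`, or leaving them unset by default. The same two lines are added to the securityContext blocks for `backgroundController`, `cleanupController` and `reportsController` later in this diff.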
@@ -1294,6 +1367,11 @@ admissionController: config: prometheus # -- Prometheus endpoint port port: 8000 + # -- Is TLS required for endpoint + secure: false + # -- Key algorithm for self-signed TLS certificates. + # Supported values: RSA, ECDSA, Ed25519 + tlsKeyAlgorithm: RSA # -- Otel collector endpoint collector: '' # -- Otel collector credentials @@ -1337,9 +1415,20 @@ backgroundController: annotations: {} # example.com/annotation: value - # -- Toggle automounting of the ServiceAccount + # -- Toggle automounting of the ServiceAccount. + # When set to false, a projected service account token is used instead + # which provides time-limited and audience-bound tokens for improved security. automountServiceAccountToken: true + # -- Projected service account token configuration (only used when automountServiceAccountToken is false) + projectedServiceAccountToken: + # -- Token expiration time in seconds. + # The kubelet will request a new token before the token expires. + expirationSeconds: 3600 + # -- Audience for the projected service account token. + # If not set, the token will have no audience restriction. + audience: "" + coreClusterRole: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. @@ -1434,6 +1523,9 @@ backgroundController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment labels. + labels: {} + # -- Deployment annotations. annotations: {} @@ -1525,6 +1617,8 @@ backgroundController: # -- Security context for the containers securityContext: + runAsUser: 65534 + runAsGroup: 65534 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false 
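Review bot: `# -- Is TLS required for endpoint` on the new `metering.secure` key does not tell an operator what enabling it does: the metrics endpoint is served over TLS with a self-signed certificate generated using `tlsKeyAlgorithm`, so any Prometheus scrape configuration needs the matching scheme and CA settings, and for `reportsController` the role.yaml hunk earlier in this diff shows that the flag also grants the controller create/update/delete on Secrets. Suggest `# -- Serve the metrics endpoint over TLS using a self-signed certificate (see tlsKeyAlgorithm); scrapers must be configured for HTTPS and the controller is granted Secret RBAC to store the certificate`. The same block is added for `backgroundController`, `cleanupController` and `reportsController`; whether those controllers' roles receive equivalent Secret permissions is not visible in this chunk.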
@@ -1561,6 +1655,16 @@ backgroundController: # path: /etc/pki/tls/ca-certificates.crt # type: File + # -- Additional volumes to be mounted in the pod + extraVolumes: [] + # - name: my-volume + # emptyDir: {} + + # -- Additional volumeMounts to be mounted to the main container + extraVolumeMounts: [] + # - name: my-volume + # mountPath: /path/to/mount + metricsService: # -- Create service. create: true @@ -1626,6 +1730,11 @@ backgroundController: config: prometheus # -- Prometheus endpoint port port: 8000 + # -- Is TLS required for endpoint + secure: false + # -- Key algorithm for self-signed TLS certificates. + # Supported values: RSA, ECDSA, Ed25519 + tlsKeyAlgorithm: RSA # -- Otel collector endpoint collector: '' # -- Otel collector credentials @@ -1668,9 +1777,20 @@ cleanupController: annotations: {} # example.com/annotation: value - # -- Toggle automounting of the ServiceAccount + # -- Toggle automounting of the ServiceAccount. + # When set to false, a projected service account token is used instead + # which provides time-limited and audience-bound tokens for improved security. automountServiceAccountToken: true + # -- Projected service account token configuration (only used when automountServiceAccountToken is false) + projectedServiceAccountToken: + # -- Token expiration time in seconds. + # The kubelet will request a new token before the token expires. + expirationSeconds: 3600 + # -- Audience for the projected service account token. + # If not set, the token will have no audience restriction. + audience: "" + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -1763,6 +1883,9 @@ cleanupController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment labels. + labels: {} + # -- Deployment annotations. annotations: {} 
@@ -1902,6 +2025,8 @@ cleanupController: # -- Security context for the containers securityContext: + runAsUser: 65534 + runAsGroup: 65534 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false @@ -1926,6 +2051,16 @@ cleanupController: # Possible values are `IfHealthyBudget` or `AlwaysAllow`. unhealthyPodEvictionPolicy: + # -- Additional volumes to be mounted in the pod + extraVolumes: [] + # - name: my-volume + # emptyDir: {} + + # -- Additional volumeMounts to be mounted to the main container + extraVolumeMounts: [] + # - name: my-volume + # mountPath: /path/to/mount + service: # -- Service port. port: 443 @@ -2005,6 +2140,11 @@ cleanupController: config: prometheus # -- Prometheus endpoint port port: 8000 + # -- Is TLS required for endpoint + secure: false + # -- Key algorithm for self-signed TLS certificates. + # Supported values: RSA, ECDSA, Ed25519 + tlsKeyAlgorithm: RSA # -- Otel collector endpoint collector: '' # -- Otel collector credentials @@ -2048,9 +2188,20 @@ reportsController: annotations: {} # example.com/annotation: value - # -- Toggle automounting of the ServiceAccount + # -- Toggle automounting of the ServiceAccount. + # When set to false, a projected service account token is used instead + # which provides time-limited and audience-bound tokens for improved security. automountServiceAccountToken: true + # -- Projected service account token configuration (only used when automountServiceAccountToken is false) + projectedServiceAccountToken: + # -- Token expiration time in seconds. + # The kubelet will request a new token before the token expires. + expirationSeconds: 3600 + # -- Audience for the projected service account token. + # If not set, the token will have no audience restriction. + audience: "" + coreClusterRole: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. 
@@ -2098,6 +2249,9 @@ reportsController: podAnnotations: {} # example.com/annotation: foo + # -- Deployment labels. + labels: {} + # -- Deployment annotations. annotations: {} @@ -2207,6 +2361,8 @@ reportsController: # -- Security context for the containers securityContext: + runAsUser: 65534 + runAsGroup: 65534 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false @@ -2250,6 +2406,15 @@ reportsController: # path: /etc/pki/tls/ca-certificates.crt # type: File + # -- Additional volumes to be mounted in the pod + extraVolumes: [] + # - name: my-volume + # emptyDir: {} + + # -- Additional volumeMounts to be mounted to the main container + extraVolumeMounts: [] + # - name: my-volume + # mountPath: /path/to/mount metricsService: # -- Create service. @@ -2316,6 +2481,11 @@ reportsController: config: prometheus # -- Prometheus endpoint port port: 8000 + # -- Is TLS required for endpoint + secure: false + # -- Key algorithm for self-signed TLS certificates. + # Supported values: RSA, ECDSA, Ed25519 + tlsKeyAlgorithm: RSA # -- (string) Otel collector endpoint collector: ~ # -- (string) Otel collector credentials