From 7c78c1fc86a8ea699f6857b8e6dae48c04b6aee2 Mon Sep 17 00:00:00 2001 
From: svcAPLBot <174728082+svcAPLBot@users.noreply.github.com>
Date: Thu, 28 Aug 2025 15:40:52 +0000
Subject: [PATCH] chore(chart-deps): update kyverno to version 3.5.1
---
apps.yaml | 2 +-
chart/chart-index/Chart.yaml | 2 +-
charts/kyverno/Chart.lock | 8 +-
charts/kyverno/Chart.yaml | 8 +-
charts/kyverno/README.md | 27 +---
charts/kyverno/charts/crds/Chart.yaml | 2 +-
charts/kyverno/charts/crds/README.md | 2 +-
charts/kyverno/charts/grafana/Chart.yaml | 2 +-
charts/kyverno/charts/grafana/README.md | 2 +-
.../kyverno.io_cleanuppolicies.yaml | 4 +-
.../kyverno.io_clustercleanuppolicies.yaml | 4 +-
.../kyverno.io_clusterpolicies.yaml | 4 +-
.../kyverno.io_globalcontextentries.yaml | 4 +-
.../crds/kyverno.io/kyverno.io_policies.yaml | 4 +-
.../kyverno.io_policyexceptions.yaml | 4 +-
.../kyverno.io/kyverno.io_updaterequests.yaml | 4 +-
.../policies.kyverno.io_deletingpolicies.yaml | 4 +-
...olicies.kyverno.io_generatingpolicies.yaml | 4 +-
...es.kyverno.io_imagevalidatingpolicies.yaml | 4 +-
.../policies.kyverno.io_mutatingpolicies.yaml | 4 +-
.../policies.kyverno.io_policyexceptions.yaml | 4 +-
...olicies.kyverno.io_validatingpolicies.yaml | 4 +-
...ts.kyverno.io_clusterephemeralreports.yaml | 4 +-
.../reports.kyverno.io_ephemeralreports.yaml | 4 +-
.../wgpolicyk8s.io_clusterpolicyreports.yaml | 4 +-
.../wgpolicyk8s.io_policyreports.yaml | 4 +-
charts/kyverno/templates/_helpers.tpl | 2 +-
.../hooks/post-upgrade-clean-reports.yaml | 130 ------------------
...-remove-mutatingwebhookconfiguration.yaml} | 86 +++---------
...remove-validatingwebhookconfiguration.yaml | 110 +++++++++++++++
.../hooks/pre-delete-scale-to-zero.yaml | 19 +--
charts/kyverno/templates/validate.yaml | 7 -
charts/kyverno/values.yaml | 73 +---------
33 files changed, 193 insertions(+), 357 deletions(-)
delete mode 100644 charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml
rename charts/kyverno/templates/hooks/{post-delete-configmap.yaml => 
pre-delete-remove-mutatingwebhookconfiguration.yaml} (62%) create mode 100644 charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml diff --git a/apps.yaml b/apps.yaml index f67e77a4e5..9a18b6b55f 100644 --- a/apps.yaml +++ b/apps.yaml @@ -202,7 +202,7 @@ appsInfo: chartName: knative-operator kyverno: title: Kyverno - appVersion: 1.15.0 + appVersion: 1.15.1 repo: https://github.com/kyverno/kyverno maintainers: Nirmata relatedLinks: diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 54b073efb4..f527748902 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -62,7 +62,7 @@ dependencies: version: 4.6.0 repository: https://kubereboot.github.io/charts - name: kyverno - version: 3.5.0 + version: 3.5.1 repository: https://kyverno.github.io/kyverno/ - name: loki-distributed alias: loki diff --git a/charts/kyverno/Chart.lock b/charts/kyverno/Chart.lock index 3d97cbb923..dbf4911718 100644 --- a/charts/kyverno/Chart.lock +++ b/charts/kyverno/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: grafana repository: "" - version: 3.5.0 + version: 3.5.1 - name: crds repository: "" - version: 3.5.0 + version: 3.5.1 - name: openreports repository: https://openreports.github.io/reports-api version: 0.1.0 -digest: sha256:317697b47d102f04b8f2832d93dba4a1bcb69d79990f3b225814e965f2822035 -generated: "2025-07-31T12:16:34.859164+08:00" +digest: sha256:eecf40518d51d61fed07b15ac41048751d4901be67eec05b1f25849c1b956c39 +generated: "2025-08-15T11:08:07.060929+08:00" diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 0fe8cae071..7932b9b68f 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml 
@@ -14,16 +14,16 @@ annotations: artifacthub.io/operator: "false" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: v1.15.0 +appVersion: v1.15.1 dependencies: - condition: grafana.enabled name: grafana repository: "" - version: 3.5.0 + version: 3.5.1 - condition: crds.install name: crds repository: "" - version: 3.5.0 + version: 3.5.1 - condition: openreports.enabled name: openreports repository: https://openreports.github.io/reports-api @@ -52,4 +52,4 @@ name: kyverno sources: - https://github.com/kyverno/kyverno type: application -version: 3.5.0 +version: 3.5.1 diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 7afa9768d4..3d4cebf8ec 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -![Version: 3.5.0](https://img.shields.io/badge/Version-3.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.15.0](https://img.shields.io/badge/AppVersion-v1.15.0-informational?style=flat-square) +![Version: 3.5.1](https://img.shields.io/badge/Version-3.5.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.15.1](https://img.shields.io/badge/AppVersion-v1.15.1-informational?style=flat-square) ## About 
@@ -759,8 +759,8 @@ The chart values are organised per component. | webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. | | webhooksCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | | webhooksCleanup.image.registry | string | `nil` | Image registry | -| webhooksCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | -| webhooksCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | +| webhooksCleanup.image.repository | string | `"registry.k8s.io/kubectl"` | Image repository | +| webhooksCleanup.image.tag | string | `"v1.32.7"` | Image tag Defaults to `latest` if omitted | | webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets | | webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | | webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment | 
@@ -818,23 +818,6 @@ The chart values are organised per component. | nameOverride | string | `nil` | Override the name of the chart | | namespaceOverride | string | `nil` | Override the namespace the chart deploys to | | openreports.enabled | bool | `false` | | -| policyReportsCleanup.enabled | bool | `true` | Create a helm post-upgrade hook to cleanup the old policy reports. | -| policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| policyReportsCleanup.image.registry | string | `nil` | Image registry | -| policyReportsCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository | -| policyReportsCleanup.image.tag | string | `"1.32.3"` | Image tag Defaults to `latest` if omitted | -| policyReportsCleanup.imagePullSecrets | list | `[]` | Image pull secrets | -| policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. | -| policyReportsCleanup.nodeSelector | object | `{}` | Node labels for pod assignment | -| policyReportsCleanup.podAffinity | object | `{}` | Pod affinity constraints. | -| policyReportsCleanup.podAnnotations | object | `{}` | Pod annotations. | -| policyReportsCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| policyReportsCleanup.podLabels | object | `{}` | Pod labels. 
| -| policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod | -| policyReportsCleanup.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | -| policyReportsCleanup.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | -| policyReportsCleanup.tolerations | list | `[]` | List of node taints to tolerate | | rbac.roles.aggregate | object | `{"admin":true,"view":true}` | Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) | | upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. | @@ -897,8 +880,8 @@ Kubernetes: `>=1.25.0-0` | Repository | Name | Version | |------------|------|---------| -| | crds | 3.5.0 | -| | grafana | 3.5.0 | +| | crds | 3.5.1 | +| | grafana | 3.5.1 | | https://openreports.github.io/reports-api | openreports | 0.1.0 | ## Maintainers diff --git a/charts/kyverno/charts/crds/Chart.yaml b/charts/kyverno/charts/crds/Chart.yaml index dffe42c7b2..ef360e93c6 100644 --- a/charts/kyverno/charts/crds/Chart.yaml +++ b/charts/kyverno/charts/crds/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 description: Kyverno Custom Resource Definitions name: crds -version: 3.5.0 +version: 3.5.1 diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md index ae568fa30e..3fce191bba 100644 --- a/charts/kyverno/charts/crds/README.md +++ b/charts/kyverno/charts/crds/README.md 
@@ -1,6 +1,6 @@ # crds -![Version: 3.5.0](https://img.shields.io/badge/Version-3.5.0-informational?style=flat-square) +![Version: 3.5.1](https://img.shields.io/badge/Version-3.5.1-informational?style=flat-square) Kyverno Custom Resource Definitions diff --git a/charts/kyverno/charts/grafana/Chart.yaml b/charts/kyverno/charts/grafana/Chart.yaml index 42b4800850..3ddd402d01 100644 --- a/charts/kyverno/charts/grafana/Chart.yaml +++ b/charts/kyverno/charts/grafana/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 description: Grafana dashboards for Kyverno name: grafana -version: 3.5.0 +version: 3.5.1 diff --git a/charts/kyverno/charts/grafana/README.md b/charts/kyverno/charts/grafana/README.md index dd33a7af7b..b21673fe2e 100644 --- a/charts/kyverno/charts/grafana/README.md +++ b/charts/kyverno/charts/grafana/README.md @@ -1,6 +1,6 @@ # grafana -![Version: 3.5.0](https://img.shields.io/badge/Version-3.5.0-informational?style=flat-square) +![Version: 3.5.1](https://img.shields.io/badge/Version-3.5.1-informational?style=flat-square) Grafana dashboards for Kyverno diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml index 63dde085d4..8ee68bfe13 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_cleanuppolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: cleanuppolicies.kyverno.io diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml index 6c062c8b0f..46241e105b 100644 
--- a/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_clustercleanuppolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: clustercleanuppolicies.kyverno.io diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml index d202fd1295..fa823cfd40 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: clusterpolicies.kyverno.io diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml index 93b8641f92..97dda1848a 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_globalcontextentries.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: globalcontextentries.kyverno.io 
diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml index 599296ac75..900798816d 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_policies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: policies.kyverno.io diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml index d176a9a39d..9f446d7f47 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_policyexceptions.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: policyexceptions.kyverno.io diff --git a/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml b/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml index 32ab0b233f..f8d06e0dd0 100644 --- a/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml +++ b/charts/kyverno/crds/kyverno.io/kyverno.io_updaterequests.yaml 
@@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: updaterequests.kyverno.io diff --git a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_deletingpolicies.yaml b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_deletingpolicies.yaml index dff0d3e9fa..e87e8a9a86 100644 --- a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_deletingpolicies.yaml +++ b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_deletingpolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: deletingpolicies.policies.kyverno.io diff --git a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_generatingpolicies.yaml b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_generatingpolicies.yaml index 7520428fc5..5c94c73a66 100644 --- a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_generatingpolicies.yaml +++ b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_generatingpolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: generatingpolicies.policies.kyverno.io 
diff --git a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml index 98960dc775..f9a0e4c603 100644 --- a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml +++ b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: imagevalidatingpolicies.policies.kyverno.io diff --git a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml index 9c906a3805..231244415f 100644 --- a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml +++ b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: mutatingpolicies.policies.kyverno.io diff --git a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml index ac3c172986..b1c06fea85 100644 --- a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml +++ b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_policyexceptions.yaml 
@@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: policyexceptions.policies.kyverno.io diff --git a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 70b9f86a64..901517329d 100644 --- a/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/charts/kyverno/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: validatingpolicies.policies.kyverno.io diff --git a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml index 9b5caf3ef6..3cc5e8e641 100644 --- a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml +++ b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: clusterephemeralreports.reports.kyverno.io 
diff --git a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml index 80dfd99943..2c16cc5a87 100644 --- a/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml +++ b/charts/kyverno/crds/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: ephemeralreports.reports.kyverno.io diff --git a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml index a45deb7a66..69766ee005 100644 --- a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml +++ b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: clusterpolicyreports.wgpolicyk8s.io diff --git a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml index 1b66f05535..fe15038028 100644 --- a/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml +++ b/charts/kyverno/crds/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 
@@ -8,8 +8,8 @@ metadata: app.kubernetes.io/instance: release-name app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: release-name-crds - app.kubernetes.io/version: 3.5.0 - helm.sh/chart: crds-3.5.0 + app.kubernetes.io/version: 3.5.1 + helm.sh/chart: crds-3.5.1 annotations: controller-gen.kubebuilder.io/version: v0.17.3 name: policyreports.wgpolicyk8s.io diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index eae0be6177..64dda27fdb 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -66,7 +66,7 @@ {{- end -}} {{- with .logging -}} {{- $flags = append $flags (print "--loggingFormat=" .format) -}} - {{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}} + {{- $flags = append $flags (print "--v=" .verbosity) -}} {{- end -}} {{- with .omitEvents -}} {{- with .eventTypes -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml b/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml deleted file mode 100644 index c20cb679d4..0000000000 --- a/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml +++ /dev/null 
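Review bot: `(print "--v=" .verbosity)` in the `with .logging` block only renders a usable flag when `verbosity` is a scalar, whereas the removed `join "," .verbosity` form also accepted a list. If any values override still supplies `logging.verbosity` as a list, `print` will emit Go's bracketed list formatting and the container will most likely fail to parse `--v`. values.yaml changes in this commit but is outside this view, so confirm the type there and in the platform's own overrides. A tolerant form would be `{{- $v := .verbosity -}}{{- if kindIs "slice" $v -}}{{- $v = join "," $v -}}{{- end -}}` ahead of the append. The enclosing define starts and ends outside the hunk.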
@@ -1,130 +0,0 @@ -{{- if .Values.policyReportsCleanup.enabled -}} -{{- if not .Values.templating.enabled -}} -{{- $automountSAToken := .Values.admissionController.rbac.serviceAccount.automountServiceAccountToken }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-clean-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed -spec: - backoffLimit: 2 - template: - {{- if or .Values.policyReportsCleanup.podAnnotations .Values.policyReportsCleanup.podLabels }} - metadata: - {{- with .Values.policyReportsCleanup.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.policyReportsCleanup.podLabels }} - labels: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} - automountServiceAccountToken: true - {{- with .Values.policyReportsCleanup.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) 
$ | nindent 8 }} - {{- end }} - restartPolicy: Never - containers: - - name: kubectl - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }} - imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}') - - for ns in ${NAMESPACES[@]}; - do - COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l) - - if [ $COUNT -gt 0 ]; then - echo "deleting $COUNT policyreports in namespace $ns" - kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io - else - echo "no policyreports in namespace $ns" - fi - done - - COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l) - - if [ $COUNT -gt 0 ]; then - echo "deleting $COUNT clusterpolicyreports" - kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io - else - echo "no clusterpolicyreports" - fi - {{- with .Values.policyReportsCleanup.resources }} - resources: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.policyReportsCleanup.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if not $automountSAToken }} - volumeMounts: - - name: serviceaccount-token - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - readOnly: true - {{- end }} - {{- with .Values.policyReportsCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- tpl (include "kyverno.sortedImagePullSecrets" .) 
$ | nindent 8 }} - {{- end }} - {{- with .Values.policyReportsCleanup.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.policyReportsCleanup.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if or .Values.policyReportsCleanup.podAntiAffinity .Values.policyReportsCleanup.podAffinity .Values.policyReportsCleanup.nodeAffinity }} - affinity: - {{- with .Values.policyReportsCleanup.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.policyReportsCleanup.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.policyReportsCleanup.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} - {{- if not $automountSAToken }} - volumes: - - name: serviceaccount-token - projected: - defaultMode: 0444 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - name: kube-root-ca.crt - items: - - key: ca.crt - path: ca.crt - - downwardAPI: - items: - - path: namespace - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/kyverno/templates/hooks/post-delete-configmap.yaml b/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml similarity index 62% rename from charts/kyverno/templates/hooks/post-delete-configmap.yaml rename to charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml index 2abcf53f75..fe12a33d46 100644 --- a/charts/kyverno/templates/hooks/post-delete-configmap.yaml +++ b/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml 
@@ -1,71 +1,17 @@ -{{- if .Values.config.preserve -}} +{{- if .Values.webhooksCleanup.enabled -}} {{- if not .Values.templating.enabled -}} -{{- $automountSAToken := .Values.webhooksCleanup.serviceAccount.automountServiceAccountToken }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kyverno.fullname" . }}:remove-configmap - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-delete - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed - helm.sh/hook-weight: "0" -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - list - - get - - delete ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:remove-configmap - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-delete - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed - helm.sh/hook-weight: "0" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kyverno.fullname" . }}:remove-configmap -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.fullname" . }}-remove-configmap - namespace: {{ template "kyverno.namespace" . }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.fullname" . }}-remove-configmap - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.hooks.labels" . | nindent 4 }} - annotations: - helm.sh/hook: post-delete - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - helm.sh/hook-weight: "0" -automountServiceAccountToken: false ---- +{{- $automountSAToken := .Values.admissionController.rbac.serviceAccount.automountServiceAccountToken }} apiVersion: batch/v1 kind: Job metadata: - name: {{ template "kyverno.fullname" . 
}}-remove-configmap + name: {{ template "kyverno.fullname" . }}-remove-mutatingwebhookconfiguration namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.hooks.labels" . | nindent 4 }} annotations: - helm.sh/hook: post-delete + helm.sh/hook: pre-delete helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed - helm.sh/hook-weight: "10" + helm.sh/hook-weight: "100" spec: backoffLimit: 2 template: @@ -81,7 +27,7 @@ spec: {{- end }} {{- end }} spec: - serviceAccountName: {{ template "kyverno.fullname" . }}-remove-configmap + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} automountServiceAccountToken: {{ $automountSAToken }} {{- with .Values.webhooksCleanup.podSecurityContext }} securityContext: 
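Review bot: The cleanup Job now runs as `{{ template "kyverno.admission-controller.serviceAccountName" . }}` and takes `automountServiceAccountToken` from `.Values.admissionController.rbac.serviceAccount`, where the previous file declared a dedicated hook ServiceAccount bound to a namespaced Role with three verbs. That puts the admission controller's token inside a kubectl container whose image comes from `webhooksCleanup.image`, so the hook's privileges are whatever that account holds rather than what the delete needs. Nothing in this hunk shows that the account is allowed to delete `mutatingwebhookconfigurations`; check the admission controller's RBAC, which is outside this view. At minimum add a comment above `serviceAccountName`, e.g. `# hook reuses the admission controller SA; needs delete on mutatingwebhookconfigurations`. The same reuse appears in the new pre-delete-remove-validatingwebhookconfiguration.yaml, and the Job spec continues past this hunk.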
@@ -97,26 +43,26 @@ spec: image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} command: - - /bin/bash - - '-c' - - |- - set -euo pipefail - kubectl delete cm --ignore-not-found -n {{ template "kyverno.namespace" . }} {{ template "kyverno.config.configMapName" . }} + - kubectl + - delete + - mutatingwebhookconfiguration + - -l + - webhook.kyverno.io/managed-by=kyverno + {{- with .Values.webhooksCleanup.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} {{- with .Values.webhooksCleanup.securityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.webhooksCleanup.resources }} - resources: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} {{- if not $automountSAToken }} volumeMounts: - name: serviceaccount-token mountPath: /var/run/secrets/kubernetes.io/serviceaccount readOnly: true {{- end }} - {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations }} + {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} diff --git a/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml b/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..d03ce7338a --- /dev/null +++ b/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml 
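Review bot: The new `command` deletes every MutatingWebhookConfiguration matching `webhook.kyverno.io/managed-by=kyverno`, and that label is the only thing scoping a cluster-wide delete. A second Kyverno release in the same cluster, or any object that happens to carry the label, would be removed by this release's uninstall. The image line also still falls back to `.Chart.AppVersion` when `webhooksCleanup.image.tag` is empty, while the README in this commit says the tag defaults to `latest` and now points at `registry.k8s.io/kubectl`; a Kyverno app version is unlikely to be a valid kubectl tag, so the tag should be treated as required. A comment such as `# cluster-scoped delete: selects on label only, not on release` above the `- -l` argument would make the scope explicit. The container spec begins before this hunk.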
@@ -0,0 +1,110 @@
+{{- if .Values.webhooksCleanup.enabled -}}
+{{- if not .Values.templating.enabled -}}
+{{- $automountSAToken := .Values.admissionController.rbac.serviceAccount.automountServiceAccountToken }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "kyverno.fullname" . }}-remove-validatingwebhookconfiguration
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.hooks.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: "100"
+spec:
+ backoffLimit: 2
+ template:
+ {{- if or .Values.webhooksCleanup.podAnnotations .Values.webhooksCleanup.podLabels }}
+ metadata:
+ {{- with .Values.webhooksCleanup.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhooksCleanup.podLabels }}
+ labels:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+ automountServiceAccountToken: {{ $automountSAToken }}
+ {{- with .Values.webhooksCleanup.podSecurityContext }}
+ securityContext:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ restartPolicy: Never
+ {{- with .Values.webhooksCleanup.imagePullSecrets | default .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- tpl (include "kyverno.sortedImagePullSecrets" .) $ | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: kubectl
+ image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }}
+ imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }}
+ command:
+ - kubectl
+ - delete
+ - validatingwebhookconfiguration
+ - -l
+ - webhook.kyverno.io/managed-by=kyverno
+ {{- with .Values.webhooksCleanup.resources }}
+ resources:
+ {{- tpl (toYaml .)
$ | nindent 12 }}
+ {{- end }}
+ {{- with .Values.webhooksCleanup.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if not $automountSAToken }}
+ volumeMounts:
+ - name: serviceaccount-token
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ readOnly: true
+ {{- end }}
+ {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations}}
+ tolerations:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.webhooksCleanup.podAntiAffinity .Values.webhooksCleanup.podAffinity .Values.webhooksCleanup.nodeAffinity }}
+ affinity:
+ {{- with .Values.webhooksCleanup.podAntiAffinity }}
+ podAntiAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- with .Values.webhooksCleanup.podAffinity }}
+ podAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- with .Values.webhooksCleanup.nodeAffinity }}
+ nodeAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ {{- if not $automountSAToken }}
+ volumes:
+ - name: serviceaccount-token
+ projected:
+ defaultMode: 0444
+ sources:
+ - serviceAccountToken:
+ expirationSeconds: 3607
+ path: token
+ - configMap:
+ name: kube-root-ca.crt
+ items:
+ - key: ca.crt
+ path: ca.crt
+ - downwardAPI:
+ items:
+ - path: namespace
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
index 12c4e119c6..6ab327e15c 100644
--- a/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
+++ b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml
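Review bot: The new `pre-delete-remove-validatingwebhookconfiguration.yaml` appears, as far as the visible hunks show, to be a copy of the mutating-webhook Job that differs only in the resource kind, so each uninstall starts two hook pods that both carry the admission controller's token and the two templates must be kept in sync by hand. `kubectl delete` accepts a comma-separated list of resource types, so a single Job with `- validatingwebhookconfiguration,mutatingwebhookconfiguration` as the third argument would do the same work with one pod. If two Jobs are kept so that each kind fails independently, a shared named template in `_helpers.tpl` that takes the kind as a parameter would prevent drift such as the missing space in `.Values.global.tolerations}}`, which is repeated here.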
@@ -11,7 +11,8 @@ metadata:
 annotations:
 helm.sh/hook: pre-delete
 helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: "100"
+ {{/* Make sure this runs before other pre-delete jobs that removes webhooksconfiguration*/}}
+ helm.sh/hook-weight: "90"
 spec:
 backoffLimit: 2
 template:
@@ -43,14 +44,14 @@ spec:
 image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }}
 imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }}
 command:
- - /bin/bash
- - '-c'
- - |-
- set -euo pipefail
- kubectl scale -n {{ template "kyverno.namespace" . }} deployment -l app.kubernetes.io/part-of={{ template "kyverno.fullname" . }} --replicas=0
- sleep 30
- kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
- kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ - kubectl
+ - scale
+ - -n
+ - {{ template "kyverno.namespace" . }}
+ - deployment
+ - -l
+ - app.kubernetes.io/part-of={{ template "kyverno.fullname" . }}
+ - --replicas=0
 {{- with .Values.webhooksCleanup.resources }}
 resources:
 {{- tpl (toYaml .) $ | nindent 12 }}
diff --git a/charts/kyverno/templates/validate.yaml b/charts/kyverno/templates/validate.yaml
index 0027c9b210..7565202f9b 100644
--- a/charts/kyverno/templates/validate.yaml
+++ b/charts/kyverno/templates/validate.yaml
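Review bot: The `@@ -43,14 +44,14 @@` hunk of `pre-delete-scale-to-zero.yaml` drops the `sleep 30` that used to separate scaling the deployments from deleting the webhook configurations, and `kubectl scale` by default returns once the replica count is updated, not once the pods have terminated. The weight-100 removal Jobs can therefore start while controller pods are still shutting down; if a terminating admission controller still reconciles its webhook registrations, a configuration could be recreated after the cleanup and outlive the release. An intermediate pre-delete Job with a weight between 90 and 100 running `kubectl wait --for=delete pod -n <namespace> -l <controller pod selector> --timeout=60s` would make the ordering explicit; the selector is a placeholder because the pod labels are not visible here. Separately, `- {{ template "kyverno.namespace" . }}` is an unquoted templated scalar in a list of strings and is safer as `- {{ include "kyverno.namespace" . | quote }}`. The container spec continues past the hunk.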
@@ -24,13 +24,6 @@
 {{- fail "CRD clusterephemeralreports disabled while reportsController enabled" }}
 {{- end }}
-{{- if and (eq .Values.policyReportsCleanup.enabled true) (eq .Values.crds.groups.wgpolicyk8s.clusterpolicyreports false) (eq .Values.crds.reportsServer.enabled false) }}
-{{- fail "CRD clusterpolicyreports disabled while policyReportsCleanup enabled" }}
-{{- end }}
-{{- if and (eq .Values.policyReportsCleanup.enabled true) (eq .Values.crds.groups.wgpolicyk8s.policyreports false) (eq .Values.crds.reportsServer.enabled false) }}
-{{- fail "CRD policyreports disabled while policyReportsCleanup enabled" }}
-{{- end }}
-
 {{- if hasKey .Values "mode" -}}
 {{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}}
 {{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index ca40bb8067..aaa058aea8 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -528,6 +528,7 @@ test:
 # -- Additional labels
 customLabels: {}
+
 webhooksCleanup:
 # -- Create a helm pre-delete hook to cleanup webhooks.
 enabled: true
@@ -540,10 +541,10 @@ webhooksCleanup:
 # -- (string) Image registry
 registry: ~
 # -- Image repository
- repository: bitnami/kubectl
+ repository: registry.k8s.io/kubectl
 # -- Image tag
 # Defaults to `latest` if omitted
- tag: 'v1.32.7'
 # -- (string) Image pull policy
 # Defaults to image.pullPolicy if omitted
 pullPolicy: ~
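Review bot: In the `@@ -540,10 +541,10 @@` hunk of `values.yaml`, the hook image moves to `registry.k8s.io/kubectl` but is still referenced by the mutable tag `'v1.32.7'`; since the hook pods run with the admission controller's ServiceAccount token, pinning the image by digest would be the safer default, if the `kyverno.image` helper supports one (it is not visible here). The context comment saying the tag defaults to latest also disagrees with the templates in this patch, which pass `default .Chart.AppVersion .Values.webhooksCleanup.image.tag` as the default tag; I would change it to `# Defaults to the chart appVersion if omitted`. With `registry: ~` and a registry host inside `repository`, it is worth confirming that setting `global.image.registry` does not produce a doubled registry prefix. The `webhooksCleanup.image` block continues outside the hunk.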
@@ -603,74 +604,6 @@ webhooksCleanup:
 # -- Toggle automounting of the ServiceAccount
 automountServiceAccountToken: true
-policyReportsCleanup:
- # -- Create a helm post-upgrade hook to cleanup the old policy reports.
- enabled: true
-
- image:
- # -- (string) Image registry
- registry: ~
- # -- Image repository
- repository: bitnami/kubectl
- # -- Image tag
- # Defaults to `latest` if omitted
- tag: '1.32.3'
- # -- (string) Image pull policy
- # Defaults to image.pullPolicy if omitted
- pullPolicy: ~
-
- # -- Image pull secrets
- imagePullSecrets: []
- # - name: secretName
-
- # -- Security context for the pod
- podSecurityContext: {}
-
- # -- Node labels for pod assignment
- nodeSelector: {}
-
- # -- List of node taints to tolerate
- tolerations: []
-
- # -- Pod anti affinity constraints.
- podAntiAffinity: {}
-
- # -- Pod affinity constraints.
- podAffinity: {}
-
- # -- Pod labels.
- podLabels: {}
-
- # -- Pod annotations.
- podAnnotations: {}
-
- # -- Node affinity constraints.
- nodeAffinity: {}
-
- # -- Security context for the hook containers
- securityContext:
- runAsUser: 65534
- runAsGroup: 65534
- runAsNonRoot: true
- privileged: false
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- seccompProfile:
- type: RuntimeDefault
-
- resources:
- # -- Pod resource limits
- limits:
- cpu: 100m
- memory: 256Mi
- # -- Pod resource requests
- requests:
- cpu: 10m
- memory: 64Mi
-
 grafana:
 # -- Enable grafana dashboard creation.
 enabled: false