feat(container): update image kyverno to v3.7.0#390
Open
renovate[bot] wants to merge 1 commit into
--- kubernetes/apps/kyverno/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno/kyverno
+++ kubernetes/apps/kyverno/kyverno/app Kustomization: flux-system/kyverno HelmRelease: kyverno/kyverno
@@ -13,13 +13,13 @@
spec:
chart: kyverno
sourceRef:
kind: HelmRepository
name: kyverno
namespace: flux-system
- version: 3.3.7
+ version: 3.7.0
install:
remediation:
retries: 3
interval: 30m
upgrade:
cleanupOnFail: true |
--- HelmRelease: kyverno/kyverno PodDisruptionBudget: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno PodDisruptionBudget: kyverno/kyverno-admission-controller
@@ -1,8 +1,8 @@
---
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: kyverno-admission-controller
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-admission-controller
@@ -6,7 +6,8 @@
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
+automountServiceAccountToken: false
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-background-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-background-controller
@@ -6,7 +6,8 @@
namespace: kyverno
labels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
+automountServiceAccountToken: false
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-cleanup-controller
@@ -6,7 +6,8 @@
namespace: kyverno
labels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
+automountServiceAccountToken: false
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-reports-controller
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-reports-controller
@@ -6,7 +6,8 @@
namespace: kyverno
labels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
+automountServiceAccountToken: false
--- HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
+++ HelmRelease: kyverno/kyverno ConfigMap: kyverno/kyverno-metrics
@@ -8,10 +8,10 @@
app.kubernetes.io/component: config
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
data:
namespaces: '{"exclude":[],"include":[]}'
- metricsExposure: '{"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]}}'
+ metricsExposure: '{"kyverno_admission_requests_total":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_admission_review_duration_seconds":{"disabledLabelDimensions":["resource_namespace"]},"kyverno_cleanup_controller_deletedobjects_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_generating_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_image_validating_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_mutating_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]},"kyverno_policy_results_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_policy_rule_info_total":{"disabledLabelDimensions":["resource_namespace","policy_namespace"]},"kyverno_validating_policy_execution_duration_seconds":{"disabledLabelDimensions":["resource_namespace","resource_request_operation"]}}'
bucketBoundaries: 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20,
25, 30
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:admission-controller:core
@@ -17,12 +17,14 @@
- get
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
+ - validatingadmissionpolicies
+ - validatingadmissionpolicybindings
verbs:
- create
- delete
- get
- list
- patch
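Review bot: Adding `validatingadmissionpolicies` and `validatingadmissionpolicybindings` to this rule gives the admission controller create, delete and patch on native admission policy objects cluster-wide (the verb list continues outside the hunk). The grant goes together with `--generateValidatingAdmissionPolicy=true` in the admission-controller Deployment section, which was `false` before this upgrade. If generating ValidatingAdmissionPolicies from Kyverno policies is not wanted in this cluster, turn the feature off in the HelmRelease values (likely `features.generateValidatingAdmissionPolicy.enabled: false`; confirm the key against the 3.7.0 values file) and check in the re-rendered diff whether these two resources are still granted.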
@@ -34,12 +36,13 @@
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
+ - get
- list
- watch
- apiGroups:
- kyverno.io
resources:
- policies
@@ -47,22 +50,71 @@
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- globalcontextentries
- globalcontextentries/status
- - policyexceptions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
+- apiGroups:
+ - kyverno.io
+ resources:
+ - policyexceptions
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - validatingpolicies
+ - validatingpolicies/status
+ - namespacedvalidatingpolicies
+ - namespacedvalidatingpolicies/status
+ - imagevalidatingpolicies
+ - imagevalidatingpolicies/status
+ - namespacedimagevalidatingpolicies
+ - namespacedimagevalidatingpolicies/status
+ - generatingpolicies
+ - generatingpolicies/status
+ - namespacedgeneratingpolicies
+ - namespacedgeneratingpolicies/status
+ - mutatingpolicies
+ - mutatingpolicies/status
+ - namespacedmutatingpolicies
+ - namespacedmutatingpolicies/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - policyexceptions
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:background-controller:core
@@ -33,12 +33,40 @@
- get
- list
- patch
- update
- watch
- deletecollection
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - generatingpolicies
+ - namespacedgeneratingpolicies
+ - mutatingpolicies
+ - namespacedmutatingpolicies
+ - policyexceptions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - policyexceptions
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
- apiGroups:
- ''
resources:
- namespaces
- configmaps
verbs:
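Review bot: `policyexceptions` under `policies.kyverno.io` appears in both added rules: the first grants it `delete` and `deletecollection`, the second repeats it with only create/get/list/patch/update/watch. RBAC rules are additive, so the narrower second rule changes nothing and the background controller keeps delete rights on exceptions. In the admission-controller ClusterRole the same commit removes `policyexceptions` from the broad `kyverno.io` rule and re-adds it without delete verbs, which suggests the duplicate here is a chart oversight. It is worth reporting upstream, and worth remembering when auditing which service accounts can remove a PolicyException.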
@@ -100,7 +128,18 @@
- limitranges
verbs:
- create
- update
- patch
- delete
+- apiGroups:
+ - resource.k8s.io
+ resources:
+ - resourceclaims
+ - resourceclaimtemplates
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+ - deletecollection
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:cleanup-controller:core
@@ -38,12 +38,38 @@
- kyverno.io
resources:
- clustercleanuppolicies
- cleanuppolicies
verbs:
- list
+ - watch
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - deletingpolicies
+ - namespaceddeletingpolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - deletingpolicies/status
+ - namespaceddeletingpolicies/status
+ verbs:
+ - update
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - policyexceptions
+ verbs:
+ - get
+ - list
+ - patch
+ - update
- watch
- apiGroups:
- kyverno.io
resources:
- globalcontextentries
- globalcontextentries/status
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:reports-controller:core
@@ -39,12 +39,54 @@
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - validatingpolicies
+ - validatingpolicies/status
+ - namespacedvalidatingpolicies
+ - namespacedvalidatingpolicies/status
+ - imagevalidatingpolicies
+ - imagevalidatingpolicies/status
+ - namespacedimagevalidatingpolicies
+ - namespacedimagevalidatingpolicies/status
+ - generatingpolicies
+ - namespacedgeneratingpolicies
+ - mutatingpolicies
+ - namespacedmutatingpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - policyexceptions
+ - policyexceptions/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingadmissionpolicies
+ - validatingadmissionpolicybindings
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
- reports.kyverno.io
resources:
- ephemeralreports
- clusterephemeralreports
verbs:
- create
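Review bot: The first added rule gives the reports controller create, delete, patch, update and deletecollection on the validating, image-validating, generating and mutating policy kinds in `policies.kyverno.io`, not only read access. Judging by its name and flags this controller produces reports from policies, so write access to the policies themselves looks wider than the task needs; that is an inference from this diff, not from the controller source. The two rules that follow (`policyexceptions`, `validatingadmissionpolicies`) are limited to get/list/watch, which is the shape one would expect here too, apart from the `/status` subresources. When assessing exposure, treat the reports-controller service account as able to change or delete policies.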
@@ -69,12 +111,28 @@
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
+ - openreports.io
+ resources:
+ - reports
+ - reports/status
+ - clusterreports
+ - clusterreports/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-admission-controller
@@ -27,12 +27,14 @@
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
+ nodeSelector:
+ kubernetes.io/os: linux
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
maxSkew: 1
@@ -49,19 +51,21 @@
operator: In
values:
- admission-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-admission-controller
+ automountServiceAccountToken: true
initContainers:
- name: kyverno-pre
- image: ghcr.io/kyverno/kyvernopre:v1.13.4
+ image: reg.kyverno.io/kyverno/kyvernopre:v1.17.0
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
- --v=2
+ - --openreportsEnabled=false
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
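Review bot: The init container image moves from `ghcr.io/kyverno/kyvernopre` to `reg.kyverno.io/kyverno/kyvernopre` and is referenced by tag only. The same registry switch appears in the main container below and in the background, cleanup and reports controller Deployments and the migrate-resources Job. Any registry allow-list, image-verification policy, pull-through mirror or egress rule that names `ghcr.io/kyverno` needs the new host before this merges, otherwise the pods will fail to pull or be rejected at admission. Pinning by digest through the HelmRelease image values (rendered form `reg.kyverno.io/kyverno/kyvernopre:v1.17.0@sha256:<digest>`) would keep a re-tagged image from rolling out unnoticed.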
@@ -96,33 +100,37 @@
- name: KYVERNO_DEPLOYMENT
value: kyverno-admission-controller
- name: KYVERNO_SVC
value: kyverno-svc
containers:
- name: kyverno
- image: ghcr.io/kyverno/kyverno:v1.13.4
+ image: reg.kyverno.io/kyverno/kyverno:v1.17.0
imagePullPolicy: IfNotPresent
args:
- --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
+ - --tlsKeyAlgorithm=RSA
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
- --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller
- --servicePort=443
- --webhookServerPort=9443
- --resyncPeriod=15m
+ - --crdWatcher=false
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --admissionReports=true
- --maxAdmissionReports=1000
- --autoUpdateWebhooks=true
- --enableConfigMapCaching=true
+ - --controllerRuntimeMetricsAddress=:8080
- --enableDeferredLoading=true
- --dumpPayload=false
- --forceFailurePolicyIgnore=false
- - --generateValidatingAdmissionPolicy=false
+ - --generateValidatingAdmissionPolicy=true
+ - --generateMutatingAdmissionPolicy=false
- --dumpPatches=false
- --maxAPICallResponseLength=2000000
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- --enablePolicyException=false
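Review bot: Three flag changes in this hunk alter runtime behaviour rather than just following the version: `--generateValidatingAdmissionPolicy` flips from `false` to `true`, `--controllerRuntimeMetricsAddress=:8080` adds a listener bound to all pod interfaces, and `--tlsKeyAlgorithm=RSA` is now set explicitly. The reports-controller Deployment flips `--validatingAdmissionPolicyReports` to `true` in the same way. Before merging, check that a NetworkPolicy for the kyverno namespace limits who can reach port 8080, and decide whether ValidatingAdmissionPolicy generation is wanted. The container's args list continues outside the hunk.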
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-background-controller
@@ -27,12 +27,14 @@
labels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
+ nodeSelector:
+ kubernetes.io/os: linux
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
@@ -41,15 +43,16 @@
operator: In
values:
- background-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-background-controller
+ automountServiceAccountToken: true
containers:
- name: controller
- image: ghcr.io/kyverno/background-controller:v1.13.4
+ image: reg.kyverno.io/kyverno/background-controller:v1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-cleanup-controller
@@ -27,12 +27,14 @@
labels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
+ nodeSelector:
+ kubernetes.io/os: linux
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
@@ -41,30 +43,31 @@
operator: In
values:
- cleanup-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-cleanup-controller
+ automountServiceAccountToken: true
containers:
- name: controller
- image: ghcr.io/kyverno/cleanup-controller:v1.13.4
+ image: reg.kyverno.io/kyverno/cleanup-controller:v1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
- --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
+ - --tlsKeyAlgorithm=RSA
- --servicePort=443
+ - --resyncPeriod=15m
- --cleanupServerPort=9443
- - --webhookServerPort=9443
- - --resyncPeriod=15m
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
- --enableDeferredLoading=true
- --dumpPayload=false
- --maxAPICallResponseLength=2000000
--- HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
+++ HelmRelease: kyverno/kyverno Deployment: kyverno/kyverno-reports-controller
@@ -27,12 +27,14 @@
labels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
spec:
+ nodeSelector:
+ kubernetes.io/os: linux
dnsPolicy: ClusterFirst
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
@@ -41,32 +43,35 @@
operator: In
values:
- reports-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-reports-controller
+ automountServiceAccountToken: true
containers:
- name: controller
- image: ghcr.io/kyverno/reports-controller:v1.13.4
+ image: reg.kyverno.io/kyverno/reports-controller:v1.17.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics
protocol: TCP
args:
- --disableMetrics=false
+ - --openreportsEnabled=false
- --otelConfig=prometheus
- --metricsPort=8000
- --resyncPeriod=15m
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- - --validatingAdmissionPolicyReports=false
+ - --validatingAdmissionPolicyReports=true
+ - --mutatingAdmissionPolicyReports=false
- --backgroundScan=true
- --backgroundScanWorkers=2
- --backgroundScanInterval=1h
- --skipResourceFilters=true
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-remove-configmap
@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kyverno-remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
- helm.sh/hook-weight: '0'
-
--- HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno ServiceAccount: kyverno/kyverno-migrate-resources
@@ -10,7 +10,8 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
helm.sh/hook: post-upgrade
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: '100'
+automountServiceAccountToken: false
--- HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:migrate-resources
+++ HelmRelease: kyverno/kyverno ClusterRole: kyverno/kyverno:migrate-resources
@@ -19,12 +19,20 @@
- '*'
verbs:
- get
- list
- update
- apiGroups:
+ - policies.kyverno.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - update
+- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- apiGroups:
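Review bot: The added rule grants get, list and update on `'*'` in `policies.kyverno.io`, while the migrate-resources Job in this PR names eleven specific resources of that group in its `--resource` arguments. The wildcard will also cover any resource a later chart version adds to the group, without that showing up in a rendered diff. The context lines show an existing rule with the same `'*'` resources and verbs, so this is consistent with the chart. An explicit resource list would still keep the hook's service account bounded to what the Job actually migrates.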
--- HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno Role: kyverno/kyverno:remove-configmap
@@ -1,25 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: kyverno:remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '0'
-rules:
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - list
- - get
- - delete
-
--- HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
+++ HelmRelease: kyverno/kyverno RoleBinding: kyverno/kyverno:remove-configmap
@@ -1,24 +0,0 @@
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kyverno:remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '0'
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kyverno:remove-configmap
-subjects:
-- kind: ServiceAccount
- name: kyverno-remove-configmap
- namespace: kyverno
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-remove-configmap
@@ -1,45 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-remove-configmap
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-delete
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '10'
-spec:
- backoffLimit: 2
- template:
- metadata: null
- spec:
- serviceAccount: kyverno-remove-configmap
- restartPolicy: Never
- containers:
- - name: kubectl
- image: bitnami/kubectl:1.30.2
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |-
- set -euo pipefail
- kubectl delete cm -n kyverno kyverno
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-clean-reports
@@ -1,65 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kyverno-clean-reports
- namespace: kyverno
- labels:
- app.kubernetes.io/component: hooks
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno
- annotations:
- helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
-spec:
- backoffLimit: 2
- template:
- metadata: null
- spec:
- serviceAccount: kyverno-admission-controller
- restartPolicy: Never
- containers:
- - name: kubectl
- image: bitnami/kubectl:1.30.2
- imagePullPolicy: null
- command:
- - /bin/bash
- - -c
- - |
- set -euo pipefail
- NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
-
- for ns in ${NAMESPACES[@]};
- do
- COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)
-
- if [ $COUNT -gt 0 ]; then
- echo "deleting $COUNT policyreports in namespace $ns"
- kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io
- else
- echo "no policyreports in namespace $ns"
- fi
- done
-
- COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
-
- if [ $COUNT -gt 0 ]; then
- echo "deleting $COUNT clusterpolicyreports"
- kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
- else
- echo "no clusterpolicyreports"
- fi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
-
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-migrate-resources
@@ -8,24 +8,23 @@
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
helm.sh/hook: post-upgrade
- helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
helm.sh/hook-weight: '200'
spec:
backoffLimit: 2
template:
- metadata: null
spec:
- serviceAccount: kyverno-migrate-resources
+ serviceAccountName: kyverno-migrate-resources
+ automountServiceAccountToken: true
restartPolicy: Never
containers:
- name: kubectl
- image: ghcr.io/kyverno/kyverno-cli:v1.13.4
+ image: reg.kyverno.io/kyverno/kyverno-cli:v1.17.0
imagePullPolicy: IfNotPresent
args:
- migrate
- --resource
- cleanuppolicies.kyverno.io
- --resource
@@ -37,12 +36,41 @@
- --resource
- policies.kyverno.io
- --resource
- policyexceptions.kyverno.io
- --resource
- updaterequests.kyverno.io
+ - --resource
+ - deletingpolicies.policies.kyverno.io
+ - --resource
+ - generatingpolicies.policies.kyverno.io
+ - --resource
+ - imagevalidatingpolicies.policies.kyverno.io
+ - --resource
+ - mutatingpolicies.policies.kyverno.io
+ - --resource
+ - namespaceddeletingpolicies.policies.kyverno.io
+ - --resource
+ - namespacedgeneratingpolicies.policies.kyverno.io
+ - --resource
+ - namespacedimagevalidatingpolicies.policies.kyverno.io
+ - --resource
+ - namespacedmutatingpolicies.policies.kyverno.io
+ - --resource
+ - namespacedvalidatingpolicies.policies.kyverno.io
+ - --resource
+ - policyexceptions.policies.kyverno.io
+ - --resource
+ - validatingpolicies.policies.kyverno.io
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-scale-to-zero
@@ -9,33 +9,40 @@
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno
annotations:
helm.sh/hook: pre-delete
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
- helm.sh/hook-weight: '100'
+ helm.sh/hook-weight: '90'
spec:
backoffLimit: 2
template:
- metadata: null
spec:
- serviceAccount: kyverno-admission-controller
+ serviceAccountName: kyverno-admission-controller
+ automountServiceAccountToken: true
restartPolicy: Never
containers:
- name: kubectl
- image: bitnami/kubectl:1.30.2
+ image: registry.k8s.io/kubectl:v1.34.3
imagePullPolicy: null
command:
- - /bin/bash
- - -c
- - |-
- set -euo pipefail
- kubectl scale -n kyverno deployment -l app.kubernetes.io/part-of=kyverno --replicas=0
- sleep 30
- kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
- kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno
+ - kubectl
+ - scale
+ - -n
+ - kyverno
+ - deployment
+ - -l
+ - app.kubernetes.io/part-of=kyverno
+ - --replicas=0
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
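Review bot: The old script waited 30 seconds between scaling the Deployments to zero and deleting the webhook configurations; the new Job only runs `kubectl scale`, which returns without waiting for pods to terminate, and the deletion moves to separate hook Jobs at weight 100. With `--autoUpdateWebhooks=true` on the admission controller, a pod that is still shutting down could plausibly re-create a webhook configuration after the rm Jobs have run, leaving a webhook that points at a removed service; this is inferred from the manifests, not tested. After an uninstall, verify with `kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -l webhook.kyverno.io/managed-by=kyverno` that nothing is left behind. The image is also referenced by tag only (`registry.k8s.io/kubectl:v1.34.3`) with `imagePullPolicy: null`.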
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-rm-mutatingwhconfig
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-rm-mutatingwhconfig
@@ -0,0 +1,52 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-rm-mutatingwhconfig
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '100'
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ serviceAccountName: kyverno-admission-controller
+ automountServiceAccountToken: true
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: registry.k8s.io/kubectl:v1.34.3
+ imagePullPolicy: null
+ command:
+ - kubectl
+ - delete
+ - mutatingwebhookconfiguration
+ - -l
+ - webhook.kyverno.io/managed-by=kyverno
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+
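Review bot: This hook Job runs a single `kubectl delete mutatingwebhookconfiguration` but does so as `kyverno-admission-controller`, whose ClusterRole in this PR carries create, delete and patch on webhook configurations, admission policies and the Kyverno policy kinds. The kyverno-rm-validatingwhconfig Job that follows is built the same way. A dedicated hook service account limited to `delete` and `list` on the two webhook configuration resources would follow the pattern the chart already uses for `kyverno-migrate-resources`. Until then, treat the `registry.k8s.io/kubectl` container in these Jobs as running with the admission controller's cluster permissions.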
--- HelmRelease: kyverno/kyverno Job: kyverno/kyverno-rm-validatingwhconfig
+++ HelmRelease: kyverno/kyverno Job: kyverno/kyverno-rm-validatingwhconfig
@@ -0,0 +1,52 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kyverno-rm-validatingwhconfig
+ namespace: kyverno
+ labels:
+ app.kubernetes.io/component: hooks
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+ helm.sh/hook-weight: '100'
+spec:
+ backoffLimit: 2
+ template:
+ spec:
+ serviceAccountName: kyverno-admission-controller
+ automountServiceAccountToken: true
+ restartPolicy: Never
+ containers:
+ - name: kubectl
+ image: registry.k8s.io/kubectl:v1.34.3
+ imagePullPolicy: null
+ command:
+ - kubectl
+ - delete
+ - validatingwebhookconfiguration
+ - -l
+ - webhook.kyverno.io/managed-by=kyverno
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 65534
+ runAsNonRoot: true
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ |
968e382 to
d9b8dd2
Compare
d9b8dd2 to
0caad1d
Compare
0caad1d to
9da6b88
Compare
9da6b88 to
14e4c48
Compare
14e4c48 to
2c35796
Compare
2c35796 to
454b907
Compare
454b907 to
e6ae980
Compare
e6ae980 to
aaab4bf
Compare
aaab4bf to
9dc8818
Compare
9dc8818 to
c688b79
Compare
c688b79 to
8dcffc2
Compare
This PR contains the following updates:
3.3.7 → 3.7.0

Configuration
📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.