From 822f88f58fb09bb15945eac10a46a1e40a4e38a2 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 29 Oct 2024 09:35:32 -0500 Subject: [PATCH] fix kyverno --- .../apps/kyverno/kyverno/app/helmrelease.yaml | 60 ++++++++++--------- .../kyverno/policies/remove-cpu-limits.yaml | 1 - .../kyverno/policies/volsync-movers.yaml | 1 - 3 files changed, 33 insertions(+), 29 deletions(-) diff --git a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml index e797a65a..6fa0139a 100644 --- a/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml +++ b/kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml @@ -39,20 +39,27 @@ spec: clusterRole: extraResources: - apiGroups: - - "" + - "*" resources: - - pods + - "*" verbs: - - create - - update - - patch - - delete - get - list + - watch cleanupController: serviceMonitor: enabled: true reportsController: + clusterRole: + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch serviceMonitor: enabled: true admissionController: @@ -63,14 +70,13 @@ spec: clusterRole: extraResources: - apiGroups: - - "" + - "*" resources: - - pods - - nodes + - "*" verbs: - - create - - update - - delete + - get + - list + - watch topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname @@ -85,24 +91,24 @@ spec: # These are joined together without spaces, run through `tpl`, and the result is set in the config map. # @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1) resourceFilters: - - '[Event,*,*]' - - '[*/*,kube-system,*]' - - '[*/*,kube-public,*]' - - '[*/*,kube-node-lease,*]' - - '[Node,*,*]' - - '[Node/*,*,*]' - - '[APIService,*,*]' - - '[APIService/*,*,*]' - - '[TokenReview,*,*]' - - '[SubjectAccessReview,*,*]' - - '[SelfSubjectAccessReview,*,*]' + - "[Event,*,*]" + - "[*/*,kube-system,*]" + - "[*/*,kube-public,*]" + - "[*/*,kube-node-lease,*]" + - "[Node,*,*]" + - "[Node/*,*,*]" + - "[APIService,*,*]" + - "[APIService/*,*,*]" + - "[TokenReview,*,*]" + - "[SubjectAccessReview,*,*]" + - "[SelfSubjectAccessReview,*,*]" # remove the following to allow for schematic-to-pod.yaml to work # - '[Binding,*,*]' # - '[Pod/binding,*,*]' - - '[ReplicaSet,*,*]' - - '[ReplicaSet/*,*,*]' - - '[EphemeralReport,*,*]' - - '[ClusterEphemeralReport,*,*]' + - "[ReplicaSet,*,*]" + - "[ReplicaSet/*,*,*]" + - "[EphemeralReport,*,*]" + - "[ClusterEphemeralReport,*,*]" # exclude resources from the chart - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]' - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]' diff --git a/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml b/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml index 801c6614..de56e7e8 100644 --- a/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml +++ b/kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml @@ -13,7 +13,6 @@ metadata: This policy removes CPU limits from all Pods. pod-policies.kyverno.io/autogen-controllers: none spec: - mutateExistingOnPolicyUpdate: true rules: - name: remove-containers-cpu-limits match: diff --git a/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml b/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml index ae2565de..7ad375d6 100644 --- a/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml +++ b/kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml @@ -10,7 +10,6 @@ metadata: This policy sets custom configuration on the Volsync mover Jobs. policies.kyverno.io/subject: Pod spec: - mutateExistingOnPolicyUpdate: true rules: - name: set-volsync-movers-custom-config match: