fix kyverno

Joseph Hanson 2024-10-29 09:35:32 -05:00
parent 44e8200961
commit 822f88f58f
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
3 changed files with 33 additions and 29 deletions


@ -39,20 +39,27 @@ spec:
clusterRole: clusterRole:
extraResources: extraResources:
- apiGroups: - apiGroups:
- "" - "*"
resources: resources:
- pods - "*"
verbs: verbs:
- create
- update
- patch
- delete
- get - get
- list - list
- watch
cleanupController: cleanupController:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
reportsController: reportsController:
clusterRole:
extraResources:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
serviceMonitor: serviceMonitor:
enabled: true enabled: true
admissionController: admissionController:
@ -63,14 +70,13 @@ spec:
clusterRole: clusterRole:
extraResources: extraResources:
- apiGroups: - apiGroups:
- "" - "*"
resources: resources:
- pods - "*"
- nodes
verbs: verbs:
- create - get
- update - list
- delete - watch
topologySpreadConstraints: topologySpreadConstraints:
- maxSkew: 1 - maxSkew: 1
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
@ -85,24 +91,24 @@ spec:
# These are joined together without spaces, run through `tpl`, and the result is set in the config map. # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
# @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1) # @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1)
resourceFilters: resourceFilters:
- '[Event,*,*]' - "[Event,*,*]"
- '[*/*,kube-system,*]' - "[*/*,kube-system,*]"
- '[*/*,kube-public,*]' - "[*/*,kube-public,*]"
- '[*/*,kube-node-lease,*]' - "[*/*,kube-node-lease,*]"
- '[Node,*,*]' - "[Node,*,*]"
- '[Node/*,*,*]' - "[Node/*,*,*]"
- '[APIService,*,*]' - "[APIService,*,*]"
- '[APIService/*,*,*]' - "[APIService/*,*,*]"
- '[TokenReview,*,*]' - "[TokenReview,*,*]"
- '[SubjectAccessReview,*,*]' - "[SubjectAccessReview,*,*]"
- '[SelfSubjectAccessReview,*,*]' - "[SelfSubjectAccessReview,*,*]"
# remove the following to allow for schematic-to-pod.yaml to work # remove the following to allow for schematic-to-pod.yaml to work
# - '[Binding,*,*]' # - '[Binding,*,*]'
# - '[Pod/binding,*,*]' # - '[Pod/binding,*,*]'
- '[ReplicaSet,*,*]' - "[ReplicaSet,*,*]"
- '[ReplicaSet/*,*,*]' - "[ReplicaSet/*,*,*]"
- '[EphemeralReport,*,*]' - "[EphemeralReport,*,*]"
- '[ClusterEphemeralReport,*,*]' - "[ClusterEphemeralReport,*,*]"
# exclude resources from the chart # exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]' - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
- '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]' - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'
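Review bot: The rewritten `extraResources` rule in the first hunk gives the controller `get`/`list`/`watch` on `apiGroups: "*"` and `resources: "*"`, which is cluster-wide read of every kind, Secrets included, for that service account; the same wildcard rule is added under `reportsController` and again in the second hunk. The two policies changed in this commit both concern Pods, so if they are representative a scoped rule would do, for example keeping the old `apiGroups: [""]` / `resources: [pods]` entry and only changing the verbs to `get`, `list`, `watch`. If the wildcard is intentional, a comment above each rule such as `# read-only wildcard: lets Kyverno read any kind a policy matches, including Secrets` would record the trade-off. The `clusterRole` blocks in hunks one and two start above the visible lines, so which controllers they belong to cannot be confirmed from here.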


@ -13,7 +13,6 @@ metadata:
This policy removes CPU limits from all Pods. This policy removes CPU limits from all Pods.
pod-policies.kyverno.io/autogen-controllers: none pod-policies.kyverno.io/autogen-controllers: none
spec: spec:
mutateExistingOnPolicyUpdate: true
rules: rules:
- name: remove-containers-cpu-limits - name: remove-containers-cpu-limits
match: match:


@ -10,7 +10,6 @@ metadata:
This policy sets custom configuration on the Volsync mover Jobs. This policy sets custom configuration on the Volsync mover Jobs.
policies.kyverno.io/subject: Pod policies.kyverno.io/subject: Pod
spec: spec:
mutateExistingOnPolicyUpdate: true
rules: rules:
- name: set-volsync-movers-custom-config - name: set-volsync-movers-custom-config
match: match: