fix kyverno

kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml

@@ -39,20 +39,27 @@ spec:
         clusterRole:
           extraResources:
             - apiGroups:
-                - ""
+                - "*"
               resources:
-                - pods
+                - "*"
               verbs:
-                - create
-                - update
-                - patch
-                - delete
                 - get
                 - list
+                - watch
     cleanupController:
       serviceMonitor:
         enabled: true
     reportsController:
+      clusterRole:
+        extraResources:
+          - apiGroups:
+              - '*'
+            resources:
+              - '*'
+            verbs:
+              - get
+              - list
+              - watch
       serviceMonitor:
         enabled: true
     admissionController:
@@ -63,14 +70,13 @@ spec:
         clusterRole:
           extraResources:
             - apiGroups:
-                - ""
+                - "*"
               resources:
-                - pods
+                - "*"
-                - nodes
               verbs:
-                - create
+                - get
-                - update
+                - list
-                - delete
+                - watch
       topologySpreadConstraints:
         - maxSkew: 1
           topologyKey: kubernetes.io/hostname
@@ -85,24 +91,24 @@ spec:
       # These are joined together without spaces, run through `tpl`, and the result is set in the config map.
       # @default -- See [values.yaml](https://github.com/kyverno/kyverno/blob/ed1906a0dc281c2aeb9b7046b843708825310330/charts/kyverno/values.yaml#L207C3-L316C1)
       resourceFilters:
-        - '[Event,*,*]'
+        - "[Event,*,*]"
-        - '[*/*,kube-system,*]'
+        - "[*/*,kube-system,*]"
-        - '[*/*,kube-public,*]'
+        - "[*/*,kube-public,*]"
-        - '[*/*,kube-node-lease,*]'
+        - "[*/*,kube-node-lease,*]"
-        - '[Node,*,*]'
+        - "[Node,*,*]"
-        - '[Node/*,*,*]'
+        - "[Node/*,*,*]"
-        - '[APIService,*,*]'
+        - "[APIService,*,*]"
-        - '[APIService/*,*,*]'
+        - "[APIService/*,*,*]"
-        - '[TokenReview,*,*]'
+        - "[TokenReview,*,*]"
-        - '[SubjectAccessReview,*,*]'
+        - "[SubjectAccessReview,*,*]"
-        - '[SelfSubjectAccessReview,*,*]'
+        - "[SelfSubjectAccessReview,*,*]"
         # remove the following to allow for schematic-to-pod.yaml to work
         # - '[Binding,*,*]'
         # - '[Pod/binding,*,*]'
-        - '[ReplicaSet,*,*]'
+        - "[ReplicaSet,*,*]"
-        - '[ReplicaSet/*,*,*]'
+        - "[ReplicaSet/*,*,*]"
-        - '[EphemeralReport,*,*]'
+        - "[EphemeralReport,*,*]"
-        - '[ClusterEphemeralReport,*,*]'
+        - "[ClusterEphemeralReport,*,*]"
         # exclude resources from the chart
         - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]'
         - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]'

kubernetes/apps/kyverno/kyverno/policies/remove-cpu-limits.yaml

@@ -13,7 +13,6 @@ metadata:
       This policy removes CPU limits from all Pods.
     pod-policies.kyverno.io/autogen-controllers: none
 spec:
-  mutateExistingOnPolicyUpdate: true
   rules:
     - name: remove-containers-cpu-limits
       match:

kubernetes/apps/kyverno/kyverno/policies/volsync-movers.yaml

@@ -10,7 +10,6 @@ metadata:
       This policy sets custom configuration on the Volsync mover Jobs.
     policies.kyverno.io/subject: Pod
 spec:
-  mutateExistingOnPolicyUpdate: true
   rules:
     - name: set-volsync-movers-custom-config
       match: