Merge pull request #231 from nirmata/policy-report-cleanup

Policy report cleanup

charts/nirmata/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 type: application
 name: kyverno
-version: 3.1.0-rc5
+version: 3.1.0-rc6
 appVersion: v1.11.4-n4k.nirmata.2
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management

charts/nirmata/templates/hooks/post-upgrade.yaml

@@ -0,0 +1,58 @@
+{{- if .Values.policyReportsCleanup.enabled -}}
+  {{- if not .Values.templating.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "kyverno.fullname" . }}-hook-post-upgrade
+  namespace: {{ template "kyverno.namespace" . }}
+  labels:
+    {{- include "kyverno.hooks.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+spec:
+  backoffLimit: 2
+  template:
+    spec:
+      serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+      {{- with .Values.policyReportsCleanup.podSecurityContext }}
+      securityContext:
+        {{- tpl (toYaml .) $ | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      containers:
+        - name: kubectl
+          image: {{ (include "kyverno.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }}
+          imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}')
+
+              for ns in ${NAMESPACES[@]};
+              do
+                COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l)
+
+                if [ $COUNT -gt 0 ]; then
+                  echo "deleting $COUNT policyreports in namespace $ns"
+                  kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io
+                else
+                  echo "no policyreports in namespace $ns"
+                fi
+              done
+
+              COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l)
+                
+              if [ $COUNT -gt 0 ]; then
+                echo "deleting $COUNT clusterpolicyreports"
+                kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io
+              else
+                echo "no clusterpolicyreports"
+              fi
+          {{- with .Values.policyReportsCleanup.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+  {{- end -}}
+{{- end -}}

charts/nirmata/values.yaml

@@ -399,6 +399,41 @@ webhooksCleanup:
     seccompProfile:
       type: RuntimeDefault
 
+
+policyReportsCleanup:
+  # -- Create a helm post-upgrade hook to cleanup the old policy reports.
+  enabled: true
+
+  image:
+    # -- (string) Image registry
+    registry: ~
+    # -- Image repository
+    repository: bitnami/kubectl
+    # -- Image tag
+    # Defaults to `latest` if omitted
+    tag: '1.28.4'
+    # -- (string) Image pull policy
+    # Defaults to image.pullPolicy if omitted
+    pullPolicy: ~
+
+  # -- Security context for the pod
+  podSecurityContext: {}
+
+  # -- Security context for the hook containers
+  securityContext:
+    runAsUser: 65534
+    runAsGroup: 65534
+    runAsNonRoot: true
+    privileged: false
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
+    seccompProfile:
+      type: RuntimeDefault
+
+
 grafana:
   # -- Enable grafana dashboard creation.
   enabled: false