Initial changes for 1.11 helm chart changes
Signed-off-by: anushkamittal2001 <[email protected]>
anushkamittal2001 committed Jan 11, 2024
1 parent 5b8c630 commit 24147a9
Showing 23 changed files with 457 additions and 14 deletions.
41 changes: 37 additions & 4 deletions charts/nirmata/Chart.yaml
@@ -1,23 +1,30 @@
apiVersion: v2
type: application
name: kyverno
version: 3.0.15
appVersion: v1.10.6-n4k.nirmata.3
version: 3.1.0
appVersion: v1.11.0-n4k.nirmata.1
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Native Policy Management
keywords:
- kubernetes
- nirmata
- policy agent
- policy
- validating webhook
- admissions controller
- admission controller
- mutation
- mutate
- validate
- generate
- supply chain
- security
home: https://kyverno.io/
sources:
- https://github.com/nirmata/kyverno
maintainers:
- name: Nirmata
url: https://nirmata.com/
kubeVersion: ">=1.16.0-0"
kubeVersion: ">=1.25.0-0"
annotations:
artifacthub.io/operator: "false"
artifacthub.io/prerelease: "false"
Expand All @@ -26,10 +33,28 @@ annotations:
url: https://kyverno.io/docs
# valid kinds are: added, changed, deprecated, removed, fixed and security
artifacthub.io/changes: |
- kind: added
description: support for GrafanaDashboard custom resource
- kind: changed
description: only create ServiceMonitor if cluster supports it
- kind: fixed
description: rbac templating issues
- kind: added
description: make sigstore volume configurable
- kind: changed
description: no deployments can run with 0 replicas
- kind: changed
description: change dashboard title of kyverno grafana dashboard
- kind: added
description: view aggregated cluster role support
- kind: added
description: support for webhook annotations in config map
- kind: added
description: allow overriding PDB api version
- kind: fixed
description: missing image pull secrets in helm hooks
- kind: added
description: support `excludeRoles` and `excludeClusterRoles` in config
- kind: added
description: define resources for cleanupJobs
- kind: changed
Expand All @@ -44,3 +69,11 @@ annotations:
description: allow affinity settings for cleanup jobs
- kind: added
description: Add helper to handle the labels for cleanup jobs, add component label
- kind: added
description: allow podSecurityContext and securityContext for webhooksCleanup
- kind: added
description: match conditions support in webhooks
- kind: fixed
description: missing image pull policy missing in a couple of deployments
- kind: added
description: added TUF flags for custom sigstore deployments
4 changes: 2 additions & 2 deletions charts/nirmata/README.md
Expand Up @@ -2,7 +2,7 @@

Kubernetes Native Policy Management

![Version: 3.0.5-rc2](https://img.shields.io/badge/Version-3.0.5--rc2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.10.4-n4k.nirmata.1](https://img.shields.io/badge/AppVersion-v1.10.4--n4k.nirmata.1-informational?style=flat-square)
![Version: 3.1.0](https://img.shields.io/badge/Version-3.0.5--rc2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.0-n4k.nirmata.1](https://img.shields.io/badge/AppVersion-v1.10.4--n4k.nirmata.1-informational?style=flat-square)

## About

Expand Down Expand Up @@ -837,7 +837,7 @@ Please see https://kyverno.io/docs/installation/#security-vs-operability for mor

## Requirements

Kubernetes: `>=1.16.0-0`
Kubernetes: `>=1.25.0-0`

## Maintainers

Expand Up @@ -22,6 +22,10 @@ rules:
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
{{- if .Values.features.generateValidatingAdmissionPolicy.enabled }}
- validatingadmissionpolicies
- validatingadmissionpolicybindings
{{- end }}
verbs:
- create
- delete
Expand All @@ -39,8 +43,8 @@ rules:
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
- watch
- apiGroups:
- kyverno.io
resources:
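Review bot: The two resources added under the `generateValidatingAdmissionPolicy` gate inherit every verb of the webhook-configuration rule (`create` and `delete` are visible; the rest of the verb list runs past the hunk), so enabling the feature gives the admission controller write access to cluster-scoped ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding objects. That is presumably what generating and reconciling those objects needs, but it is worth confirming the full verb set is required for them rather than a subset, and recording the reason next to the gate, e.g. `# VAP/VAPB objects are generated by the controller; write verbs are granted only when the feature is enabled`. The rule's `apiGroups` entry and the file header are outside what the page shows, so this is read as the admission-controller ClusterRole template.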
4 changes: 4 additions & 0 deletions charts/nirmata/templates/admission-controller/deployment.yaml
Expand Up @@ -98,6 +98,8 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
env:
- name: KYVERNO_SERVICEACCOUNT_NAME
value: {{ template "kyverno.admission-controller.serviceAccountName" . }}
- name: INIT_CONFIG
value: {{ template "kyverno.config.configMapName" . }}
- name: METRICS_CONFIG
Expand Down Expand Up @@ -202,11 +204,13 @@ spec:
"deferredLoading"
"dumpPayload"
"forceFailurePolicyIgnore"
"generateValidatingAdmissionPolicy"
"logging"
"omitEvents"
"policyExceptions"
"protectManagedResources"
"registryClient"
"tuf"
) | nindent 12 }}
{{- range $key, $value := .Values.admissionController.container.extraArgs }}
{{- if $value }}
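Review bot: The new `KYVERNO_SERVICEACCOUNT_NAME` entry renders its value as an unquoted templated scalar, `value: {{ template "kyverno.admission-controller.serviceAccountName" . }}`, which matches the neighbouring `INIT_CONFIG` line but leaves YAML typing to whatever the helper expands to; `value` on an env entry must be a string, so `value: {{ include "kyverno.admission-controller.serviceAccountName" . | quote }}` is the form that cannot be retyped by the YAML parser. The second hunk only extends the feature-flag list with `generateValidatingAdmissionPolicy` and `tuf`; the values keys those flags read are not shown on this page.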
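--- a/charts/nirmata/templates/admission-controller/flowschema.yaml
+++ b/charts/nirmata/templates/admission-controller/flowschema.yaml
@@ -0,0 +1,195 @@
+{{- if .Values.admissionController.apiPriorityAndFairness }}
+apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
+kind: FlowSchema
+metadata:
+name: {{ template "kyverno.admission-controller.name" . }}
+labels:
+{{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+spec:
+priorityLevelConfiguration:
+name: {{ template "kyverno.admission-controller.name" . }}
+rules:
+- resourceRules:
+- apiGroups:
+- admissionregistration.k8s.io
+clusterScope: true
+resources:
+- mutatingwebhookconfigurations
+- validatingwebhookconfigurations
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- deletecollection
+- apiGroups:
+- rbac.authorization.k8s.io
+clusterScope: true
+resources:
+- clusterroles
+- clusterrolebindings
+verbs:
+- watch
+- list
+- apiGroups:
+- rbac.authorization.k8s.io
+namespaces:
+- '*'
+resources:
+- roles
+- rolebindings
+verbs:
+- watch
+- list
+- apiGroups:
+- kyverno.io
+clusterScope: true
+resources:
+- clusterpolicies
+- clusterpolicies/status
+- clusteradmissionreports
+- clusterbackgroundscanreports
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- deletecollection
+- apiGroups:
+- kyverno.io
+namespaces:
+- '*'
+resources:
+- policies
+- policies/status
+- updaterequests
+- updaterequests/status
+- admissionreports
+- backgroundscanreports
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- deletecollection
+- apiGroups:
+- wgpolicyk8s.io
+clusterScope: true
+resources:
+- clusterpolicyreports
+- clusterpolicyreports/status
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- deletecollection
+- apiGroups:
+- wgpolicyk8s.io
+namespaces:
+- '*'
+resources:
+- policyreports
+- policyreports/status
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- deletecollection
+- apiGroups:
+- ""
+- events.k8s.io
+namespaces:
+- '*'
+resources:
+- events
+verbs:
+- create
+- update
+- patch
+- apiGroups:
+- authorization.k8s.io
+clusterScope: true
+resources:
+- subjectaccessreviews
+verbs:
+- create
+- apiGroups:
+- '*'
+namespaces:
+- '*'
+resources:
+- '*'
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- ''
+namespaces:
+- {{ template "kyverno.namespace" . }}
+resources:
+- secrets
+verbs:
+- get
+- list
+- watch
+- create
+- update
+- apiGroups:
+- ''
+namespaces:
+- {{ template "kyverno.namespace" . }}
+resources:
+- configmaps
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- coordination.k8s.io
+namespaces:
+- {{ template "kyverno.namespace" . }}
+resources:
+- leases
+verbs:
+- create
+- delete
+- get
+- patch
+- update
+- apiGroups:
+- apps
+namespaces:
+- {{ template "kyverno.namespace" . }}
+resources:
+- deployments
+- deployments/scale
+verbs:
+- get
+- list
+- watch
+- patch
+- update
+subjects:
+- kind: ServiceAccount
+serviceAccount:
+name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+namespace: {{ template "kyverno.namespace" . }}
+{{- end }}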
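Review bot: The schema binds to `priorityLevelConfiguration.name: {{ template "kyverno.admission-controller.name" . }}`, but no PriorityLevelConfiguration with that name appears in the visible part of this commit; if it is not created alongside, the API server marks the FlowSchema `Dangling` and it routes nothing, so that object (or an existing level it is meant to reuse) should be confirmed before merge. `matchingPrecedence` is left unset and so takes the API default of 1000; since the point of the schema is to separate the admission controller's requests from the generic service-account flow, setting it explicitly with a comment naming what it is meant to outrank makes the intent reviewable. The core API group is written both as `""` (events rule) and `''` (secrets and configmaps rules); pick one form for the file.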
@@ -1,4 +1,4 @@
{{- if (gt (int .Values.admissionController.replicas) 1) -}}
{{- if or .Values.admissionController.podDisruptionBudget.enabled (gt (int .Values.admissionController.replicas) 1) -}}
apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
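Review bot: The widened condition now creates the PodDisruptionBudget for a single-replica deployment whenever `podDisruptionBudget.enabled` is set; if the spec below (outside the hunk) uses a `minAvailable` of 1 or more, that budget blocks every voluntary eviction of the only pod and node drains stall. If that opt-in is intended, say so where the value is documented or with a comment above the gate, e.g. `# enabled=true with replicas=1 will block drains of the single pod`; otherwise keep the replica check as a required `and` condition. The file header is not shown on the page, so this is read as the admission-controller PDB template from the `.Values.admissionController` prefix.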
Expand Up @@ -19,6 +19,7 @@
{{- end -}}

{{- define "kyverno.background-controller.image" -}}
{{- $imageRegistry := default .image.registry .globalRegistry -}}
{{- if .image.registry -}}
{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- else -}}
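Review bot: `$imageRegistry` is assigned on the new line, but the `if` and the rendered image reference on the next two lines still read `.image.registry`, so within the visible part of this define the global registry has no effect; the define continues past the hunk, and even if the variable is used further down, the branch above still bypasses it. If the override is meant to apply here, the two lines become `{{- if $imageRegistry -}}` and `{{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}`. Note also that `default .image.registry .globalRegistry` makes the global value win over the per-image one when both are set; if the per-image setting is meant to take precedence, the arguments need swapping to `default .globalRegistry .image.registry`.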
21 changes: 20 additions & 1 deletion charts/nirmata/templates/background-controller/clusterrole.yaml
Expand Up @@ -29,6 +29,9 @@ rules:
- apiGroups:
- kyverno.io
resources:
- policies
- clusterpolicies
- policyexceptions
- updaterequests
- updaterequests/status
verbs:
Expand All @@ -40,15 +43,31 @@ rules:
- update
- watch
- deletecollection
- apiGroups:
- ''
resources:
- namespaces
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- get
- list
- patch
- update
- watch
{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.backgroundController.rbac.clusterRole.extraResources }}
- apiGroups:
- networking.k8s.io
resources:
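Review bot: The new core-group rule grants `get`/`list`/`watch` on every ConfigMap and Namespace in the cluster, and the added `.Values.backgroundController.rbac.coreClusterRole.extraResources` lookup has no default, so rendering is likely to fail with a nil-pointer error unless `coreClusterRole` is declared in values.yaml (not visible in this commit). Cluster-wide ConfigMap read is plausibly needed for policy context lookups, but that should be stated above the rule, e.g. `# ConfigMaps are read cluster-wide because policy context variables may reference them in any namespace -- confirm`, so the widened scope is deliberate rather than silent. The events rule also picks up `get`, `list` and `watch`; if the controller only emits events, those verbs can be dropped to keep the role minimal.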