diff --git a/charts/nirmata/Chart.yaml b/charts/nirmata/Chart.yaml index 3553ea75..e5f8f3c4 100644 --- a/charts/nirmata/Chart.yaml +++ b/charts/nirmata/Chart.yaml @@ -1,23 +1,30 @@ apiVersion: v2 type: application name: kyverno -version: 3.0.15 -appVersion: v1.10.6-n4k.nirmata.3 +version: 3.1.0 +appVersion: v1.11.0-n4k.nirmata.1 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: - kubernetes - nirmata - policy agent + - policy - validating webhook - - admissions controller + - admission controller + - mutation + - mutate + - validate + - generate + - supply chain + - security home: https://kyverno.io/ sources: - https://github.com/nirmata/kyverno maintainers: - name: Nirmata url: https://nirmata.com/ -kubeVersion: ">=1.16.0-0" +kubeVersion: ">=1.25.0-0" annotations: artifacthub.io/operator: "false" artifacthub.io/prerelease: "false" @@ -26,10 +33,28 @@ annotations: url: https://kyverno.io/docs # valid kinds are: added, changed, deprecated, removed, fixed and security artifacthub.io/changes: | + - kind: added + description: support for GrafanaDashboard custom resource - kind: changed description: only create ServiceMonitor if cluster supports it - kind: fixed description: rbac templating issues + - kind: added + description: make sigstore volume configurable + - kind: changed + description: no deployments can run with 0 replicas + - kind: changed + description: change dashboard title of kyverno grafana dashboard + - kind: added + description: view aggregated cluster role support + - kind: added + description: support for webhook annotations in config map + - kind: added + description: allow overriding PDB api version + - kind: fixed + description: missing image pull secrets in helm hooks + - kind: added + description: support `excludeRoles` and `excludeClusterRoles` in config - kind: added description: define resources for cleanupJobs - kind: changed 
@@ -44,3 +69,11 @@ annotations: description: allow affinity settings for cleanup jobs - kind: added description: Add helper to handle the labels for cleanup jobs, add component label + - kind: added + description: allow podSecurityContext and securityContext for webhooksCleanup + - kind: added + description: match conditions support in webhooks + - kind: fixed + description: missing image pull policy missing in a couple of deployments + - kind: added + description: added TUF flags for custom sigstore deployments diff --git a/charts/nirmata/README.md b/charts/nirmata/README.md index 8b2fe610..07a51ae0 100644 --- a/charts/nirmata/README.md +++ b/charts/nirmata/README.md @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -![Version: 3.0.5-rc2](https://img.shields.io/badge/Version-3.0.5--rc2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.10.4-n4k.nirmata.1](https://img.shields.io/badge/AppVersion-v1.10.4--n4k.nirmata.1-informational?style=flat-square) +![Version: 3.1.0](https://img.shields.io/badge/Version-3.0.5--rc2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.0-n4k.nirmata.1](https://img.shields.io/badge/AppVersion-v1.10.4--n4k.nirmata.1-informational?style=flat-square) ## About @@ -837,7 +837,7 @@ Please see https://kyverno.io/docs/installation/#security-vs-operability for mor ## Requirements -Kubernetes: `>=1.16.0-0` +Kubernetes: `>=1.25.0-0` ## Maintainers diff --git a/charts/nirmata/templates/admission-controller/clusterrole.yaml b/charts/nirmata/templates/admission-controller/clusterrole.yaml index 937eb230..75e8862c 100644 --- a/charts/nirmata/templates/admission-controller/clusterrole.yaml +++ b/charts/nirmata/templates/admission-controller/clusterrole.yaml 
@@ -22,6 +22,10 @@ rules: resources: - mutatingwebhookconfigurations - validatingwebhookconfigurations + {{- if .Values.features.generateValidatingAdmissionPolicy.enabled }} + - validatingadmissionpolicies + - validatingadmissionpolicybindings + {{- end }} verbs: - create - delete @@ -39,8 +43,8 @@ rules: - rolebindings - clusterrolebindings verbs: - - watch - list + - watch - apiGroups: - kyverno.io resources: diff --git a/charts/nirmata/templates/admission-controller/deployment.yaml b/charts/nirmata/templates/admission-controller/deployment.yaml index a14e37b8..2668819e 100644 --- a/charts/nirmata/templates/admission-controller/deployment.yaml +++ b/charts/nirmata/templates/admission-controller/deployment.yaml @@ -98,6 +98,8 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.admission-controller.serviceAccountName" . }} - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG @@ -202,11 +204,13 @@ spec: "deferredLoading" "dumpPayload" "forceFailurePolicyIgnore" + "generateValidatingAdmissionPolicy" "logging" "omitEvents" "policyExceptions" "protectManagedResources" "registryClient" + "tuf" ) | nindent 12 }} {{- range $key, $value := .Values.admissionController.container.extraArgs }} {{- if $value }} diff --git a/charts/nirmata/templates/admission-controller/flowschema.yaml b/charts/nirmata/templates/admission-controller/flowschema.yaml new file mode 100644 index 00000000..e1a9e4e1 --- /dev/null +++ b/charts/nirmata/templates/admission-controller/flowschema.yaml 
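Review bot: The new `KYVERNO_SERVICEACCOUNT_NAME` entry in the `env:` hunk renders its value unquoted, so a service account name that looks like a boolean or a number would reach the Deployment as a non-string and be rejected. The name is presumably resolved from chart values, so the type is not guaranteed. Switching to `include` allows quoting: `value: {{ include "kyverno.admission-controller.serviceAccountName" . | quote }}`. The neighbouring `INIT_CONFIG` entry has the same shape, and the background-controller and reports-controller deployment hunks add unquoted `KYVERNO_SERVICEACCOUNT_NAME` and `KYVERNO_DEPLOYMENT` values in the same way.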
@@ -0,0 +1,195 @@ +{{- if .Values.admissionController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: FlowSchema +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + priorityLevelConfiguration: + name: {{ template "kyverno.admission-controller.name" . }} + rules: + - resourceRules: + - apiGroups: + - admissionregistration.k8s.io + clusterScope: true + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + clusterScope: true + resources: + - clusterroles + - clusterrolebindings + verbs: + - watch + - list + - apiGroups: + - rbac.authorization.k8s.io + namespaces: + - '*' + resources: + - roles + - rolebindings + verbs: + - watch + - list + - apiGroups: + - kyverno.io + clusterScope: true + resources: + - clusterpolicies + - clusterpolicies/status + - clusteradmissionreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - kyverno.io + namespaces: + - '*' + resources: + - policies + - policies/status + - updaterequests + - updaterequests/status + - admissionreports + - backgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + clusterScope: true + resources: + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + namespaces: + - '*' + resources: + - policyreports + - policyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - "" + - 
events.k8s.io + namespaces: + - '*' + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + clusterScope: true + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + namespaces: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + - apiGroups: + - apps + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - deployments + - deployments/scale + verbs: + - get + - list + - watch + - patch + - update + subjects: + - kind: ServiceAccount + serviceAccount: + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end }} diff --git a/charts/nirmata/templates/admission-controller/poddisruptionbudget.yaml b/charts/nirmata/templates/admission-controller/poddisruptionbudget.yaml index c9ef079d..d1bfbeba 100644 --- a/charts/nirmata/templates/admission-controller/poddisruptionbudget.yaml +++ b/charts/nirmata/templates/admission-controller/poddisruptionbudget.yaml @@ -1,4 +1,4 @@ -{{- if (gt (int .Values.admissionController.replicas) 1) -}} +{{- if or .Values.admissionController.podDisruptionBudget.enabled (gt (int .Values.admissionController.replicas) 1) -}} apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: diff --git a/charts/nirmata/templates/background-controller/_helpers.tpl b/charts/nirmata/templates/background-controller/_helpers.tpl index fe34496c..fc914a26 100644 
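Review bot: `spec.priorityLevelConfiguration.name` points at an object named by `kyverno.admission-controller.name`, but this diff adds a PriorityLevelConfiguration template only for the reports controller. If no admission-controller counterpart exists elsewhere in the chart, enabling `admissionController.apiPriorityAndFairness` creates a FlowSchema that references a missing priority level, which the API server marks as dangling instead of applying the intended priority. Either add the matching template next to this file or state, in a comment at the top of the template, which object is expected to exist. The `kyverno.flowcontrol.apiVersion` helper is not defined in any visible hunk either, so confirm it ships with this change.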
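Review bot: `.Values.admissionController.podDisruptionBudget.enabled` dereferences a parent key that a supplied or reused values file may not contain, and Helm aborts rendering with a nil-pointer error if `podDisruptionBudget` is absent. The same commit already uses the nil-safe form for `((.Values.global).image).registry`; here that would be `{{- if or (.Values.admissionController.podDisruptionBudget).enabled (gt (int .Values.admissionController.replicas) 1) -}}`. The same condition is added in the background-, cleanup- and reports-controller poddisruptionbudget.yaml hunks.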
--- a/charts/nirmata/templates/background-controller/_helpers.tpl +++ b/charts/nirmata/templates/background-controller/_helpers.tpl @@ -19,6 +19,7 @@ {{- end -}} {{- define "kyverno.background-controller.image" -}} +{{- $imageRegistry := default .image.registry .globalRegistry -}} {{- if .image.registry -}} {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- else -}} diff --git a/charts/nirmata/templates/background-controller/clusterrole.yaml b/charts/nirmata/templates/background-controller/clusterrole.yaml index a8726536..63a71a23 100644 --- a/charts/nirmata/templates/background-controller/clusterrole.yaml +++ b/charts/nirmata/templates/background-controller/clusterrole.yaml @@ -29,6 +29,9 @@ rules: - apiGroups: - kyverno.io resources: + - policies + - clusterpolicies + - policyexceptions - updaterequests - updaterequests/status verbs: @@ -40,6 +43,15 @@ rules: - update - watch - deletecollection + - apiGroups: + - '' + resources: + - namespaces + - configmaps + verbs: + - get + - list + - watch - apiGroups: - '' - events.k8s.io @@ -47,8 +59,15 @@ rules: - events verbs: - create - - update + - get + - list - patch + - update + - watch +{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.backgroundController.rbac.clusterRole.extraResources }} - apiGroups: - networking.k8s.io resources: diff --git a/charts/nirmata/templates/background-controller/deployment.yaml b/charts/nirmata/templates/background-controller/deployment.yaml index c8adfb5a..bb80f5f4 100644 --- a/charts/nirmata/templates/background-controller/deployment.yaml +++ b/charts/nirmata/templates/background-controller/deployment.yaml 
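Review bot: `$imageRegistry` is assigned but never used: the unchanged lines below it still test and print `.image.registry`, so the `globalRegistry` value that the background- and reports-controller deployments now pass in has no effect on the rendered image reference. A cluster that sets a global registry to force pulls through an internal mirror would still resolve these images from the per-image registry. Use the variable in both places, `{{- if $imageRegistry -}}` and `{{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}`. The `define` body continues past the hunk, and the cleanup-controller and reports-controller `_helpers.tpl` hunks add the same unused assignment.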
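Review bot: Adding `policies`, `clusterpolicies` and `policyexceptions` to this `kyverno.io` rule gives the background controller every verb the rule carries; the tail of that list, visible as context in the next hunk, includes `update` and `deletecollection`. Write access to policies and policy exceptions lets that service account weaken admission enforcement, so confirm the controller needs more than read access. If it only watches these resources, they belong in a separate read-only rule such as the one below. The start of the verbs list is outside the hunk.

```yaml
  # … unchanged: kyverno.io rule for updaterequests and updaterequests/status …
  - apiGroups:
      - kyverno.io
    resources:
      - policies
      - clusterpolicies
      - policyexceptions
    verbs:
      - get
      - list
      - watch
```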
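Review bot: The last added line opens `{{- with .Values.backgroundController.rbac.clusterRole.extraResources }}` in front of the existing `networking.k8s.io` rule, and none of the three hunks shown for this file adds a matching `{{- end }}`. Unless a spare close already exists outside the hunks, the template will not parse; if one does, the rules inside the block now render only when `extraResources` is set. Confirm which is intended and add a comment above the `with` stating what it wraps. The preceding `coreClusterRole.extraResources` block is emitted verbatim with `toYaml`, so anything supplied there becomes a cluster-wide grant, which deserves a comment as well.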
@@ -76,7 +76,8 @@ spec: serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }} containers: - name: controller - image: {{ include "kyverno.background-controller.image" (dict "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} + image: {{ include "kyverno.background-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.backgroundController.image.pullPolicy }} ports: - containerPort: 9443 name: https @@ -120,6 +121,10 @@ spec: {{- end }} {{- end }} env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.background-controller.serviceAccountName" . }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.background-controller.name" . }} - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG diff --git a/charts/nirmata/templates/background-controller/poddisruptionbudget.yaml b/charts/nirmata/templates/background-controller/poddisruptionbudget.yaml index 7808aed3..201f7cbb 100644 --- a/charts/nirmata/templates/background-controller/poddisruptionbudget.yaml +++ b/charts/nirmata/templates/background-controller/poddisruptionbudget.yaml @@ -1,5 +1,5 @@ {{- if .Values.backgroundController.enabled -}} -{{- if (gt (int .Values.backgroundController.replicas) 1) -}} +{{- if or .Values.backgroundController.podDisruptionBudget.enabled (gt (int .Values.backgroundController.replicas) 1) -}} apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: diff --git a/charts/nirmata/templates/background-controller/role.yaml b/charts/nirmata/templates/background-controller/role.yaml index 9f8a8871..e4074c64 100644 --- a/charts/nirmata/templates/background-controller/role.yaml +++ b/charts/nirmata/templates/background-controller/role.yaml 
@@ -29,5 +29,15 @@ rules: - get - patch - update + resourceNames: + - kyverno-background-controller + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch {{- end -}} {{- end -}} diff --git a/charts/nirmata/templates/cleanup-controller/_helpers.tpl b/charts/nirmata/templates/cleanup-controller/_helpers.tpl index c97ccdd3..779300a0 100644 --- a/charts/nirmata/templates/cleanup-controller/_helpers.tpl +++ b/charts/nirmata/templates/cleanup-controller/_helpers.tpl @@ -19,6 +19,7 @@ {{- end -}} {{- define "kyverno.cleanup-controller.image" -}} +{{- $imageRegistry := default .image.registry .globalRegistry -}} {{- if .image.registry -}} {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- else -}} diff --git a/charts/nirmata/templates/cleanup-controller/deployment.yaml b/charts/nirmata/templates/cleanup-controller/deployment.yaml index 1f2594ce..8b99afbb 100644 --- a/charts/nirmata/templates/cleanup-controller/deployment.yaml +++ b/charts/nirmata/templates/cleanup-controller/deployment.yaml @@ -117,6 +117,8 @@ spec: {{- end }} {{- end }} env: + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.cleanup-controller.name" . }} - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG diff --git a/charts/nirmata/templates/cleanup-controller/poddisruptionbudget.yaml b/charts/nirmata/templates/cleanup-controller/poddisruptionbudget.yaml index 4cf02be1..b640ad30 100644 --- a/charts/nirmata/templates/cleanup-controller/poddisruptionbudget.yaml +++ b/charts/nirmata/templates/cleanup-controller/poddisruptionbudget.yaml 
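Review bot: The added `secrets` rule has no `resourceNames`, so the background controller's service account can read every secret in the Role's namespace. That presumably includes the `svc.kyverno-tls-pair` secrets named in the cleanup-controller role of this commit. If the controller reads a fixed set of secrets, list them under `resourceNames` as that role does; otherwise add a comment naming what it needs to read. Separately, `resourceNames` is attached to the lease rule here without the `create` split that the cleanup- and reports-controller roles get in this commit. The head of that rule is outside the hunk, so check that `create` is not in its verbs list, because a name-restricted rule does not authorize creation.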
@@ -1,5 +1,5 @@ {{- if .Values.cleanupController.enabled -}} -{{- if (gt (int .Values.cleanupController.replicas) 1) -}} +{{- if or .Values.cleanupController.podDisruptionBudget.enabled (gt (int .Values.cleanupController.replicas) 1) -}} apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: diff --git a/charts/nirmata/templates/cleanup-controller/role.yaml b/charts/nirmata/templates/cleanup-controller/role.yaml index 15904287..70637aec 100644 --- a/charts/nirmata/templates/cleanup-controller/role.yaml +++ b/charts/nirmata/templates/cleanup-controller/role.yaml @@ -19,6 +19,9 @@ rules: - list - update - watch + resourceNames: + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair - apiGroups: - '' resources: @@ -36,9 +39,16 @@ rules: - leases verbs: - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: - delete - get - patch - update + resourceNames: + - kyverno-cleanup-controller {{- end -}} {{- end -}} diff --git a/charts/nirmata/templates/config/configmap.yaml b/charts/nirmata/templates/config/configmap.yaml index 2304c126..7a037061 100644 --- a/charts/nirmata/templates/config/configmap.yaml +++ b/charts/nirmata/templates/config/configmap.yaml @@ -42,4 +42,7 @@ data: {{- with .Values.config.webhookAnnotations }} webhookAnnotations: {{ toJson . | quote }} {{- end }} + {{- with .Values.config.matchConditions }} + matchConditions: {{ toJson . | quote }} + {{- end }} {{- end -}} diff --git a/charts/nirmata/templates/config/metricsconfigmap.yaml b/charts/nirmata/templates/config/metricsconfigmap.yaml index dc514890..e5f32f6c 100644 --- a/charts/nirmata/templates/config/metricsconfigmap.yaml +++ b/charts/nirmata/templates/config/metricsconfigmap.yaml 
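Review bot: `resourceNames` is added to a secrets rule whose visible verbs include `list` and `watch`, and RBAC only matches those verbs against a name-restricted rule when the client sends a `metadata.name` field selector. An informer that lists all secrets in the namespace would therefore be denied. The head of the verbs list is outside the hunk; if it still contains `create`, that verb is never authorized by a name-restricted rule either, which is why the leases hunk below splits `create` into its own rule. Confirm how the controller queries these secrets, and split `create` out here as well if it is present.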
@@ -17,4 +17,10 @@ data: {{- with .Values.metricsConfig.metricsRefreshInterval }} metricsRefreshInterval: {{ . }} {{- end }} + {{- with .Values.metricsConfig.metricsExposure }} + metricsExposure: {{ toJson . | quote }} + {{- end }} + {{- with .Values.metricsConfig.bucketBoundaries }} + bucketBoundaries: {{ join ", " . | quote }} + {{- end }} {{- end -}} diff --git a/charts/nirmata/templates/reports-controller/_helpers.tpl b/charts/nirmata/templates/reports-controller/_helpers.tpl index b09f5610..c343f51a 100644 --- a/charts/nirmata/templates/reports-controller/_helpers.tpl +++ b/charts/nirmata/templates/reports-controller/_helpers.tpl @@ -19,6 +19,7 @@ {{- end -}} {{- define "kyverno.reports-controller.image" -}} +{{- $imageRegistry := default .image.registry .globalRegistry -}} {{- if .image.registry -}} {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- else -}} diff --git a/charts/nirmata/templates/reports-controller/deployment.yaml b/charts/nirmata/templates/reports-controller/deployment.yaml index 012e3fa7..cdaa8c0d 100644 --- a/charts/nirmata/templates/reports-controller/deployment.yaml +++ b/charts/nirmata/templates/reports-controller/deployment.yaml @@ -76,7 +76,8 @@ spec: serviceAccountName: {{ template "kyverno.reports-controller.serviceAccountName" . }} containers: - name: controller - image: {{ include "kyverno.reports-controller.image" (dict "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }} + image: {{ include "kyverno.reports-controller.image" (dict "globalRegistry" ((.Values.global).image).registry "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.reportsController.image.pullPolicy }} ports: - containerPort: 9443 name: https 
@@ -109,7 +110,9 @@ spec: {{- end }} {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride) "admissionReports" + "aggregateReports" "policyReports" + "validatingAdmissionPolicyReports" "backgroundScan" "configMapCaching" "deferredLoading" @@ -118,6 +121,7 @@ spec: "policyExceptions" "reports" "registryClient" + "tuf" ) | nindent 12 }} {{- range $key, $value := .Values.reportsController.extraArgs }} {{- if $value }} @@ -125,6 +129,10 @@ spec: {{- end }} {{- end }} env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.reports-controller.serviceAccountName" . }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.reports-controller.name" . }} - name: INIT_CONFIG value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG diff --git a/charts/nirmata/templates/reports-controller/flowschema.yaml b/charts/nirmata/templates/reports-controller/flowschema.yaml new file mode 100644 index 00000000..fa2e9d19 --- /dev/null +++ b/charts/nirmata/templates/reports-controller/flowschema.yaml 
@@ -0,0 +1,122 @@ +{{- if .Values.reportsController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: FlowSchema +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +spec: + priorityLevelConfiguration: + name: {{ template "kyverno.reports-controller.name" . }} + rules: + - resourceRules: + - apiGroups: + - '*' + namespaces: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + clusterScope: true + resources: + - clusteradmissionreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - kyverno.io + namespaces: + - '*' + resources: + - admissionreports + - backgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + clusterScope: true + resources: + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + namespaces: + - '*' + resources: + - policyreports + - policyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + namespaces: + - '*' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + subjects: + - kind: ServiceAccount + serviceAccount: + name: {{ template "kyverno.reports-controller.serviceAccountName" . 
}} + namespace: {{ template "kyverno.namespace" . }} +{{- end }} diff --git a/charts/nirmata/templates/reports-controller/poddisruptionbudget.yaml b/charts/nirmata/templates/reports-controller/poddisruptionbudget.yaml index b1fdc7a5..de6b6248 100644 --- a/charts/nirmata/templates/reports-controller/poddisruptionbudget.yaml +++ b/charts/nirmata/templates/reports-controller/poddisruptionbudget.yaml @@ -1,5 +1,5 @@ {{- if .Values.reportsController.enabled -}} -{{- if (gt (int .Values.reportsController.replicas) 1) -}} +{{- if or .Values.reportsController.podDisruptionBudget.enabled (gt (int .Values.reportsController.replicas) 1) -}} apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: diff --git a/charts/nirmata/templates/reports-controller/prioritylevelconfiguration.yaml b/charts/nirmata/templates/reports-controller/prioritylevelconfiguration.yaml new file mode 100644 index 00000000..a5a475e4 --- /dev/null +++ b/charts/nirmata/templates/reports-controller/prioritylevelconfiguration.yaml @@ -0,0 +1,12 @@ +{{- if .Values.reportsController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: PriorityLevelConfiguration +metadata: + name: {{ template "kyverno.reports-controller.name" . }} + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +{{- with .Values.reportsController.priorityLevelConfigurationSpec }} +spec: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/charts/nirmata/templates/reports-controller/role.yaml b/charts/nirmata/templates/reports-controller/role.yaml index 266e5adb..5c1b5c07 100644 --- a/charts/nirmata/templates/reports-controller/role.yaml +++ b/charts/nirmata/templates/reports-controller/role.yaml @@ -25,9 +25,16 @@ rules: - leases verbs: - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: - delete - get - patch - update + resourceNames: + - kyverno-reports-controller {{- end -}} {{- end -}}
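Review bot: In the new prioritylevelconfiguration.yaml, `spec:` is emitted only inside `with .Values.reportsController.priorityLevelConfigurationSpec`, so enabling `reportsController.apiPriorityAndFairness` without that value renders a PriorityLevelConfiguration with no spec. The API server should reject that object, failing the install after other resources have been rendered. Fail at render time instead with `{{- with (required "reportsController.priorityLevelConfigurationSpec is required when apiPriorityAndFairness is enabled" .Values.reportsController.priorityLevelConfigurationSpec) }}`. The value also passes through `tpl`, so template expressions inside it are evaluated against the chart's root context; a comment above the block should say that this is intended.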