nirmata · anushkamittal2001 · Jan 11, 2024
diff --git a/charts/nirmata/Chart.yaml b/charts/nirmata/Chart.yaml
@@ -1,23 +1,30 @@
 apiVersion: v2
 type: application
 name: kyverno
-version: 3.0.15
-appVersion: v1.10.6-n4k.nirmata.3
+version: 3.1.0
+appVersion: v1.11.0-n4k.nirmata.1
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management
 keywords:
   - kubernetes
   - nirmata
   - policy agent
+  - policy
   - validating webhook
-  - admissions controller
+  - admission controller
+  - mutation
+  - mutate
+  - validate
+  - generate
+  - supply chain
+  - security
 home: https://kyverno.io/
 sources:
   - https://github.com/nirmata/kyverno
 maintainers:
   - name: Nirmata
     url: https://nirmata.com/
-kubeVersion: ">=1.16.0-0"
+kubeVersion: ">=1.25.0-0"
 annotations:
   artifacthub.io/operator: "false"
   artifacthub.io/prerelease: "false"
@@ -26,10 +33,28 @@ annotations:
       url: https://kyverno.io/docs
   # valid kinds are: added, changed, deprecated, removed, fixed and security
   artifacthub.io/changes: |
+    - kind: added
+      description: support for GrafanaDashboard custom resource
     - kind: changed
       description: only create ServiceMonitor if cluster supports it
     - kind: fixed
       description: rbac templating issues
+    - kind: added
+      description: make sigstore volume configurable
+    - kind: changed
+      description: no deployments can run with 0 replicas
+    - kind: changed
+      description: change dashboard title of kyverno grafana dashboard
+    - kind: added
+      description: view aggregated cluster role support
+    - kind: added
+      description: support for webhook annotations in config map
+    - kind: added
+      description: allow overriding PDB api version
+    - kind: fixed
+      description: missing image pull secrets in helm hooks
+    - kind: added
+      description: support `excludeRoles` and `excludeClusterRoles` in config
     - kind: added
       description: define resources for cleanupJobs
     - kind: changed
@@ -44,3 +69,11 @@ annotations:
       description: allow affinity settings for cleanup jobs
     - kind: added
       description: Add helper to handle the labels for cleanup jobs, add component label
+    - kind: added
+      description: allow podSecurityContext and securityContext for webhooksCleanup
+    - kind: added
+      description: match conditions support in webhooks
+    - kind: fixed
+      description: missing image pull policy missing in a couple of deployments
+    - kind: added
+      description: added TUF flags for custom sigstore deployments
diff --git a/charts/nirmata/README.md b/charts/nirmata/README.md
@@ -2,7 +2,7 @@
 
 Kubernetes Native Policy Management
 
-![Version: 3.0.5-rc2](https://img.shields.io/badge/Version-3.0.5--rc2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.10.4-n4k.nirmata.1](https://img.shields.io/badge/AppVersion-v1.10.4--n4k.nirmata.1-informational?style=flat-square)
+![Version: 3.1.0](https://img.shields.io/badge/Version-3.0.5--rc2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.0-n4k.nirmata.1](https://img.shields.io/badge/AppVersion-v1.10.4--n4k.nirmata.1-informational?style=flat-square)
 
 ## About
 
@@ -837,7 +837,7 @@ Please see https://kyverno.io/docs/installation/#security-vs-operability for mor
 
 ## Requirements
 
-Kubernetes: `>=1.16.0-0`
+Kubernetes: `>=1.25.0-0`
 
 ## Maintainers
 

diff --git a/charts/nirmata/templates/admission-controller/clusterrole.yaml b/charts/nirmata/templates/admission-controller/clusterrole.yaml
@@ -22,6 +22,10 @@ rules:
     resources:
       - mutatingwebhookconfigurations
       - validatingwebhookconfigurations
+      {{- if .Values.features.generateValidatingAdmissionPolicy.enabled }}
+      - validatingadmissionpolicies
+      - validatingadmissionpolicybindings
+      {{- end }}
     verbs:
       - create
       - delete
@@ -39,8 +43,8 @@ rules:
       - rolebindings
       - clusterrolebindings
     verbs:
-      - watch
       - list
+      - watch
   - apiGroups:
       - kyverno.io
     resources:

diff --git a/charts/nirmata/templates/admission-controller/deployment.yaml b/charts/nirmata/templates/admission-controller/deployment.yaml
@@ -98,6 +98,8 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
+          - name: KYVERNO_SERVICEACCOUNT_NAME
+            value: {{ template "kyverno.admission-controller.serviceAccountName" . }}
           - name: INIT_CONFIG
             value: {{ template "kyverno.config.configMapName" . }}
           - name: METRICS_CONFIG
@@ -202,11 +204,13 @@ spec:
               "deferredLoading"
               "dumpPayload"
               "forceFailurePolicyIgnore"
+              "generateValidatingAdmissionPolicy"
               "logging"
               "omitEvents"
               "policyExceptions"
               "protectManagedResources"
               "registryClient"
+              "tuf"
             ) | nindent 12 }}
             {{- range $key, $value := .Values.admissionController.container.extraArgs }}
             {{- if $value }}

diff --git a/charts/nirmata/templates/admission-controller/flowschema.yaml b/charts/nirmata/templates/admission-controller/flowschema.yaml
@@ -0,0 +1,195 @@
+{{- if .Values.admissionController.apiPriorityAndFairness }}
+apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
+kind: FlowSchema
+metadata:
+  name: {{ template "kyverno.admission-controller.name" . }}
+  labels:
+    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+spec:
+  priorityLevelConfiguration:
+    name: {{ template "kyverno.admission-controller.name" . }}
+  rules:
+  - resourceRules:
+    - apiGroups:
+        - admissionregistration.k8s.io
+      clusterScope: true
+      resources:
+        - mutatingwebhookconfigurations
+        - validatingwebhookconfigurations
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+        - deletecollection
+    - apiGroups:
+        - rbac.authorization.k8s.io
+      clusterScope: true
+      resources:
+        - clusterroles
+        - clusterrolebindings
+      verbs:
+        - watch
+        - list
+    - apiGroups:
+        - rbac.authorization.k8s.io
+      namespaces:
+        - '*'
+      resources:
+        - roles
+        - rolebindings
+      verbs:
+        - watch
+        - list
+    - apiGroups:
+        - kyverno.io
+      clusterScope: true
+      resources:
+        - clusterpolicies
+        - clusterpolicies/status
+        - clusteradmissionreports
+        - clusterbackgroundscanreports
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+        - deletecollection
+    - apiGroups:
+        - kyverno.io
+      namespaces:
+        - '*'
+      resources:
+        - policies
+        - policies/status
+        - updaterequests
+        - updaterequests/status
+        - admissionreports
+        - backgroundscanreports
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+        - deletecollection
+    - apiGroups:
+        - wgpolicyk8s.io
+      clusterScope: true
+      resources:
+        - clusterpolicyreports
+        - clusterpolicyreports/status
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+        - deletecollection
+    - apiGroups:
+        - wgpolicyk8s.io
+      namespaces:
+        - '*'
+      resources:
+        - policyreports
+        - policyreports/status
+      verbs:
+        - create
+        - delete
+        - get
+        - list
+        - patch
+        - update
+        - watch
+        - deletecollection
+    - apiGroups:
+        - ""
+        - events.k8s.io
+      namespaces:
+        - '*'
+      resources:
+        - events
+      verbs:
+        - create
+        - update
+        - patch
+    - apiGroups:
+        - authorization.k8s.io
+      clusterScope: true
+      resources:
+        - subjectaccessreviews
+      verbs:
+        - create
+    - apiGroups:
+        - '*'
+      namespaces:
+        - '*'
+      resources:
+        - '*'
+      verbs:
+        - get
+        - list
+        - watch
+    - apiGroups:
+        - ''
+      namespaces:
+        - {{ template "kyverno.namespace" . }}
+      resources:
+        - secrets
+      verbs:
+        - get
+        - list
+        - watch
+        - create
+        - update
+    - apiGroups:
+        - ''
+      namespaces:
+        - {{ template "kyverno.namespace" . }}
+      resources:
+        - configmaps
+      verbs:
+        - get
+        - list
+        - watch
+    - apiGroups:
+        - coordination.k8s.io
+      namespaces:
+          - {{ template "kyverno.namespace" . }}
+      resources:
+        - leases
+      verbs:
+        - create
+        - delete
+        - get
+        - patch
+        - update
+    - apiGroups:
+        - apps
+      namespaces:
+          - {{ template "kyverno.namespace" . }}
+      resources:
+        - deployments
+        - deployments/scale
+      verbs:
+        - get
+        - list
+        - watch
+        - patch
+        - update
+    subjects:
+    - kind: ServiceAccount
+      serviceAccount:
+        name: {{ template "kyverno.admission-controller.serviceAccountName" . }}
+        namespace: {{ template "kyverno.namespace" . }}
+{{- end }}
diff --git a/charts/nirmata/templates/admission-controller/poddisruptionbudget.yaml b/charts/nirmata/templates/admission-controller/poddisruptionbudget.yaml
@@ -1,4 +1,4 @@
-{{- if (gt (int .Values.admissionController.replicas) 1) -}}
+{{- if or .Values.admissionController.podDisruptionBudget.enabled (gt (int .Values.admissionController.replicas) 1) -}}
 apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
 kind: PodDisruptionBudget
 metadata:

diff --git a/charts/nirmata/templates/background-controller/_helpers.tpl b/charts/nirmata/templates/background-controller/_helpers.tpl
@@ -19,6 +19,7 @@
 {{- end -}}
 
 {{- define "kyverno.background-controller.image" -}}
+{{- $imageRegistry := default .image.registry .globalRegistry -}}
 {{- if .image.registry -}}
   {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
 {{- else -}}

diff --git a/charts/nirmata/templates/background-controller/clusterrole.yaml b/charts/nirmata/templates/background-controller/clusterrole.yaml
@@ -29,6 +29,9 @@ rules:
   - apiGroups:
       - kyverno.io
     resources:
+      - policies
+      - clusterpolicies
+      - policyexceptions
       - updaterequests
       - updaterequests/status
     verbs:
@@ -40,15 +43,31 @@ rules:
       - update
       - watch
       - deletecollection
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - ''
       - events.k8s.io
     resources:
       - events
     verbs:
       - create
-      - update
+      - get
+      - list
       - patch
+      - update
+      - watch
+{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.backgroundController.rbac.clusterRole.extraResources }}
   - apiGroups:
       - networking.k8s.io
     resources: