---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    app.kubernetes.io/version: 3.4.1
  name: kyverno-admission-controller
  namespace: kyverno
spec:
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: kyverno
      app.kubernetes.io/part-of: kyverno
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 40%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: kyverno
        app.kubernetes.io/part-of: kyverno
        app.kubernetes.io/version: 3.4.1
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app.kubernetes.io/component
                      operator: In
                      values:
                        - admission-controller
                topologyKey: kubernetes.io/hostname
              weight: 1
      containers:
        - args:
            - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
            - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
            - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
            - --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller
            - --servicePort=443
            - --webhookServerPort=9443
            - --resyncPeriod=15m
            - --disableMetrics=false
            - --otelConfig=prometheus
            - --metricsPort=8000
            - --admissionReports=true
            - --maxAdmissionReports=1000
            - --autoUpdateWebhooks=true
            - --enableConfigMapCaching=true
            - --enableDeferredLoading=true
            - --dumpPayload=false
            - --forceFailurePolicyIgnore=false
            - --generateValidatingAdmissionPolicy=false
            - --dumpPatches=false
            - --maxAPICallResponseLength=2000000
            - --loggingFormat=text
            - --v=2
            - --omitEvents=PolicyApplied,PolicySkipped
            - --enablePolicyException=false
            - --protectManagedResources=false
            - --allowInsecureRegistry=false
            - --registryCredentialHelpers=default,google,amazon,azure,github
            - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
          env:
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-admission-controller
            - name: KYVERNO_ROLE_NAME
              value: kyverno:admission-controller
            - name: KYVERNO_SVC
              value: kyverno-svc
            - name: TUF_ROOT
              value: /.sigstore
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-admission-controller
          image: ghcr.io/kyverno/kyverno:v1.14.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 2
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 15
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          name: kyverno
          ports:
            - containerPort: 9443
              name: https
              protocol: TCP
            - containerPort: 8000
              name: metrics-port
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health/readiness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          resources:
            limits:
              memory: 384Mi
            requests:
              cpu: 100m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          startupProbe:
            failureThreshold: 20
            httpGet:
              path: /health/liveness
              port: 9443
              scheme: HTTPS
            initialDelaySeconds: 2
            periodSeconds: 6
          volumeMounts:
            - mountPath: /.sigstore
              name: sigstore
      dnsPolicy: ClusterFirst
      initContainers:
        - args:
            - --loggingFormat=text
            - --v=2
          env:
            - name: KYVERNO_SERVICEACCOUNT_NAME
              value: kyverno-admission-controller
            - name: KYVERNO_ROLE_NAME
              value: kyverno:admission-controller
            - name: INIT_CONFIG
              value: kyverno
            - name: METRICS_CONFIG
              value: kyverno-metrics
            - name: KYVERNO_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KYVERNO_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KYVERNO_DEPLOYMENT
              value: kyverno-admission-controller
            - name: KYVERNO_SVC
              value: kyverno-svc
          image: ghcr.io/kyverno/kyvernopre:v1.14.1
          imagePullPolicy: IfNotPresent
          name: kyverno-pre
          resources:
            limits:
              cpu: 100m
              memory: 256Mi
            requests:
              cpu: 10m
              memory: 64Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      serviceAccountName: kyverno-admission-controller
      volumes:
        - emptyDir: {}
          name: sigstore