205 lines
6.6 KiB
YAML
205 lines
6.6 KiB
YAML
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: admission-controller
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: 3.4.1
|
|
name: kyverno-admission-controller
|
|
namespace: kyverno
|
|
spec:
|
|
replicas: 2
|
|
revisionHistoryLimit: 10
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/component: admission-controller
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
strategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 40%
|
|
type: RollingUpdate
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: admission-controller
|
|
app.kubernetes.io/instance: kyverno
|
|
app.kubernetes.io/part-of: kyverno
|
|
app.kubernetes.io/version: 3.4.1
|
|
spec:
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app.kubernetes.io/component
|
|
operator: In
|
|
values:
|
|
- admission-controller
|
|
topologyKey: kubernetes.io/hostname
|
|
weight: 1
|
|
containers:
|
|
- args:
|
|
- --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
|
|
- --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
|
|
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
|
|
- --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller
|
|
- --servicePort=443
|
|
- --webhookServerPort=9443
|
|
- --resyncPeriod=15m
|
|
- --disableMetrics=false
|
|
- --otelConfig=prometheus
|
|
- --metricsPort=8000
|
|
- --admissionReports=true
|
|
- --maxAdmissionReports=1000
|
|
- --autoUpdateWebhooks=true
|
|
- --enableConfigMapCaching=true
|
|
- --enableDeferredLoading=true
|
|
- --dumpPayload=false
|
|
- --forceFailurePolicyIgnore=false
|
|
- --generateValidatingAdmissionPolicy=false
|
|
- --dumpPatches=false
|
|
- --maxAPICallResponseLength=2000000
|
|
- --loggingFormat=text
|
|
- --v=2
|
|
- --omitEvents=PolicyApplied,PolicySkipped
|
|
- --enablePolicyException=false
|
|
- --protectManagedResources=false
|
|
- --allowInsecureRegistry=false
|
|
- --registryCredentialHelpers=default,google,amazon,azure,github
|
|
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
|
|
env:
|
|
- name: INIT_CONFIG
|
|
value: kyverno
|
|
- name: METRICS_CONFIG
|
|
value: kyverno-metrics
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: KYVERNO_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: KYVERNO_SERVICEACCOUNT_NAME
|
|
value: kyverno-admission-controller
|
|
- name: KYVERNO_ROLE_NAME
|
|
value: kyverno:admission-controller
|
|
- name: KYVERNO_SVC
|
|
value: kyverno-svc
|
|
- name: TUF_ROOT
|
|
value: /.sigstore
|
|
- name: KYVERNO_DEPLOYMENT
|
|
value: kyverno-admission-controller
|
|
image: ghcr.io/kyverno/kyverno:v1.14.1
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
failureThreshold: 2
|
|
httpGet:
|
|
path: /health/liveness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 30
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
name: kyverno
|
|
ports:
|
|
- containerPort: 9443
|
|
name: https
|
|
protocol: TCP
|
|
- containerPort: 8000
|
|
name: metrics-port
|
|
protocol: TCP
|
|
readinessProbe:
|
|
failureThreshold: 6
|
|
httpGet:
|
|
path: /health/readiness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
successThreshold: 1
|
|
timeoutSeconds: 5
|
|
resources:
|
|
limits:
|
|
memory: 384Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
startupProbe:
|
|
failureThreshold: 20
|
|
httpGet:
|
|
path: /health/liveness
|
|
port: 9443
|
|
scheme: HTTPS
|
|
initialDelaySeconds: 2
|
|
periodSeconds: 6
|
|
volumeMounts:
|
|
- mountPath: /.sigstore
|
|
name: sigstore
|
|
dnsPolicy: ClusterFirst
|
|
initContainers:
|
|
- args:
|
|
- --loggingFormat=text
|
|
- --v=2
|
|
env:
|
|
- name: KYVERNO_SERVICEACCOUNT_NAME
|
|
value: kyverno-admission-controller
|
|
- name: KYVERNO_ROLE_NAME
|
|
value: kyverno:admission-controller
|
|
- name: INIT_CONFIG
|
|
value: kyverno
|
|
- name: METRICS_CONFIG
|
|
value: kyverno-metrics
|
|
- name: KYVERNO_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: KYVERNO_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: KYVERNO_DEPLOYMENT
|
|
value: kyverno-admission-controller
|
|
- name: KYVERNO_SVC
|
|
value: kyverno-svc
|
|
image: ghcr.io/kyverno/kyvernopre:v1.14.1
|
|
imagePullPolicy: IfNotPresent
|
|
name: kyverno-pre
|
|
resources:
|
|
limits:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
privileged: false
|
|
readOnlyRootFilesystem: true
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
serviceAccountName: kyverno-admission-controller
|
|
volumes:
|
|
- emptyDir: {}
|
|
name: sigstore
|