fix(kyverno): 3.0.6, admissionController stability

- hostNetwork - dnsPolicy - schedule on all tainted nodes - priorityClassName - apiPriorityAndFairness - exclude node objects
2026-01-27 18:18:26 +00:00 · 2023-11-07 18:37:20 +08:00
parent 0785f5afc3
commit 1b3b75b8fc
2 changed files with 41 additions and 14 deletions
--- a/kube/deploy/core/kyverno/app/hr.yaml
+++ b/kube/deploy/core/kyverno/app/hr.yaml
@@ -8,7 +8,7 @@ spec:
  chart:
    spec:
      chart: *app
-      version: "3.0.5"
+      version: "3.0.6"
      sourceRef:
        name: *app
        kind: HelmRepository
@@ -21,18 +21,18 @@ spec:
      ingress.home.arpa/host: "allow"
      ingress.home.arpa/apiserver: "allow"
      egress.home.arpa/apiserver: "allow"
-    backgroundController:
-      rbac:
-        clusterRole:
-          extraResources:
-            - apiGroups: [""]
-              resources: ["pods"]
-              verbs: ["create", "update", "patch", "delete", "get", "list"]
-            - apiGroups: ["*"]
-              resources: ["*"]
-              verbs: ["*"]
    admissionController:
      replicas: 3
+      priorityClassName: "system-node-critical"
+      apiPriorityAndFairness: true
+      hostNetwork: true
+      dnsPolicy: "ClusterFirstWithHostNet"
+      tolerations: [operator: Exists]
+      webhooks:
+        - objectSelector:
+            matchExpressions:
+              - key: "kubernetes.io/hostname"
+                operator: "DoesNotExist"
      rbac:
        clusterRole:
          extraResources:
@@ -45,8 +45,25 @@ spec:
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: "kubernetes.io/hostname"
-          whenUnsatisfiable: "ScheduleAnyway"
+          whenUnsatisfiable: "DoNotSchedule"
          labelSelector:
            matchLabels:
              app.kubernetes.io/instance: "kyverno"
-              app.kubernetes.io/component: "kyverno"
+              app.kubernetes.io/component: "kyverno"
+    backgroundController:
+      replicas: 2
+      rbac:
+        clusterRole:
+          extraResources:
+            - apiGroups: [""]
+              resources: ["pods"]
+              verbs: ["create", "update", "patch", "delete", "get", "list"]
+            - apiGroups: ["*"]
+              resources: ["*"]
+              verbs: ["*"]
+      cleanupController:
+        replicas: 2
+      reportsController:
+        replicas: 2
+    grafana:
+      enabled: false
--- a/kube/deploy/core/kyverno/repo.yaml
+++ b/kube/deploy/core/kyverno/repo.yaml
@@ -6,4 +6,14 @@ metadata:
  namespace: flux-system
 spec:
  interval: 1h
-  url: https://kyverno.github.io/kyverno/
+  type: oci
+  url: oci://ghcr.io/kyverno/charts/kyverno
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: kyverno-policy-reporter
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://kyverno.github.io/policy-reporter/