From 70cd8c78f4916d484a6d46ba91ef92bd0c54889d Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Tue, 7 Nov 2023 20:07:06 +0800 Subject: [PATCH] fix(kyerno): exclude nodes & cluster-admin --- kube/deploy/core/kyverno/app/hr.yaml | 20 ++++++++++++++------ kube/deploy/core/kyverno/repo.yaml | 3 +-- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/kube/deploy/core/kyverno/app/hr.yaml b/kube/deploy/core/kyverno/app/hr.yaml index 5f55dd80..92998575 100644 --- a/kube/deploy/core/kyverno/app/hr.yaml +++ b/kube/deploy/core/kyverno/app/hr.yaml @@ -22,18 +22,22 @@ spec: ingress.home.arpa/host: "allow" ingress.home.arpa/apiserver: "allow" egress.home.arpa/apiserver: "allow" + config: + excludeClusterRoles: ["cluster-admin"] # default kubeconfig cluster-admin role keeps getting locked out from `watch` operations like `k9s` + webhooks: + - objectSelector: + matchExpressions: + - key: "kubernetes.io/hostname" + operator: "DoesNotExist" admissionController: replicas: 3 priorityClassName: "system-node-critical" apiPriorityAndFairness: true hostNetwork: true dnsPolicy: "ClusterFirstWithHostNet" - tolerations: [operator: Exists] - webhooks: - - objectSelector: - matchExpressions: - - key: "kubernetes.io/hostname" - operator: "DoesNotExist" + tolerations: + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" rbac: clusterRole: extraResources: @@ -51,6 +55,10 @@ spec: matchLabels: app.kubernetes.io/instance: "kyverno" app.kubernetes.io/component: "kyverno" + container: + resources: + limits: + memory: 1Gi backgroundController: replicas: 2 rbac: diff --git a/kube/deploy/core/kyverno/repo.yaml b/kube/deploy/core/kyverno/repo.yaml index 63c0f482..04e5c766 100644 --- a/kube/deploy/core/kyverno/repo.yaml +++ b/kube/deploy/core/kyverno/repo.yaml 
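Review bot: `config.excludeClusterRoles: ["cluster-admin"]` exempts every request from any subject bound to cluster-admin from all Kyverno policies, which is a blanket policy bypass for exactly the credential an attacker would most want, and the inline comment's justification does not hold up: admission webhooks only see CREATE/UPDATE/DELETE/CONNECT, so a `watch` lockout in k9s cannot be caused by a policy and this exemption probably does not fix the real problem. If one automation user must be exempt, `config.excludeUsernames` scoped to that user is the narrower form, and the comment should record which policy denied what. The `webhooks` objectSelector is also label-based rather than kind-based: any object carrying a `kubernetes.io/hostname` label (not only Node objects) skips admission, so an author who can label their own pods can opt out of policy; if the intent is only to skip Nodes, `config.resourceFilters` with `[Node,*,*]` (which I believe the chart defaults already include) is the form a workload cannot trigger.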
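Review bot: `resources.limits.memory: 1Gi` is added without a matching `requests`, so the request is implicitly set equal to the limit per replica; make that explicit, e.g. `requests: {memory: 1Gi}` next to the limit, or set a lower request if burstable is intended. An OOMKill of the admission controller is an availability event, since with Kyverno's default `failurePolicy: Fail` the API server rejects the admissions those webhooks cover until a replica is back, so the value should come from observed usage rather than a guess. The other scalars in this hunk are double-quoted while `1Gi` is not; `"1Gi"` would be consistent (it parses as a string either way, so this is style only).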
@@ -6,8 +6,7 @@ metadata: namespace: flux-system spec: interval: 1h - type: oci - url: oci://ghcr.io/kyverno/charts/kyverno + url: https://kyverno.github.io/kyverno/ --- apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository
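Review bot: Switching the HelmRepository from `oci://ghcr.io/kyverno/charts/kyverno` to the GitHub Pages index gives up the option of verifying chart provenance, because Flux's HelmChart `spec.verify` (cosign) is supported only for OCI HelmRepositories and Kyverno publishes cosign signatures for its OCI charts, whereas the HTTPS index offers only TLS plus the index's sha256 digests. No `verify` stanza is visible in this hunk, so nothing currently enforced is lost, but the commit message does not say why the source changed; record it next to the new `url:`, e.g. `# classic index instead of OCI: <reason>; OCI would allow spec.verify (cosign) on the HelmChart`, so the next maintainer knows switching back is the path to signed charts.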