fix: update kyverno

chart/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: kyverno
   repository: https://kyverno.github.io/kyverno/
-  version: 2.7.5
+  version: 3.0.5
 - name: policy-reporter
   repository: https://kyverno.github.io/policy-reporter
-  version: 2.19.4
-digest: sha256:97240ab3c212b3f30e0ad7169c87ebc3a94ed98c72a02ee0d69de3ddbe119eb7
-generated: "2023-07-27T23:47:01.480181+08:00"
+  version: 2.20.1
+digest: sha256:7f45d9ea7f30b5489c9d9b6d1a418c7cc71735a3594fed585cb8f22a768fecfc
+generated: "2023-10-17T17:09:38.309096+08:00"

chart/README.md

@@ -15,7 +15,7 @@ Helm chart to deploy AtomiCloud's Cluster policy engine, Kyverno
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| kyverno | object | `{"config":{"webhooks":[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","kube-node-lease","kube-public","kyverno"]}]}}]},"customLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"operator"},"podAnnotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"operator"},"replicaCount":3,"resources":{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":"100m","memory":"128Mi"}},"templating":{"enabled":false},"topologySpreadConstraints":[{"labelSelector":{"matchLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"operator"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"}]}` | Kyverno Configuration. See [Kyverno](https://github.com/kyverno/kyverno/tree/main/charts/kyverno) |
+| kyverno | object | `{"admissionController":{"createSelfSignedCert":true,"podAnnotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"operator"},"podLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"operator"},"replicas":1,"resources":{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":"100m","memory":"128Mi"}},"serviceMonitor":{"enabled":true,"interval":"60s"}},"config":{"webhooks":[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","kube-node-lease","kube-public","kyverno"]}]}}]},"customLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"operator"},"metricsConfig":{"create":null},"podAnnotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"operator"},"templating":{"enabled":false}}` | Kyverno Configuration. See [Kyverno](https://github.com/kyverno/kyverno/tree/main/charts/kyverno) |
 | policy-reporter | object | `{"podAnnotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"reporter"},"podLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"reporter"},"resources":{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":"100m","memory":"128Mi"}},"topologySpreadConstraints":[{"labelSelector":{"matchLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"reporter"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"}],"ui":{"enabled":true,"podAnnotations":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"ui"},"podLabels":{"<<":{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"},"atomi.cloud/module":"ui"},"resources":{"limits":{"cpu":1,"memory":"1Gi"},"requests":{"cpu":"100m","memory":"128Mi"}}}}` | Kyverno Policy Reporter Configuration. See [Policy Reporter](https://github.com/kyverno/policy-reporter) |
 | serviceTree | object | `{"layer":"1","platform":"sulfoxide","service":"argon"}` | AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb) |
 | tags | object | `{"atomi.cloud/layer":"1","atomi.cloud/platform":"sulfoxide","atomi.cloud/service":"argon"}` | Kubernetes labels and annotations, following Service Tree |

chart/values.entei.opal.yaml

@@ -8,21 +8,13 @@ tags: &tags
 
 kyverno:
   replicaCount: 1
-  topologySpreadConstraints:
-    - maxSkew: 1
-      topologyKey: "topology.kubernetes.io/zone"
-      whenUnsatisfiable: ScheduleAnyway
-      labelSelector:
-        matchLabels:
-          <<: *tags
-          atomi.cloud/module: operator
   resources:
     limits:
-      cpu: 2
-      memory: 2Gi
+      cpu: 1
+      memory: 1Gi
     requests:
-      cpu: 500m
-      memory: 512Mi
+      cpu: 250m
+      memory: 256Mi
   podAnnotations:
     <<: *tags
   customLabels:

chart/values.pichu.opal.yaml

@@ -8,18 +8,10 @@ tags: &tags
 
 kyverno:
   replicaCount: 1
-  topologySpreadConstraints:
-    - maxSkew: 1
-      topologyKey: "topology.kubernetes.io/zone"
-      whenUnsatisfiable: ScheduleAnyway
-      labelSelector:
-        matchLabels:
-          <<: *tags
-          atomi.cloud/module: operator
   resources:
     limits:
-      cpu: 2
-      memory: 2Gi
+      cpu: 500m
+      memory: 512Mi
     requests:
       cpu: 125m
       memory: 128Mi

chart/values.pikachu.opal.yaml

@@ -8,18 +8,10 @@ tags: &tags
 
 kyverno:
   replicaCount: 1
-  topologySpreadConstraints:
-    - maxSkew: 1
-      topologyKey: "topology.kubernetes.io/zone"
-      whenUnsatisfiable: ScheduleAnyway
-      labelSelector:
-        matchLabels:
-          <<: *tags
-          atomi.cloud/module: operator
   resources:
     limits:
-      cpu: 2
-      memory: 2Gi
+      cpu: 500m
+      memory: 512Mi
     requests:
       cpu: 125m
       memory: 128Mi

chart/values.raichu.opal.yaml

@@ -8,18 +8,10 @@ tags: &tags
 
 kyverno:
   replicaCount: 1
-  topologySpreadConstraints:
-    - maxSkew: 1
-      topologyKey: "topology.kubernetes.io/zone"
-      whenUnsatisfiable: ScheduleAnyway
-      labelSelector:
-        matchLabels:
-          <<: *tags
-          atomi.cloud/module: operator
   resources:
     limits:
-      cpu: 2
-      memory: 2Gi
+      cpu: 1
+      memory: 1Gi
     requests:
       cpu: 500m
       memory: 512Mi

chart/values.yaml

@@ -12,24 +12,30 @@ tags: &tags
 
 # -- Kyverno Configuration. See [Kyverno](https://github.com/kyverno/kyverno/tree/main/charts/kyverno)
 kyverno:
-  replicaCount: 3
+  admissionController:
+    createSelfSignedCert: true
+    replicas: 1
+    podLabels:
+      <<: *tags
+      atomi.cloud/module: operator
+    podAnnotations:
+      <<: *tags
+      atomi.cloud/module: operator
+    serviceMonitor:
+      enabled: true
+      interval: 60s
+    resources:
+      limits:
+        cpu: 1
+        memory: 1Gi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+  metricsConfig:
+    create:
   templating:
     enabled: false
-  topologySpreadConstraints:
-    - maxSkew: 1
-      topologyKey: "topology.kubernetes.io/zone"
-      whenUnsatisfiable: ScheduleAnyway
-      labelSelector:
-        matchLabels:
-          <<: *tags
-          atomi.cloud/module: operator
-  resources:
-    limits:
-      cpu: 1
-      memory: 1Gi
-    requests:
-      cpu: 100m
-      memory: 128Mi
+
   podAnnotations:
     <<: *tags
     atomi.cloud/module: operator