Cherry Pick #913 (#920)
* add enableDeferredLoading flag

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* fix link

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* change community meeting to NOK

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* expand mutate existing

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add enableDeferredLoading flag (#913)

---------

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
chipzoller committed Jul 17, 2023
1 parent 698270e commit 6c9edd3
Showing 4 changed files with 52 additions and 49 deletions.
8 changes: 4 additions & 4 deletions content/en/Community/_index.md
@@ -18,12 +18,12 @@ If you already have access to the Kubernetes Slack workspace simply select "sign

To attend our community meetings, join the [Kyverno group](https://groups.google.com/g/kyverno). You will then be sent a meeting invite and will have access to the agenda and meeting notes. Any member may suggest topics for discussion.

### Community Meeting
### Nirmata Office Hours

This is a monthly meeting for the broader community in which upcoming features and road map discussions take place:
This is a monthly meeting for the broader community where the Kyverno maintainers from [Nirmata](https://nirmata.com/) cover one or more topics with preference given to open community discussion, question and answer, etc. Meeting is live streamed on YouTube with recordings available after. Either join in person or attend in view-only mode:

- Monthly on the second Thursday at 9:00 AM PST
- [Agenda and meeting notes](https://docs.google.com/document/d/10Hu1qTip1KShi8Lf_v9C5UVQtp7vz_WL3WVxltTvdAc/edit#)
- Monthly on the second Thursday at 7:00 AM PST
- [Repo](https://github.com/nirmata/office-hours-for-kyverno)

### Contributors Meeting

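Review bot: the renamed heading and its new body no longer agree with the paragraph kept as context just above them, which still tells readers that joining the Kyverno Google group gets them "a meeting invite" and "access to the agenda and meeting notes" for "our community meetings"; with the "Agenda and meeting notes" link dropped in favour of the "Repo" link, the page no longer says where the Office Hours agenda lives, so either keep an agenda link or state that the repo holds it. Two smaller points: `7:00 AM PST` (like the old `9:00 AM PST`) is only correct while Pacific Standard Time is in effect, so if the slot follows Pacific local time year-round write `7:00 AM Pacific Time` or give a UTC offset; and "join in person" reads as a physical meeting, where "join the call" or "join the meeting live" is what is meant.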
83 changes: 42 additions & 41 deletions content/en/docs/Installation/customization.md
@@ -271,47 +271,48 @@ The following flags can be used to control the advanced behavior of the various
12. `disableMetrics` (ABCR): specifies whether to enable exposing the metrics. Default is `false`.
13. `dumpPayload` (AC): toggles debug mode. When debug mode is enabled, the full AdmissionReview payload is logged. Additionally, resources of kind Secret are redacted. Default is `false`. Should only be used in policy development or troubleshooting scenarios, not left perpetually enabled.
14. `enableConfigMapCaching` (ABR): enables the ConfigMap caching feature. Defaults to `true`.
15. `enablePolicyException` (ABR): set to `true` to enable the [PolicyException capability](/docs/writing-policies/exceptions/). Default is `false`.
16. `enableTracing` (ABCR): set to enable exposing traces. Default is `false`.
17. `exceptionNamespace` (ABR): set to the name of a Namespace where [PolicyExceptions](/docs/writing-policies/exceptions/) will only be permitted. PolicyExceptions created in any other Namespace will throw a warning. If not set, PolicyExceptions from all Namespaces will be considered. Implies the `enablePolicyException` flag is set to `true`. Neither wildcards nor multiple Namespaces are currently accepted.
18. `forceFailurePolicyIgnore` (A): set to force Failure Policy to `Ignore`. Default is `false`.
19. `genWorkers` (B): the number of workers for processing generate policies concurrently. Default is `10`.
20. `imagePullSecrets` (ABR): specifies secret resource names for image registry access credentials. Only a single value accepted currently.
21. `imageSignatureRepository` (AR): specifies alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.
22. `kubeconfig` (ABCR): specifies the Kubeconfig file to be used when overriding the API server to which Kyverno should communicate. Only used when Kyverno is running outside of the cluster in which it services admission requests.
23. `leaderElectionRetryPeriod` (ABCR): controls the leader election renewal frequency. Default is `2s`.
24. `log_backtrace_at` (ABCR): when logging hits line file:N, emit a stack trace.
25. `log_dir` (ABCR): if non-empty, write log files in this directory (no effect when -logtostderr=true).
26. `log_file` (ABCR): if non-empty, use this log file (no effect when -logtostderr=true).
27. `log_file_max_size` (ABCR): defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. Default is `1800`.
28. `loggingFormat` (ABCR): determines the output format of logs. Logs can be outputted in JSON or text format by setting the flag to `json` or `text` respectively. Default is `text`.
29. `logtostderr` (ABCR): log to standard error instead of files. Default is `true`.
30. `maxQueuedEvents` (ABR): defines the upper limit of events that are queued internally. Default is `1000`.
31. `metricsPort` (ABCR): specifies the port to expose prometheus metrics. Default is `8000`.
32. `omit-events` (ABR): specifies the type of Kyverno events which should not be emitted. Accepts a comma-separated string with possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`. Default is undefined (all events will be emitted).
33. `one_output` (ABCR): If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true).
34. `otelCollector` (ABCR): sets the OpenTelemetry collector service address. Kyverno will try to connect to this on the metrics port. Default is `opentelemetrycollector.kyverno.svc.cluster.local`.
35. `otelConfig` (ABCR): sets the preference for Prometheus or OpenTelemetry. Set to `grpc` to enable OpenTelemetry. Default is `prometheus`.
36. `profile` (ABCR): setting this flag to `true` will enable profiling. Default is `false`.
37. `profileAddress` (ABCR): Configures the address of the profiling server. Default is `""`.
38. `profilePort` (ABCR): specifies port to enable profiling. Default is `6060`.
39. `protectManagedResources` (A): protects the Kyverno resources from being altered by anyone other than the Kyverno Service Account. Defaults to `false`. Set to `true` to enable.
40. `registryCredentialHelpers` (ABR): enables cloud-registry-specific authentication helpers. Defaults to `"default,google,amazon,azure,github"`.
41. `reportsChunkSize` (R): maximum number of results in generated reports before splitting occurs if there are more results to be stored. Default is `1000`.
42. `serverIP` (AC): like the `kubeconfig` flag, used when running Kyverno outside of the cluster which it serves.
43. `servicePort` (AC): port used by the Kyverno Service resource and for webhook configurations. Default is `443`.
44. `skipResourceFilters` (R): defines whether to obey the ConfigMap's resourceFilters when performing background report scans. Default is `true`. When set to `true`, anything defined in the resourceFilters will not be excluded in background reports. Ex., when set to `true` if the resourceFilters contain the `[*/*,kube-system,*]` entry then background scan reports will be produced for anything in the `kube-system` Namespace. Set this value to `false` to obey resourceFilters in background scan reports. Ex., when set to `false` if the resourceFilters contain the `[*/*,kube-system,*]` entry then background scan reports will NOT be produced for anything in the `kube-system` Namespace.
45. `skip_headers` (ABCR): if true, avoid header prefixes in the log messages.
46. `skip_log_headers` (ABCR): if true, avoid headers when opening log files (no effect when -logtostderr=true).
47. `stderrthreshold` (ABCR): logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false). Default is `2`.
48. `tracingAddress` (ABCR): tracing receiver address, defaults to `''`.
49. `tracingCreds` (ABCR): set to the CA secret containing the certificate which is used by the Opentelemetry Tracing Client. If empty string is set, an insecure connection will be used.
50. `tracingPort` (ABCR): tracing receiver port. Default is `"4317"`.
51. `transportCreds` (ABCR): set to the CA secret containing the certificate used by the OpenTelemetry metrics client. Empty string means an insecure connection will be used. Default is `""`.
52. `v` (ABCR): sets the verbosity level of Kyverno log output. Takes an integer from 1 to 6 with 6 being the most verbose. Level 4 shows variable substitution messages. Default is `2`.
53. `vmodule` (ABCR): comma-separated list of pattern=N settings for file-filtered logging.
54. `webhookRegistrationTimeout` (A): specifies the length of time Kyverno will try to register webhooks with the API server. Defaults to `120s`.
55. `webhookTimeout` (A): specifies the timeout for webhooks. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Defaults is `10s`.
15. `enableDeferredLoading` (A): enables deferred (lazy) loading of variables (1.10.1+). Defaults to `true`. Set to `false` to disable deferred loading of variables which was the default behavior in versions < 1.10.0.
16. `enablePolicyException` (ABR): set to `true` to enable the [PolicyException capability](/docs/writing-policies/exceptions/). Default is `false`.
17. `enableTracing` (ABCR): set to enable exposing traces. Default is `false`.
18. `exceptionNamespace` (ABR): set to the name of a Namespace where [PolicyExceptions](/docs/writing-policies/exceptions/) will only be permitted. PolicyExceptions created in any other Namespace will throw a warning. If not set, PolicyExceptions from all Namespaces will be considered. Implies the `enablePolicyException` flag is set to `true`. Neither wildcards nor multiple Namespaces are currently accepted.
19. `forceFailurePolicyIgnore` (A): set to force Failure Policy to `Ignore`. Default is `false`.
20. `genWorkers` (B): the number of workers for processing generate policies concurrently. Default is `10`.
21. `imagePullSecrets` (ABR): specifies secret resource names for image registry access credentials. Only a single value accepted currently.
22. `imageSignatureRepository` (AR): specifies alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.
23. `kubeconfig` (ABCR): specifies the Kubeconfig file to be used when overriding the API server to which Kyverno should communicate. Only used when Kyverno is running outside of the cluster in which it services admission requests.
24. `leaderElectionRetryPeriod` (ABCR): controls the leader election renewal frequency. Default is `2s`.
25. `log_backtrace_at` (ABCR): when logging hits line file:N, emit a stack trace.
26. `log_dir` (ABCR): if non-empty, write log files in this directory (no effect when -logtostderr=true).
27. `log_file` (ABCR): if non-empty, use this log file (no effect when -logtostderr=true).
28. `log_file_max_size` (ABCR): defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. Default is `1800`.
29. `loggingFormat` (ABCR): determines the output format of logs. Logs can be outputted in JSON or text format by setting the flag to `json` or `text` respectively. Default is `text`.
30. `logtostderr` (ABCR): log to standard error instead of files. Default is `true`.
31. `maxQueuedEvents` (ABR): defines the upper limit of events that are queued internally. Default is `1000`.
32. `metricsPort` (ABCR): specifies the port to expose prometheus metrics. Default is `8000`.
33. `omit-events` (ABR): specifies the type of Kyverno events which should not be emitted. Accepts a comma-separated string with possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`. Default is undefined (all events will be emitted).
34. `one_output` (ABCR): If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true).
35. `otelCollector` (ABCR): sets the OpenTelemetry collector service address. Kyverno will try to connect to this on the metrics port. Default is `opentelemetrycollector.kyverno.svc.cluster.local`.
36. `otelConfig` (ABCR): sets the preference for Prometheus or OpenTelemetry. Set to `grpc` to enable OpenTelemetry. Default is `prometheus`.
37. `profile` (ABCR): setting this flag to `true` will enable profiling. Default is `false`.
38. `profileAddress` (ABCR): Configures the address of the profiling server. Default is `""`.
39. `profilePort` (ABCR): specifies port to enable profiling. Default is `6060`.
40. `protectManagedResources` (A): protects the Kyverno resources from being altered by anyone other than the Kyverno Service Account. Defaults to `false`. Set to `true` to enable.
41. `registryCredentialHelpers` (ABR): enables cloud-registry-specific authentication helpers. Defaults to `"default,google,amazon,azure,github"`.
42. `reportsChunkSize` (R): maximum number of results in generated reports before splitting occurs if there are more results to be stored. Default is `1000`.
43. `serverIP` (AC): like the `kubeconfig` flag, used when running Kyverno outside of the cluster which it serves.
44. `servicePort` (AC): port used by the Kyverno Service resource and for webhook configurations. Default is `443`.
45. `skipResourceFilters` (R): defines whether to obey the ConfigMap's resourceFilters when performing background report scans. Default is `true`. When set to `true`, anything defined in the resourceFilters will not be excluded in background reports. Ex., when set to `true` if the resourceFilters contain the `[*/*,kube-system,*]` entry then background scan reports will be produced for anything in the `kube-system` Namespace. Set this value to `false` to obey resourceFilters in background scan reports. Ex., when set to `false` if the resourceFilters contain the `[*/*,kube-system,*]` entry then background scan reports will NOT be produced for anything in the `kube-system` Namespace.
46. `skip_headers` (ABCR): if true, avoid header prefixes in the log messages.
47. `skip_log_headers` (ABCR): if true, avoid headers when opening log files (no effect when -logtostderr=true).
48. `stderrthreshold` (ABCR): logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false). Default is `2`.
49. `tracingAddress` (ABCR): tracing receiver address, defaults to `''`.
50. `tracingCreds` (ABCR): set to the CA secret containing the certificate which is used by the Opentelemetry Tracing Client. If empty string is set, an insecure connection will be used.
51. `tracingPort` (ABCR): tracing receiver port. Default is `"4317"`.
52. `transportCreds` (ABCR): set to the CA secret containing the certificate used by the OpenTelemetry metrics client. Empty string means an insecure connection will be used. Default is `""`.
53. `v` (ABCR): sets the verbosity level of Kyverno log output. Takes an integer from 1 to 6 with 6 being the most verbose. Level 4 shows variable substitution messages. Default is `2`.
54. `vmodule` (ABCR): comma-separated list of pattern=N settings for file-filtered logging.
55. `webhookRegistrationTimeout` (A): specifies the length of time Kyverno will try to register webhooks with the API server. Defaults to `120s`.
56. `webhookTimeout` (A): specifies the timeout for webhooks. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Defaults is `10s`.

### Policy Report access

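Review bot: the new item 15 tags `enableDeferredLoading` as `(A)` only, while the neighbouring variable-related toggle `enableConfigMapCaching` is `(ABR)`; if variable substitution also runs in the background controller (generate and mutate-existing rules) and the reports controller, the letters should say so, and if deferred loading really is admission-only the entry should state that explicitly so operators do not expect the flag to change background behaviour. Two smaller points on the same hunk: the version marker `(1.10.1+)` in parentheses matches no other entry in the list and would be clearer as a sentence, e.g. "Added in 1.10.1. Defaults to `true`. Set to `false` to restore the eager variable loading that was the default before 1.10.0."; and since every following item is renumbered by hand anyway (41 lines of churn for one insertion; Markdown renumbers an ordered list from its first marker, so the existing numbers could have been left alone), take the opportunity to fix the pre-existing typo in the last item, "Defaults is `10s`" → "Default is `10s`".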
2 changes: 1 addition & 1 deletion content/en/docs/Writing policies/cleanup.md
@@ -43,7 +43,7 @@ spec:

Values from resources to be evaluated during a policy may be referenced with `target.*` similar to [mutate existing rules](/docs/writing-policies/mutate/#mutate-existing-resources).

Because Kyverno follows the principal of least privilege, depending on the resources you wish to remove it may be necessary to grant additional permissions to the cleanup controller. Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed. See the [Customizing Permissions](http://localhost:1313/docs/installation/customization/#customizing-permissions) section for more details.
Because Kyverno follows the principal of least privilege, depending on the resources you wish to remove it may be necessary to grant additional permissions to the cleanup controller. Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed. See the [Customizing Permissions](/docs/installation/customization/#customizing-permissions) section for more details.

{{% alert title="Warning" color="warning" %}}
Be mindful of the validate policies in `Enforce` mode in your cluster as the CronJobs and their spawned Jobs/Pods may be subjected to and potentially blocked. You may wish to exclude based on the label `app.kubernetes.io/managed-by`.
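Review bot: the link fix is correct (a hard-coded `http://localhost:1313/...` would be dead on the published site), but the same changed line carries a pre-existing typo that should go with it: "principal of least privilege" → "principle of least privilege". The sentence "Kyverno will assist in informing you if additional permissions are required by validating them at the time a new cleanup policy is installed" is also wordy; "Kyverno validates the required permissions when a cleanup policy is created and reports any that are missing" says the same thing. Given that the paragraph invokes least privilege, it would help to add one clause saying the extra permissions should be scoped to the kinds the policy actually removes rather than granted through a broad ClusterRole. In the Warning context line, "may be subjected to and potentially blocked" is missing its object; "may be matched by them and blocked" is what is meant.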