200 changes: 126 additions & 74 deletions apps/kyverno/crds.yaml

Large diffs are not rendered by default.

Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-admission-controller
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-admission-controller
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-background-controller
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-background-controller
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-hooks
app.kubernetes.io/part-of: kyverno
annotations:
helm.sh/hook: post-upgrade
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-reports-controller
app.kubernetes.io/part-of: kyverno
aggregationRule:
clusterRoleSelectors:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-reports-controller
app.kubernetes.io/part-of: kyverno
rules:
- apiGroups:
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-admission-controller
app.kubernetes.io/part-of: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-admission-controller
app.kubernetes.io/part-of: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-background-controller
app.kubernetes.io/part-of: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-background-controller
app.kubernetes.io/part-of: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/part-of: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: hooks
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-hooks
app.kubernetes.io/part-of: kyverno
annotations:
helm.sh/hook: post-upgrade
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-reports-controller
app.kubernetes.io/part-of: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand Up @@ -8,6 +8,7 @@ metadata:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-reports-controller
app.kubernetes.io/part-of: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand Up @@ -9,6 +9,7 @@ metadata:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-admission-controller
app.kubernetes.io/part-of: kyverno
spec:
replicas: 3
Expand All @@ -29,6 +30,7 @@ spec:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-admission-controller
app.kubernetes.io/part-of: kyverno
spec:
nodeSelector:
Expand All @@ -51,7 +53,7 @@ spec:
automountServiceAccountToken: true
initContainers:
- name: kyverno-pre
image: "reg.kyverno.io/kyverno/kyvernopre:v1.17.1"
image: "reg.kyverno.io/kyverno/kyvernopre:v1.18.0"
imagePullPolicy: IfNotPresent
args:
- --loggingFormat=text
Expand All @@ -71,7 +73,9 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
env:
Expand All @@ -97,7 +101,7 @@ spec:
value: kyverno-svc
containers:
- name: kyverno
image: "reg.kyverno.io/kyverno/kyverno:v1.17.1"
image: "reg.kyverno.io/kyverno/kyverno:v1.18.0"
imagePullPolicy: IfNotPresent
args:
- --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
Expand All @@ -124,6 +128,7 @@ spec:
- --generateMutatingAdmissionPolicy=false
- --dumpPatches=false
- --maxAPICallResponseLength=2000000
- --apiCallTimeout=30s
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyViolation,PolicyApplied,PolicySkipped
Expand All @@ -145,7 +150,9 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
ports:
Expand Down Expand Up @@ -209,6 +216,17 @@ spec:
volumeMounts:
- mountPath: /.sigstore
name: sigstore
- name: apicall-token
mountPath: /var/run/secrets/kyverno/apicall
readOnly: true
volumes:
- name: sigstore
emptyDir: {}
- name: apicall-token
projected:
defaultMode: 0444
sources:
- serviceAccountToken:
path: token
expirationSeconds: 3600
audience: kyverno-svc.kyverno.io
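Review bot: The bumped images are referenced by tag only (`kyvernopre:v1.18.0` and `kyverno:v1.18.0` in this section, and the `background-controller`, `cleanup-controller` and `reports-controller` images in the three Deployment sections that follow), together with `imagePullPolicy: IfNotPresent`. What actually runs therefore depends on what the tag resolves to at pull time and on whatever copy a node already has cached, which is a weak guarantee for components that sit in the admission path. Pinning each reference to the digest you verified for this release closes that gap, e.g. `image: "reg.kyverno.io/kyverno/kyverno:v1.18.0@sha256:<digest-placeholder>"`. The digest is not shown on this page and has to be taken from the release artifacts you validated.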
Expand Up @@ -9,6 +9,7 @@ metadata:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-background-controller
app.kubernetes.io/part-of: kyverno
spec:
replicas:
Expand All @@ -29,6 +30,7 @@ spec:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-background-controller
app.kubernetes.io/part-of: kyverno
spec:
nodeSelector:
Expand All @@ -51,7 +53,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: controller
image: "reg.kyverno.io/kyverno/background-controller:v1.17.1"
image: "reg.kyverno.io/kyverno/background-controller:v1.18.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
Expand All @@ -66,8 +68,10 @@ spec:
- --metricsPort=8000
- --resyncPeriod=15m
- --enableConfigMapCaching=true
- --controllerRuntimeMetricsAddress=:8080
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --apiCallTimeout=30s
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyViolation,PolicyApplied,PolicySkipped
Expand Down Expand Up @@ -103,6 +107,21 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
volumeMounts:
- name: apicall-token
mountPath: /var/run/secrets/kyverno/apicall
readOnly: true
volumes:
- name: apicall-token
projected:
defaultMode: 0444
sources:
- serviceAccountToken:
path: token
expirationSeconds: 3600
audience: kyverno-svc.kyverno.io
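Review bot: `defaultMode: 0444` on the `apicall-token` projected volume is a bare leading-zero scalar, so its value depends on the loader: YAML 1.1 loaders read it as octal (292), while a strict YAML 1.2 loader reads decimal 444, which is mode 0674. Both values fall inside the 0–511 range the field accepts, so a mis-parse by intermediate tooling would not be rejected. The same line appears in the admission-controller, cleanup-controller and reports-controller sections. The decimal form `defaultMode: 292` is unambiguous; if this manifest is rendered from the upstream chart (suggested by the `managed-by: Helm` label, not confirmed here), the change belongs in the chart or its values rather than in this file.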
Expand Up @@ -9,6 +9,7 @@ metadata:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/part-of: kyverno
spec:
replicas:
Expand All @@ -29,6 +30,7 @@ spec:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/part-of: kyverno
spec:
nodeSelector:
Expand All @@ -51,7 +53,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: controller
image: "reg.kyverno.io/kyverno/cleanup-controller:v1.17.1"
image: "reg.kyverno.io/kyverno/cleanup-controller:v1.18.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
Expand All @@ -73,6 +75,7 @@ spec:
- --enableDeferredLoading=true
- --dumpPayload=false
- --maxAPICallResponseLength=2000000
- --apiCallTimeout=30s
- --loggingFormat=text
- --v=2
- --protectManagedResources=false
Expand Down Expand Up @@ -111,7 +114,9 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
startupProbe:
Expand Down Expand Up @@ -142,3 +147,16 @@ spec:
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- name: apicall-token
mountPath: /var/run/secrets/kyverno/apicall
readOnly: true
volumes:
- name: apicall-token
projected:
defaultMode: 0444
sources:
- serviceAccountToken:
path: token
expirationSeconds: 3600
audience: kyverno-svc.kyverno.io
Expand Up @@ -9,6 +9,7 @@ metadata:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-reports-controller
app.kubernetes.io/part-of: kyverno
spec:
replicas:
Expand All @@ -29,6 +30,7 @@ spec:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kyverno-reports-controller
app.kubernetes.io/part-of: kyverno
spec:
nodeSelector:
Expand All @@ -51,7 +53,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: controller
image: "reg.kyverno.io/kyverno/reports-controller:v1.17.1"
image: "reg.kyverno.io/kyverno/reports-controller:v1.18.0"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
Expand All @@ -78,6 +80,7 @@ spec:
- --enableConfigMapCaching=true
- --enableDeferredLoading=true
- --maxAPICallResponseLength=2000000
- --apiCallTimeout=30s
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyViolation,PolicyApplied,PolicySkipped
Expand Down Expand Up @@ -117,12 +120,25 @@ spec:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 65534
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /.sigstore
name: sigstore
- name: apicall-token
mountPath: /var/run/secrets/kyverno/apicall
readOnly: true
volumes:
- name: sigstore
emptyDir: {}
- name: apicall-token
projected:
defaultMode: 0444
sources:
- serviceAccountToken:
path: token
expirationSeconds: 3600
audience: kyverno-svc.kyverno.io