From a950b62e9c4ff0ea24114d48ddd50c475ea91218 Mon Sep 17 00:00:00 2001 From: Kapil Kalra Date: Fri, 24 Apr 2026 16:18:12 -0700 Subject: [PATCH] feat(chart): hardcode enableServiceLinks: false in all pod specs Prevents CrashLoopBackOff in namespaces with many services (100+) where Kubernetes injects thousands of service environment variables, exceeding the Linux execve() argument size limit. PLAT-147172 Made-with: Cursor --- charts/kyverno/templates/admission-controller/deployment.yaml | 1 + charts/kyverno/templates/background-controller/deployment.yaml | 1 + charts/kyverno/templates/cleanup-controller/deployment.yaml | 1 + .../kyverno/templates/hooks/post-upgrade-migrate-resources.yaml | 1 + .../hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml | 1 + .../hooks/pre-delete-remove-validatingwebhookconfiguration.yaml | 1 + charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml | 1 + charts/kyverno/templates/reports-controller/deployment.yaml | 1 + 8 files changed, 8 insertions(+) diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index 5f065113c738..4be736b079e1 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -42,6 +42,7 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: + enableServiceLinks: false {{- with .Values.admissionController.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- tpl (include "kyverno.sortedImagePullSecrets" .) $ | nindent 8 }} diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml index 10d7042217b4..0f1659a66533 100644 --- a/charts/kyverno/templates/background-controller/deployment.yaml +++ b/charts/kyverno/templates/background-controller/deployment.yaml @@ -33,6 +33,7 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: + enableServiceLinks: false {{- with .Values.backgroundController.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- tpl (include "kyverno.sortedImagePullSecrets" .) $ | nindent 8 }} diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml index c2c390ccd440..7471bb5b89ce 100644 --- a/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml @@ -40,6 +40,7 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: + enableServiceLinks: false {{- with .Values.cleanupController.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- tpl (include "kyverno.sortedImagePullSecrets" .) $ | nindent 8 }} diff --git a/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml index 9ae1968cc714..f868156ba3f6 100644 --- a/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml +++ b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml @@ -99,6 +99,7 @@ spec: {{- end }} {{- end }} spec: + enableServiceLinks: false serviceAccountName: {{ template "kyverno.fullname" . }}-migrate-resources automountServiceAccountToken: {{ $automountSAToken }} {{- with .Values.crds.migration.podSecurityContext }} diff --git a/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml b/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml index d5341bcb2cc5..5593773d348d 100644 --- a/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml +++ b/charts/kyverno/templates/hooks/pre-delete-remove-mutatingwebhookconfiguration.yaml @@ -27,6 +27,7 @@ spec: {{- end }} {{- end }} spec: + enableServiceLinks: false serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} automountServiceAccountToken: {{ $automountSAToken }} {{- with .Values.webhooksCleanup.podSecurityContext }} diff --git a/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml b/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml index 62e03e5ab9bc..1c7291d4a51b 100644 --- a/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml +++ b/charts/kyverno/templates/hooks/pre-delete-remove-validatingwebhookconfiguration.yaml @@ -27,6 +27,7 @@ spec: {{- end }} {{- end }} spec: + enableServiceLinks: false serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} automountServiceAccountToken: {{ $automountSAToken }} {{- with .Values.webhooksCleanup.podSecurityContext }} diff --git a/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml index c2ca7ba5d275..c55851a6ad82 100644 --- a/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml +++ b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml @@ -28,6 +28,7 @@ spec: {{- end }} {{- end }} spec: + enableServiceLinks: false serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} automountServiceAccountToken: {{ $automountSAToken }} {{- with .Values.webhooksCleanup.podSecurityContext }} diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml index 9ad41d8924d3..398b6b13c139 100644 --- a/charts/kyverno/templates/reports-controller/deployment.yaml +++ b/charts/kyverno/templates/reports-controller/deployment.yaml @@ -34,6 +34,7 @@ spec: annotations: {{ tpl (toYaml .) $ | nindent 8 }} {{- end }} spec: + enableServiceLinks: false {{- with .Values.reportsController.imagePullSecrets | default .Values.global.imagePullSecrets }} imagePullSecrets: {{- tpl (include "kyverno.sortedImagePullSecrets" .) $ | nindent 8 }}