kyverno: bump to v1.15.2 on staging

Upgrade kyverno from v1.13.4 to v1.15.2 on the staging clusters.

Part-of: KFLUXINFRA-1963
Signed-off-by: Andy Sadler <ansadler@redhat.com>

Author: sadlerap

components/kyverno/staging/stone-stage-p01/kustomization.yaml

@@ -4,36 +4,22 @@ kind: Kustomization
 namespace: konflux-kyverno
 
 generators:
-  - kyverno-helm-generator.yaml
-
-replacements:
-  # enforce serviceAccountName is used instead of serviceAccount in Jobs
-  # TODO: these replacements can be removed when bumping to kyverno:1.14
-  # https://github.com/kyverno/kyverno/pull/12158
-  - source:
-      group: batch
-      version: v1
-      kind: Job
-      name: konflux-kyverno-migrate-resources
-      namespace: konflux-kyverno
-      fieldPath: spec.template.spec.serviceAccount
-    targets:
-      - select:
-          group: batch
-          version: v1
-          kind: Job
-          namespace: konflux-kyverno
-          name: konflux-kyverno-migrate-resources
-        fieldPaths:
-          - spec.template.spec.serviceAccountName
-        options:
-          create: true
+- kyverno-helm-generator.yaml
 
 # set resources to jobs
 patches:
-  - path: job_resources.yaml
-    target:
-      group: batch
-      version: v1
-      kind: Job
-      name: konflux-kyverno-migrate-resources
+- path: job_resources.yaml
+  target:
+    group: batch
+    kind: Job
+    name: konflux-kyverno-migrate-resources
+    version: v1
+- patch: |
+    - op: add
+      path: /spec/unhealthyPodEvictionPolicy
+      value: AlwaysAllow
+  target:
+    group: policy
+    version: v1
+    kind: PodDisruptionBudget
+    labelSelector: app.kubernetes.io/part-of=konflux-kyverno

components/kyverno/staging/stone-stage-p01/kyverno-helm-generator.yaml

@@ -4,10 +4,7 @@ metadata:
   name: kyverno
 name: kyverno
 repo: https://kyverno.github.io/kyverno/
-# TODO: when bumping to kyverno:1.14 we can remove ServiceAccountName 
-# replacements from the kustomization.yaml file
-# https://github.com/kyverno/kyverno/pull/12158
-version: 3.3.7
+version: 3.5.2
 namespace: konflux-kyverno
 valuesFile: kyverno-helm-values.yaml
 releaseName: kyverno

components/kyverno/staging/stone-stg-rh01/kustomization.yaml

@@ -6,29 +6,6 @@ namespace: konflux-kyverno
 generators:
   - kyverno-helm-generator.yaml
 
-replacements:
-  # enforce serviceAccountName is used instead of serviceAccount in Jobs
-  # TODO: these replacements can be removed when bumping to kyverno:1.14
-  # https://github.com/kyverno/kyverno/pull/12158
-  - source:
-      group: batch
-      version: v1
-      kind: Job
-      name: konflux-kyverno-migrate-resources
-      namespace: konflux-kyverno
-      fieldPath: spec.template.spec.serviceAccount
-    targets:
-      - select:
-          group: batch
-          version: v1
-          kind: Job
-          namespace: konflux-kyverno
-          name: konflux-kyverno-migrate-resources
-        fieldPaths:
-          - spec.template.spec.serviceAccountName
-        options:
-          create: true
-
 # set resources to jobs
 patches:
   - path: job_resources.yaml
@@ -37,3 +14,12 @@ patches:
       version: v1
       kind: Job
       name: konflux-kyverno-migrate-resources
+  - patch: |
+      - op: add
+        path: /spec/unhealthyPodEvictionPolicy
+        value: AlwaysAllow
+    target:
+      group: policy
+      version: v1
+      kind: PodDisruptionBudget
+      labelSelector: app.kubernetes.io/part-of=konflux-kyverno

components/kyverno/staging/stone-stg-rh01/kyverno-helm-generator.yaml

@@ -4,10 +4,7 @@ metadata:
   name: kyverno
 name: kyverno
 repo: https://kyverno.github.io/kyverno/
-# TODO: when bumping to kyverno:1.14 we can remove ServiceAccountName 
-# replacements from the kustomization.yaml file
-# https://github.com/kyverno/kyverno/pull/12158
-version: 3.3.7
+version: 3.5.2
 namespace: konflux-kyverno
 valuesFile: kyverno-helm-values.yaml
 releaseName: kyverno