diff --git a/components/kyverno/development/kustomization.yaml b/components/kyverno/development/kustomization.yaml
index 31467805a37..e165f0a2757 100644
--- a/components/kyverno/development/kustomization.yaml
+++ b/components/kyverno/development/kustomization.yaml
@@ -6,30 +6,6 @@ namespace: konflux-kyverno
 generators:
 - kyverno-helm-generator.yaml
-replacements:
- # enforce serviceAccountName is used instead of serviceAccount in Jobs
- # TODO: these replacements can be removed when bumping to kyverno:1.14
- # https://github.com/kyverno/kyverno/pull/12158
- - source:
- group: batch
- version: v1
- kind: Job
- name: konflux-kyverno-migrate-resources
- namespace: konflux-kyverno
- fieldPath: spec.template.spec.serviceAccount
- targets:
- - select:
- group: batch
- version: v1
- kind: Job
- namespace: konflux-kyverno
- name: konflux-kyverno-migrate-resources
- fieldPaths:
- - spec.template.spec.serviceAccountName
- options:
- create: true
-
-# set resources to jobs
 patches:
 - path: job_resources.yaml
 target:
diff --git a/components/kyverno/development/kyverno-helm-generator.yaml b/components/kyverno/development/kyverno-helm-generator.yaml
index 19f3e2577bd..14cac5a982c 100644
--- a/components/kyverno/development/kyverno-helm-generator.yaml
+++ b/components/kyverno/development/kyverno-helm-generator.yaml
@@ -4,10 +4,7 @@ metadata:
 name: kyverno
 name: kyverno
 repo: https://kyverno.github.io/kyverno/
-# TODO: when bumping to kyverno:1.14 we can remove ServiceAccountName
-# replacements from the kustomization.yaml file
-# https://github.com/kyverno/kyverno/pull/12158
-version: 3.3.7
+version: 3.5.2
 namespace: konflux-kyverno
 valuesFile: kyverno-helm-values.yaml
 releaseName: kyverno
diff --git a/components/kyverno/development/kyverno-helm-values.yaml b/components/kyverno/development/kyverno-helm-values.yaml
index f97a50bc315..d61c99bfa20 100644
--- a/components/kyverno/development/kyverno-helm-values.yaml
+++ b/components/kyverno/development/kyverno-helm-values.yaml
@@ -26,6 +26,11 @@ admissionController:
 - "ALL"
 metering:
 disabled: false
+ podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 2
+ minAvailable: null
+ unhealthyPodEvictionPolicy: AlwaysAllow
 serviceMonitor:
 enabled: true
 # kyverno doesn't seem to support HTTPS on metrics
diff --git a/components/policies/development/integration/bootstrap-namespace/bootstrap-namespace.yaml b/components/policies/development/integration/bootstrap-namespace/bootstrap-namespace.yaml
index 2132d5a7eaa..a7d5cfc84b7 100644
--- a/components/policies/development/integration/bootstrap-namespace/bootstrap-namespace.yaml
+++ b/components/policies/development/integration/bootstrap-namespace/bootstrap-namespace.yaml
@@ -19,9 +19,14 @@ spec:
 selector:
 matchLabels:
 konflux-ci.dev/type: tenant
- celPreconditions:
- - name: "on update, oldObject had no konflux-ci.dev/type=tenant label"
- expression: "request.operation != UPDATE || ! (has(oldObject.metadata.labels) && 'konflux-ci.dev/type' in oldObject.metadata.labels && oldObject.metadata.labels['konflux-ci.dev/type] == 'tenant')"
+ preconditions:
+ any:
+ - key: "{{ request.operation || '' }}"
+ operator: NotEquals
+ value: "UPDATE"
+ - key: "{{ lookup(request.oldObject.metadata.labels, 'konflux-ci.dev/type') || '' }}"
+ operator: Equals
+ value: "tenant"
 generate:
 generateExisting: true
 synchronize: false
@@ -39,9 +44,14 @@ spec:
 selector:
 matchLabels:
 konflux-ci.dev/type: tenant
- celPreconditions:
- - name: "on update, oldObject had no konflux-ci.dev/type=tenant label"
- expression: "request.operation != UPDATE || ! (has(oldObject.metadata.labels) && 'konflux-ci.dev/type' in oldObject.metadata.labels && oldObject.metadata.labels['konflux-ci.dev/type] == 'tenant')"
+ preconditions:
+ any:
+ - key: "{{ request.operation || '' }}"
+ operator: NotEquals
+ value: "UPDATE"
+ - key: "{{ lookup(request.oldObject.metadata.labels, 'konflux-ci.dev/type') || '' }}"
+ operator: Equals
+ value: "tenant"
 generate:
 generateExisting: true
 synchronize: false
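Review bot: `maxUnavailable: 2` in the added `podDisruptionBudget` block only means something relative to the admission controller's replica count, which is not visible in this hunk. With three replicas it lets a node drain leave a single webhook pod, and with two or fewer it protects nothing. Admission-webhook availability decides whether policies are enforced or requests are blocked (depending on the webhook failure policy), so the chosen budget deserves a stated rationale. I would add a comment above the block such as `# replicas=<N>: at most 2 admission pods may be evicted at once; minAvailable is nulled so only maxUnavailable applies`, with the real replica count filled in.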
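Review bot: The second `any` entry in the new `preconditions` (`operator: Equals`, `value: "tenant"`) looks inverted relative to the removed `celPreconditions`, whose name was "on update, oldObject had no konflux-ci.dev/type=tenant label" and whose expression negated the label match. As written, an UPDATE passes only when the old object already carried the tenant label, so a namespace that gains the label on update appears to be skipped while already-labelled namespaces could re-trigger generation. If the intent is unchanged, that entry should read `operator: NotEquals`; the same applies to the identical hunk at `@@ -39,9 +44,14 @@`. It is also worth confirming how `lookup(...)` behaves when `request.oldObject.metadata.labels` is absent, since `|| ''` only covers a null result. A YAML comment stating the intended condition would help now that the descriptive `name` field is gone.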