From 281a573d1d498c020fc5754f17c1577e58e22172 Mon Sep 17 00:00:00 2001
From: Andy Sadler <ansadler@redhat.com>
Date: Fri, 26 Sep 2025 16:18:29 -0500
Subject: [PATCH] kyverno: bump to v1.15.2 in development overlay

Bump kyverno to v1.15.2 by updating the helm chart to v3.5.2

Part-of: KFLUXINFRA-1963
Signed-off-by: Andy Sadler <ansadler@redhat.com>
---
 .../kyverno/development/kustomization.yaml    | 24 -------------------
 .../development/kyverno-helm-generator.yaml   |  5 +---
 .../development/kyverno-helm-values.yaml      |  5 ++++
 3 files changed, 6 insertions(+), 28 deletions(-)

diff --git a/components/kyverno/development/kustomization.yaml b/components/kyverno/development/kustomization.yaml
index 31467805a37..e165f0a2757 100644
--- a/components/kyverno/development/kustomization.yaml
+++ b/components/kyverno/development/kustomization.yaml
@@ -6,30 +6,6 @@ namespace: konflux-kyverno
 generators:
   - kyverno-helm-generator.yaml
 
-replacements:
-  # enforce serviceAccountName is used instead of serviceAccount in Jobs
-  # TODO: these replacements can be removed when bumping to kyverno:1.14
-  # https://github.com/kyverno/kyverno/pull/12158
-  - source:
-      group: batch
-      version: v1
-      kind: Job
-      name: konflux-kyverno-migrate-resources
-      namespace: konflux-kyverno
-      fieldPath: spec.template.spec.serviceAccount
-    targets:
-      - select:
-          group: batch
-          version: v1
-          kind: Job
-          namespace: konflux-kyverno
-          name: konflux-kyverno-migrate-resources
-        fieldPaths:
-          - spec.template.spec.serviceAccountName
-        options:
-          create: true
-
-# set resources to jobs
 patches:
   - path: job_resources.yaml
     target:
diff --git a/components/kyverno/development/kyverno-helm-generator.yaml b/components/kyverno/development/kyverno-helm-generator.yaml
index 19f3e2577bd..14cac5a982c 100644
--- a/components/kyverno/development/kyverno-helm-generator.yaml
+++ b/components/kyverno/development/kyverno-helm-generator.yaml
@@ -4,10 +4,7 @@ metadata:
   name: kyverno
 name: kyverno
 repo: https://kyverno.github.io/kyverno/
-# TODO: when bumping to kyverno:1.14 we can remove ServiceAccountName 
-# replacements from the kustomization.yaml file
-# https://github.com/kyverno/kyverno/pull/12158
-version: 3.3.7
+version: 3.5.2
 namespace: konflux-kyverno
 valuesFile: kyverno-helm-values.yaml
 releaseName: kyverno
diff --git a/components/kyverno/development/kyverno-helm-values.yaml b/components/kyverno/development/kyverno-helm-values.yaml
index f97a50bc315..d61c99bfa20 100644
--- a/components/kyverno/development/kyverno-helm-values.yaml
+++ b/components/kyverno/development/kyverno-helm-values.yaml
@@ -26,6 +26,11 @@ admissionController:
         - "ALL"
   metering:
     disabled: false
+  podDisruptionBudget:
+    enabled: true
+    maxUnavailable: 2
+    minAvailable: null
+    unhealthyPodEvictionPolicy: AlwaysAllow
   serviceMonitor:
     enabled: true
     # kyverno doesn't seem to support HTTPS on metrics