# Kyverno — noble (policy engine)
#
# Helm values for the Kyverno chart; everything below configures the admission
# controller only.
#
# Install / upgrade:
#
#   helm repo add kyverno https://kyverno.github.io/kyverno/
#   helm repo update
#   kubectl apply -f clusters/noble/bootstrap/kyverno/namespace.yaml
#   helm upgrade --install kyverno kyverno/kyverno -n kyverno \
#     --version 3.7.1 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
#
# --version pins the chart release so installs are reproducible. The pin does
# not by itself verify the integrity of what the repository serves.
#
# Baseline Pod Security policies (separate chart): see policies-values.yaml + README.md
#
# NOTE(review): this file does not set a webhook failurePolicy. While the
# webhook is unreachable, the apiserver rejects matching requests under Fail
# and admits them without policy evaluation under Ignore. Confirm which one the
# policies chart uses, because it decides whether an outage of these pods blocks
# workloads or lets them bypass the baseline policies.
admissionController:
  # Two replicas: webhook Service keeps endpoints during rolling restarts (avoids
  # apiserver "connection refused" to kyverno-svc:443 while a single pod cycles).
  replicas: 2
  # Insulate Kyverno API traffic via APF (helps when etcd/apiserver are busy).
  # Only the chart toggle is set here. The priority level it maps to is left at
  # whatever the chart defines — presumably its default; verify against the
  # chart values.
  apiPriorityAndFairness: true
  container:
    # Raise Kubernetes client QPS/burst so under API/etcd load Kyverno does not hit
    # "client rate limiter Wait" / flaky kyverno-health lease (defaults are very low).
    extraArgs:
      clientRateLimitQPS: 30
      clientRateLimitBurst: 60