23 lines
982 B
YAML
23 lines
982 B
YAML
# Kyverno — noble (policy engine)
|
|
#
|
|
# helm repo add kyverno https://kyverno.github.io/kyverno/
|
|
# helm repo update
|
|
# kubectl apply -f clusters/noble/bootstrap/kyverno/namespace.yaml
|
|
# helm upgrade --install kyverno kyverno/kyverno -n kyverno \
|
|
# --version 3.7.1 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
|
|
#
|
|
# Baseline Pod Security policies (separate chart): see policies-values.yaml + README.md
|
|
#
|
|
# Raise Kubernetes client QPS/burst so under API/etcd load Kyverno does not hit
|
|
# "client rate limiter Wait" / flaky kyverno-health lease (defaults are very low).
|
|
# Two replicas: webhook Service keeps endpoints during rolling restarts (avoids
|
|
# apiserver "connection refused" to kyverno-svc:443 while a single pod cycles).
|
|
admissionController:
|
|
replicas: 2
|
|
# Insulate Kyverno API traffic via APF (helps when etcd/apiserver are busy).
|
|
apiPriorityAndFairness: true
|
|
container:
|
|
extraArgs:
|
|
clientRateLimitQPS: 30
|
|
clientRateLimitBurst: 60
|