This issue provides visibility into Renovate updates and their statuses. Learn more

This repository currently has no open or pending branches.

• Check this box to trigger a request for Renovate to run again on this repository

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

Context

New Release: https://github.com/kyverno/kyverno/releases/tag/v1.5.0

Alternatives

We're in the process of transferring more and more policies to the cloud agent.

Cloud agent already processes every pod request to apply node selectors and warn about unfair ratios.

Kyverno runs on master nodes to improve webhook latency and possibly fewer fails on network issues. Cloud agent should be scheduled on those nodes too.

Context

The component currently uses resource-locker.libjsonnet, which has been deprecated in

We should update the component to use patch-operator.libsonnet directly

We seem to generate a lot of generate requests even on the neglected and smaller beta cluster:

2500/h, possibly more if the client throttling is removed.

Can this hit us if we have bigger clusters with more quotas/namespaces?

Steps to Reproduce the Problem

See Kibana: https://logging.apps.lpg1.ocp4-poc.appuio-beta.ch/app/kibana/...

Expected Behavior

Generate requests only of something changed.

Context

As part of this component we introduced more and more kyverno policies. Some of these policies are quite complex and some are triggered by other policies.

We should add documentation on all policies and especially how they interact with each other. What I would like to have:

• Brief documentation on each policy (Might be able to auto-generate these)
• Description on some of the workflows. e.g.:
  • Namespace creation (What is checked, what is generated ..)
  • Project creation (How does the project template and kyverno policy interact)
  • Namespace quotas

Context

Our kyverno policies are starting to get very complex and when working on them we cannot easily tell if we do not introduce unintended side effects.

I would propose adding E2E tests by spinning up a local k8s cluster and testing our requirements on a high level.

Alternatives

Kyverno has the option to write unit tests, which we already use to an extend. While these can be helpful for single complex policies, they are not able to test the interaction between policies and they do little to support refactoring policies.

Context

We currently deploy the following alerting rule through the hierarchy:

parameters:
  openshift4_monitoring:
    rules:
      appuio-cloud:
        alert:UnlabelledTenantNamespace:
          expr: 'sum by (namespace) (kube_namespace_labels{namespace!~"default|cilium|syn.*|openshift.*|appuio-.*|kube-.*",label_appuio_io_organization=""}) > 0'
          for: "1m"
          annotations:
            message: |-
              Tenant namespace {{ $labels.namespace }} doesn't have the `appuio.io/organization` label.