Guilhem Lettron

Results 115 comments of Guilhem Lettron

Rules are working well. I'm only using mutations and are part of my business (isolating pods etc). I don't use any validation policy.

Absolutely not :) here is my installation:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno
resources:
- https://raw.githubusercontent.com/kyverno/kyverno/v1.7.2-rc1/config/install.yaml
images:
- name: ghcr.io/kyverno/kyverno
  newName: custom
  newTag: custom
patches:
- patch: |-
    #...
```

> Any policies that are installed? What are the matching kinds in policies?

I mainly mutate pods

```
$ kubectl get pod -A | wc -l
3283
```

Discovery on all objects and CRDs has a big impact on the API, as kyverno is watching and listing all CRDs (and here there are a lot of them). At some point,...

> what's the frequency of listing resources and updating the internal schema cache? Can you disable this?

Right now it's 15 min with a total flush of all cache. I'm...

@realshuting I think I found my problem: https://github.com/kyverno/kyverno/blob/975a2a21fa8727b69a6b79e109e3244f7826a8e0/pkg/openapi/crdSync.go#L90 Kyverno is syncing CRDs every 15s. With multiple replicas and a lot of CRDs it puts pressure on the API. I disabled it...

> @guilhem looks like kyverno is crashing, [CI logs](https://github.com/kyverno/kyverno/runs/7576155868?check_suite_focus=true#step:9:58)

I will have a look, I think it's a problem with /tmp …

ok I found the problem:

```
E0731 15:31:07.365470 1 main.go:142] setup "msg"="Failed to create dynamic client" "error"="mkdir /tmp/discovery707370330: read-only file system"
```

```yaml
securityContext:
  readOnlyRootFilesystem: true
```

> @guilhem looks like kyverno is crashing, [CI logs](https://github.com/kyverno/kyverno/runs/7576155868?check_suite_focus=true#step:9:58)

fixed

> Hi @guilhem - this is interesting, do you have any reference that I can read up more on disk-based cache VS memory-base cache? We definitely want to optimize the...