diff --git a/community/assessments/projects/kyverno/self-assessment.md b/community/assessments/projects/kyverno/self-assessment.md index 1188351c0..ab62178b1 100644 --- a/community/assessments/projects/kyverno/self-assessment.md +++ b/community/assessments/projects/kyverno/self-assessment.md 
@@ -92,21 +92,31 @@ The `Admission Controller` component registers as a validating and mutating admi The `Admission Controller` also creates and updates `UpdateRequest`, `ClusterEphemeralReport` and `EphemeralReport` resources to trigger updates via other Kyverno controllers. + ### Cert Renewer On startup, Kyverno's `Cert Renewer` component generates a self-signed certificate (or uses a user-provided certificate) and stores it in Kyverno managed secret. The component also renews the generated certificate 15 days before it becomes invalid. + ### Webhook Controller On startup, Kyverno's `Webhook Controller` component auto-creates the webhook configurations required to register Kyverno as an admission webhook with the certificate fetched from Kyverno managed secret. The component also periodically monitors if Kyverno is receiving webhook events and recreates the certificate and webhook configurations if needed. + +### Report Controllers + +The `Report Controller` consumes `ClusterEphemeralReport` and `EphemeralReport` resources and creates, updates Kyverno [Policy Report](https://kyverno.io/docs/policy-reports/) resources. The component performs periodic background scans on existing configurations and creates or updates policy reports based on changes and background scans. The `Policy Controller` also watches for changes in policies definitions to update policy reports. `ClusterEphemeralReport` and `EphemeralReport` are intermediary resources and removed after being consumed. + + ### Background Controller -The `Background Controller` watches `UpdateRequest` resources and creates, updates, and deletes Kubernetes resources based on Kyverno [generate rules](https://kyverno.io/docs/writing-policies/generate/), or mutate existing Kubernetes resources based on [mutate exsiting rules](https://kyverno.io/docs/writing-policies/mutate/#mutate-existing-resources). The `Background Controller` also watches for changes in policy definitions to update generated resources. 
+The `Background Controller` watches `UpdateRequest` resources and creates, updates, and deletes Kubernetes resources based on Kyverno [generate rules](https://kyverno.io/docs/writing-policies/generate/), or mutate existing Kubernetes resources based on [mutate exsiting rules](https://kyverno.io/docs/writing-policies/mutate/#mutate-existing-resources). The `Background Controller` also watches for changes in policy definitions to update generated resources. `UpdateRequest` is an intermediary resource and removed after being consumed. -### Report Controllers -The `Report Controller` merges `ClusterEphemeralReport` and `EphemeralReport` generated by `Admission Controller` to Kyverno [Policy Report](https://kyverno.io/docs/policy-reports/). The component performs periodic background scans on existing configurations and creates or updates policy reports based on changes and background scans. The `Report Controller` watches `ClusterEphemeralReport` and `EphemeralReport` resources and creates, updates, and delete Kyverno `Policy Report` resources. The `Policy Controller` also watches for changes in policies definitions to update policy reports. +### Cleanup Controller + +The `Cleanup Controller` component cleans up existing resources by either using a declarative policy definition in a `CleanupPolicy` or `ClusterCleanupPolicy`, or by utilizing a reserved time-to-live (TTL) label added to a resource. This component registers a validation admission webhook with the TTL label key as the selector and receives filtered `AdmissionReview` requests from the API server to clean up resources with TTL label. + ## Physical Architecture
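Review bot: the rewritten `Background Controller` line on the `+` side of the hunk still carries the typo in the mutate link text ("[mutate exsiting rules]") and the verb disagreement "or mutate existing Kubernetes resources"; since this line is being replaced anyway, fix both: `... based on Kyverno [generate rules](...), or mutates existing Kubernetes resources based on [mutate existing rules](...)`. In the new `### Report Controllers` block, "creates, updates Kyverno [Policy Report]" should read "creates or updates Kyverno [Policy Report]", "policies definitions" should be "policy definitions", and the sentence "The `Policy Controller` also watches for changes ..." names a component that is not defined anywhere in this section (the heading and the preceding sentences call it the `Report Controller`); either rename it to `Report Controller` or add a `Policy Controller` entry so readers of the self-assessment can map every named component to a trust boundary. Minor wording in the added `### Cert Renewer` and `### Webhook Controller` blocks: "stores it in Kyverno managed secret" / "fetched from Kyverno managed secret" should be "a Kyverno-managed secret" in both places.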