CLAUDE.md (+4 -2, 4 additions & 2 deletions)
@@ -112,8 +112,10 @@ docs/ # Documentation
112
112
- Manually create or delete ReplicationSource/ReplicationDestination (Kyverno manages these)
113
113
- Use legacy `nfs:` block for NFS PVs (mountOptions silently ignored — use CSI)
114
114
- Use `RollingUpdate` strategy on Deployments with RWO PVCs (causes Multi-Attach deadlock)
115
-
- Use `background: true` on Kyverno generate policies — **causes API server overload from continuous background scanning of all matching resources; use `background: false` and rely on admission-time generation**
116
-
- Use `mutateExistingOnPolicyUpdate: true` on Kyverno generate policies — **re-evaluates ALL matching resources cluster-wide on any policy change, creating UpdateRequest storms**
115
+
- Use `background: true` on Kyverno generate policies — **causes API server overload from continuous background scanning; use `background: false`**
116
+
- Use `mutateExistingOnPolicyUpdate: true` on Kyverno generate policies — **re-evaluates ALL matching resources cluster-wide on any policy change**
117
+
- Use `synchronize: true` on Kyverno generate policies — **drift watchers create UpdateRequests on every controller status update, hammering the API server; use `synchronize: false`**
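Review bot: the new `synchronize: true` bullet states the cost (UpdateRequests on every controller status update) but not the trade-off of `synchronize: false`, namely that generated resources are no longer re-synced on drift; since this is the top-level "never" list, one clause saying so would keep it consistent with the `infrastructure/controllers/kyverno/CLAUDE.md` hunk in the same commit, which spells that out. The shortened `background: true` bullet also drops the "rely on admission-time generation" guidance the removed line carried; that clause is what tells the reader what replaces background scanning, so consider keeping it even in the condensed form.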
infrastructure/controllers/kyverno/CLAUDE.md (+8 -3, 8 additions & 3 deletions)
@@ -207,18 +207,23 @@ spec:
207
207
208
208
**Never use `mutateExistingOnPolicyUpdate: true` on generate policies**. This re-evaluates ALL matching resources cluster-wide whenever the policy YAML changes — even a comment edit triggers it. Combined with background scanning, this caused a 23-hour API server overload incident (2026-03-25).
209
209
210
-
**The safe pattern for all Kyverno generate policies:**
210
+
**The safe pattern for all Kyverno generate policies (canonical form):**
emitWarning: false # Kyverno default — include to match canonical form for ArgoCD sync
216
+
validationFailureAction: Audit # Kyverno default — include to match canonical form for ArgoCD sync
215
217
rules:
216
218
- name: my-generate-rule
219
+
skipBackgroundRequests: true # Kyverno default — include to match canonical form for ArgoCD sync
217
220
generate:
218
-
synchronize: true# OK — sync enforcement happens via admission webhook, not background scan
221
+
synchronize: false# REQUIRED — prevents drift watchers that generate UpdateRequests on every controller status update
219
222
```
220
223
221
-
`synchronize: true` still works with `background: false` because sync is enforced through the admission controller. Generated resources are created/recreated when the trigger resource goes through admission (e.g., PVC creation via ArgoCD sync).
224
+
**Why `synchronize: false`**: With `synchronize: true`, Kyverno watches every generated resource (ExternalSecrets, ReplicationSources, etc.) and creates UpdateRequests whenever their controllers update status. With ~114 watched resources, this generates hundreds of thousands of API calls. Resources are still created on admission (PVC creation via ArgoCD sync) — they just aren't re-synced on drift.
225
+
226
+
**Why canonical form**: Kyverno's admission webhook adds `emitWarning`, `validationFailureAction`, and `skipBackgroundRequests` as defaults. If these aren't in git, ArgoCD detects the diff and shows OutOfSync. Writing the defaults explicitly keeps ArgoCD happy.
222
227
223
228
**If you need to re-process existing resources after a policy change**, do a one-time ArgoCD sync or manually trigger resource re-admission — don't enable `mutateExistingOnPolicyUpdate`.
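Review bot: the unchanged context line above the hunk still attributes the 23-hour incident (2026-03-25) to `mutateExistingOnPolicyUpdate` combined with background scanning, while the new "Why `synchronize: false`" paragraph blames drift watchers created by `synchronize: true`; the removed text explicitly called `synchronize: true` "OK" with `background: false`, so this hunk reverses that advice without saying which of the three settings actually drove the incident. A sentence reconciling the two would help a reader decide whether all three settings must be set, and "hundreds of thousands of API calls" should state its time window (per hour, per day, or over the incident). Minor: the three "Kyverno default" comments describe defaults of a specific Kyverno version; noting that version next to the canonical form would make the ArgoCD OutOfSync rationale verifiable when Kyverno is upgraded.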