Kyverno support & policy exceptions

[akyriako]

Heads-up for anyone running Kyverno alongside the Typesense Kubernetes Operator (TyKO).

Kyverno is not and will not be supported for mutating or validating operator-managed resources (StatefulSets, Pods, Services, etc.) created by TyKO.

Why?

The operator shall remain the sole reconciler of the resources it creates and owns. Kyverno mutate rules on the other hand, act as a "secondary controller" and can cause reconciliation loops, drift, or unexpected rollouts. Even validate rules can block reconciliation in ways the operator can’t reason about. This has already shown up as repeated updates, pod restarts, and unstable clusters in real setups.

Because of this, running Kyverno against operator-owned objects is undefined behavior and not something we can reliably or willingfully support.

Required Actions

If you use Kyverno, you must exclude operator-managed resources using the standard label introduced for every operator-managed resource as of the upcoming pre-release 0.3.8-rc.4:

app.kubernetes.io/managed-by=typesense-operator

Then use this label within a PolicyException, which is the cleanest Kyverno-native way to carve out workloads:

apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
  name: exclude-typesense-operator-managed
  namespace: kyverno
spec:
  exceptions:
    - policyName: "*"
      ruleNames:
        - "*"
  match:
    any:
      - resources:
          selector:
            matchLabels:
              app.kubernetes.io/managed-by: typesense-operator

This will keep Kyverno from acting as a competing controller and avoid configuration drifts.