kyverno: bump background-controller memory 384Mi → 2Gi (OOMKilled processing keel URs)

The mutateExistingOnPolicyUpdate=true on inject-keel-annotations produced 176 UpdateRequests for the initial bulk scan across enrolled namespaces. At the existing 384Mi limit, kyverno-background-controller OOMKilled while processing them — no annotations got injected on existing workloads (count stuck at 30). Live state already bumped via kubectl set resources; this commit makes it durable through Terraform. Also lowered the request to 256Mi (the 384Mi floor was tight against limit; 2Gi headroom for bulk scans, 256Mi steady state). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 23:36:16 +00:00 · 2026-05-16 23:36:16 +00:00 · 7e540292ad
commit 7e540292ad
parent 257679166b
1 changed files with 7 additions and 2 deletions
--- a/stacks/kyverno/modules/kyverno/main.tf
+++ b/stacks/kyverno/modules/kyverno/main.tf
@ -48,12 +48,17 @@ resource "helm_release" "kyverno" {

    backgroundController = {
      resources = {
+        # Bumped 2026-05-16 from 384Mi → 2Gi because the controller OOMKilled
+        # while processing 176 UpdateRequests for the inject-keel-annotations
+        # mutate-existing scan. With mutateExistingOnPolicyUpdate=true the
+        # background controller needs significantly more memory during the
+        # initial bulk scan.
        limits = {
-          memory = "384Mi"
+          memory = "2Gi"
        }
        requests = {
          cpu    = "100m"
-          memory = "384Mi"
+          memory = "256Mi"
        }
      }
    }