From 7e540292ad2272916b0dcac6a18c229a27aa9a99 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 16 May 2026 23:36:16 +0000 Subject: [PATCH] =?UTF-8?q?kyverno:=20bump=20background-controller=20memor?= =?UTF-8?q?y=20384Mi=20=E2=86=92=202Gi=20(OOMKilled=20processing=20keel=20?= =?UTF-8?q?URs)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The mutateExistingOnPolicyUpdate=true on inject-keel-annotations produced 176 UpdateRequests for the initial bulk scan across enrolled namespaces. At the existing 384Mi limit, kyverno-background-controller OOMKilled while processing them — no annotations got injected on existing workloads (count stuck at 30). Live state already bumped via kubectl set resources; this commit makes it durable through Terraform. Also lowered the request to 256Mi (the 384Mi floor was tight against limit; 2Gi headroom for bulk scans, 256Mi steady state). Co-Authored-By: Claude Opus 4.7 --- stacks/kyverno/modules/kyverno/main.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/stacks/kyverno/modules/kyverno/main.tf b/stacks/kyverno/modules/kyverno/main.tf index 4e64c89d..cc5fd890 100644 --- a/stacks/kyverno/modules/kyverno/main.tf +++ b/stacks/kyverno/modules/kyverno/main.tf @@ -48,12 +48,17 @@ resource "helm_release" "kyverno" { backgroundController = { resources = { + # Bumped 2026-05-16 from 384Mi → 2Gi because the controller OOMKilled + # while processing 176 UpdateRequests for the inject-keel-annotations + # mutate-existing scan. With mutateExistingOnPolicyUpdate=true the + # background controller needs significantly more memory during the + # initial bulk scan. limits = { - memory = "384Mi" + memory = "2Gi" } requests = { cpu = "100m" - memory = "384Mi" + memory = "256Mi" } } }
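Review bot: In the `requests` block, lowering `memory` from "384Mi" to "256Mi" while `limits.memory` rises to "2Gi" leaves an 8x gap between what the scheduler reserves for the pod and what the controller may use during a bulk scan. A later mutate-existing scan can therefore run on a node that does not have that headroom free, and under node memory pressure a pod running far above its request is a candidate for eviction, with the same outcome the commit message describes: the policy's mutations are not applied to existing workloads. Consider keeping the request closer to the observed peak, or recording the measured steady-state figure that justifies 256Mi. The added comment explains only the limit change; the reason for the lower request is in the commit message but not in the file, so a short comment next to `memory = "256Mi"` would keep the rationale with the value. The comment could also say that 2Gi was sized against 176 UpdateRequests, so the limit gets revisited when more namespaces are enrolled.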