sadlerap
Contributor

Bump kyverno to v1.15.2 by updating the helm chart to v3.5.2


@sadlerap sadlerap force-pushed the kyverno-1.15-development branch from 281a573 to 18e036e Compare September 29, 2025 13:00
Member

@filariow filariow left a comment

/lgtm

@sadlerap
Contributor Author

/retest

@sadlerap sadlerap force-pushed the kyverno-1.15-development branch from 18e036e to 2e55372 Compare September 29, 2025 19:16
@openshift-ci openshift-ci bot removed the lgtm label Sep 29, 2025
Contributor

@hugares hugares left a comment

/lgtm


openshift-ci bot commented Sep 29, 2025

@sadlerap: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/konflux-e2e-v418-optional | 2e55372 | link | false | `/test konflux-e2e-v418-optional` |


@sadlerap sadlerap force-pushed the kyverno-1.15-development branch from 2e55372 to 2ec91a1 Compare September 29, 2025 22:44
@openshift-ci openshift-ci bot removed the lgtm label Sep 29, 2025
@sadlerap sadlerap force-pushed the kyverno-1.15-development branch from 2ec91a1 to 1b31135 Compare September 29, 2025 22:52
Bump kyverno to v1.15.2 by updating the helm chart to v3.5.2

Part-of: KFLUXINFRA-1963
Signed-off-by: Andy Sadler <[email protected]>

The ClusterPolicy `init-ns-integration` uses celPreconditions, which in
kyverno v1.15 are only allowed alongside cel validation rules.  Adjust
the policy to use JMESPath preconditions instead.

Part-of: KFLUXINFRA-1963
Signed-off-by: Andy Sadler <[email protected]>
@sadlerap sadlerap force-pushed the kyverno-1.15-development branch from 1b31135 to 5bd1e34 Compare September 29, 2025 23:22
@sadlerap
Contributor Author

@filariow @hugares please reapprove, I needed to repush to add a fix.

The bump from v1.13 to v1.15 introduces a new validation change in kyverno's webhooks, resulting in the following warning in argo:

admission webhook "validate-policy.kyverno.svc" denied the request: path: spec.rules[0].generate..: celPrecondition can only be used with validate.cel

One of our namespace bootstrapping policies is in violation of this validation, resulting in the second commit in this PR.

Our current chainsaw testing setup on top of kind doesn't run validation webhooks correctly (AIUI it's not picking up certs correctly, because openshift certificate manager doesn't run on our kind clusters), which is why this change fell through our testing setup. We may want to look into running our tests on openshift via prow in the future.

In good news, this validation failure was getting picked up in e2e tests, which were failing on the policies component not coming alive when trying to set up the clusters. However, e2e tests didn't trigger on the staging (#8216) and production (#8343) PRs due to this check not kicking in, which is why only this PR failed.
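
A static check that mirrors the rule in the webhook error quoted above, so that a policy of this shape is flagged even where admission webhooks are not running. This is an added example, not part of the PR or of Kyverno's code; it works on already-parsed manifests, and the function names and sample policies are constructed for illustration.

```python
# Added example: offline lint for the webhook rule quoted in the comment above.
# celPreconditions / validate.cel are the names used in the thread; the sample
# policies below are constructed and are not the repository's policies.
POLICY_KINDS = {"ClusterPolicy", "Policy"}
ACTIONS = ("generate", "mutate", "verifyImages", "validate")


def cel_precondition_violations(manifest):
    """Return one message per rule that sets celPreconditions without validate.cel."""
    if not isinstance(manifest, dict) or manifest.get("kind") not in POLICY_KINDS:
        return []  # not a Kyverno policy document
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    rules = (manifest.get("spec") or {}).get("rules") or []
    problems = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict) or not rule.get("celPreconditions"):
            continue  # field absent or empty: nothing to check
        validate = rule.get("validate")
        if isinstance(validate, dict) and validate.get("cel"):
            continue  # the one combination the error message allows
        actions = ", ".join(a for a in ACTIONS if a in rule) or "no action"
        problems.append(f"{name}: spec.rules[{i}] ({actions}): "
                        "celPreconditions set without validate.cel")
    return problems


def lint(manifests):
    """Check every parsed document; a non-empty result should fail the CI job."""
    return [p for m in manifests for p in cel_precondition_violations(m)]


def _policy(name, rule):
    """Build a minimal constructed ClusterPolicy holding a single rule."""
    return {"kind": "ClusterPolicy", "metadata": {"name": name}, "spec": {"rules": [rule]}}


CEL = [{"name": "c", "expression": "true"}]  # constructed CEL precondition
JMES = {"all": [{"key": "{{ request.operation }}", "operator": "Equals", "value": "CREATE"}]}
GENERATE_WITH_CEL = _policy("sample-generate", {"celPreconditions": CEL, "generate": {}})
GENERATE_WITH_JMESPATH = _policy("sample-fixed", {"preconditions": JMES, "generate": {}})
VALIDATE_CEL = _policy("sample-validate", {"celPreconditions": CEL,
                                           "validate": {"cel": {"expressions": [{}]}}})
VALIDATE_PATTERN_WITH_CEL = _policy("sample-pattern", {"celPreconditions": CEL,
                                                       "validate": {"pattern": {}}})

if __name__ == "__main__":
    for line in lint([GENERATE_WITH_CEL, GENERATE_WITH_JMESPATH, VALIDATE_CEL]):
        print(line)
```
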

Contributor

@hugares hugares left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Sep 29, 2025

openshift-ci bot commented Sep 29, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: filariow, hugares, sadlerap


@openshift-merge-bot openshift-merge-bot bot merged commit 776af0f into redhat-appstudio:main Sep 30, 2025
27 of 28 checks passed
@sadlerap sadlerap deleted the kyverno-1.15-development branch September 30, 2025 02:09