UNCLASSIFIED - NO CUI

Update Default Resources and Service Monitors

General MR

Summary

  • Removed default limits on pods and set default requests to follow upstream recommendations
  • Removed resource requests and limits from cypress as they are the same as its defaults
  • Removed TLSConfig and Scheme for Reports Service Monitor as it is no longer needed in Sidecar or Ambient mode

Relevant logs/screenshots

Report URL now functions properly (it works without any changes in Ambient mode):

image

Validated any user provided annotations are not overridden:

kubectl get po -n anchore -o yaml | grep annotations: -A 12

--
    annotations:
      checksum/enterprise-config: 0d67f8bbe58e3ce955c1520d56883488d5054d36df0d3ef081bad57c4fa57bb1
      checksum/enterprise-envvar: 390e00305ef6946cb63998eb90c13bab5237bab662032d0184328ad03e777f6f
      checksum/secrets: 2349562a2087e9fef0cd6c75c215945cab3043e9172b74abc66ceb6723d03925
      istio.io/rev: default
      kubectl.kubernetes.io/default-container: upstream-api
      kubectl.kubernetes.io/default-logs-container: upstream-api
      myCustomAnnotation: myCustomValue
      prometheus.io/path: /stats/prometheus
      prometheus.io/port: "15020"
      prometheus.io/scrape: "true"
      sidecar.istio.io/status: '{"initContainers":["istio-init","istio-proxy"],"containers":null,"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert","istio-ca-crl"],"imagePullSecrets":["private-registry"],"revision":"default"}'
      traffic.sidecar.istio.io/excludeOutboundPorts: "8558"
--
    annotations:
      checksum/enterprise-config: 0d67f8bbe58e3ce955c1520d56883488d5054d36df0d3ef081bad57c4fa57bb1
      checksum/enterprise-envvar: 390e00305ef6946cb63998eb90c13bab5237bab662032d0184328ad03e777f6f
      checksum/secrets: 2349562a2087e9fef0cd6c75c215945cab3043e9172b74abc66ceb6723d03925
      istio.io/rev: default
      kubectl.kubernetes.io/default-container: upstream-reports
      kubectl.kubernetes.io/default-logs-container: upstream-reports
      myCustomAnnotation: myCustomValue
      prometheus.io/path: /stats/prometheus
      prometheus.io/port: "15020"
      prometheus.io/scrape: "true"
      sidecar.istio.io/status: '{"initContainers":["istio-init","istio-proxy"],"containers":null,"volumes":["workload-socket","credential-socket","workload-certs","istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert","istio-ca-crl"],"imagePullSecrets":["private-registry"],"revision":"default"}'
      traffic.sidecar.istio.io/excludeInboundPorts: "8558"

Validated port exclusion annotations are not present in ambient mode:

kubectl get po -n anchore -o yaml | grep annotations: -A 6

--
    annotations:
      ambient.istio.io/redirection: enabled
      checksum/enterprise-config: 0d67f8bbe58e3ce955c1520d56883488d5054d36df0d3ef081bad57c4fa57bb1
      checksum/enterprise-envvar: 390e00305ef6946cb63998eb90c13bab5237bab662032d0184328ad03e777f6f
      checksum/secrets: 4b939941d628329c9d65b3c1479f7abb0ea0df88fcd6240a37d6d0686b007bf6
    creationTimestamp: "2026-05-19T10:45:55Z"
    generateName: anchore-enterprise-anchore-enterprise-api-649f5dc96b-
--
    annotations:
      ambient.istio.io/redirection: enabled
      checksum/enterprise-config: 0d67f8bbe58e3ce955c1520d56883488d5054d36df0d3ef081bad57c4fa57bb1
      checksum/enterprise-envvar: 390e00305ef6946cb63998eb90c13bab5237bab662032d0184328ad03e777f6f
      checksum/secrets: e0a31944f560639bc6b3d87b435bac27f885d022767007045e53ad5f34de4467
    creationTimestamp: "2026-05-19T10:45:52Z"
    generateName: anchore-enterprise-anchore-enterprise-reports-5d97bd5d98-

Ambient Mode now shows service monitors:

Without this change they simply don't show up, and errors are seen on the Prometheus side.

image

Validated they still show up as expected when in sidecar mode also:

image

Linked Issue

Clean up resources issue Update service monitors for Ambient Reports not rendering

Upgrade Notices

N/A

Umbrella Branch

anchore-ambient-svcmonitor-fix

Edited by Jimmy Bourque
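
The two annotation checks in the description (user annotations not overridden, no port-exclusion annotations in ambient mode) can be scripted against `kubectl get po -n anchore -o json`. This is an added example, not code from the merge request or the chart; the function names and the pod names in the sample are constructed, and the annotation keys are the ones shown in the output above.

```python
import json
import sys

# Annotation keys as they appear in the kubectl output quoted in the description.
AMBIENT_KEY = "ambient.istio.io/redirection"
SIDECAR_KEY = "sidecar.istio.io/status"
EXCLUDE_PREFIX = "traffic.sidecar.istio.io/exclude"


def mesh_mode(annotations):
    """Classify a pod as 'ambient', 'sidecar' or 'none' from its annotations."""
    if annotations.get(AMBIENT_KEY) == "enabled":
        return "ambient"
    if SIDECAR_KEY in annotations:
        return "sidecar"
    return "none"


def audit_pods(pod_list, required):
    """Return (pod, finding) tuples; `required` holds user annotations that must survive."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        ann = meta.get("annotations") or {}
        for key, want in required.items():
            if ann.get(key) != want:
                findings.append((name, f"user annotation {key} missing or overridden"))
        excl = sorted(k for k in ann if k.startswith(EXCLUDE_PREFIX))
        if mesh_mode(ann) == "ambient" and excl:
            findings.append((name, "port exclusions in ambient mode: " + ", ".join(excl)))
    return findings


# Constructed sample (hypothetical pod names), used when nothing is piped in.
CUSTOM = {"myCustomAnnotation": "myCustomValue"}
SAMPLE = {"items": [
    {"metadata": {"name": "api-sidecar", "annotations": {
        **CUSTOM, SIDECAR_KEY: "{}", EXCLUDE_PREFIX + "OutboundPorts": "8558"}}},
    {"metadata": {"name": "api-ambient", "annotations": {**CUSTOM, AMBIENT_KEY: "enabled"}}},
    {"metadata": {"name": "reports-ambient-bad", "annotations": {
        AMBIENT_KEY: "enabled", EXCLUDE_PREFIX + "InboundPorts": "8558"}}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for pod_name, msg in audit_pods(data, CUSTOM):
        print(f"{pod_name}: {msg}")
```

Piping the live pod list into the script replaces the constructed sample; an empty result means both checks passed for every pod.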
