diff --git a/Makefile b/Makefile
index 564bf12ba8a..4efc98d4f39 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
 ENABLE_EXTERNAL_DATA ?= false
-VERSION := v3.7.0
+VERSION := v3.8.0-rc.1
 KIND_VERSION ?= 0.11.0
 # note: k8s version pinned since KIND image availability lags k8s releases
diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml
index 5a6fd67b223..d6be21c9282 100644
--- a/charts/gatekeeper/Chart.yaml
+++ b/charts/gatekeeper/Chart.yaml
@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
 - open policy agent
-version: 3.7.0
+version: 3.8.0-rc.1
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.7.0
+appVersion: v3.8.0-rc.1
diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md
index a760cc2895f..4eb66606ade 100644
--- a/charts/gatekeeper/README.md
+++ b/charts/gatekeeper/README.md
@@ -62,69 +62,82 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi ## Parameters -| Parameter | Description | Default | -|:---------------------------------------------|:---------------------------------------------------------------------------------------|:--------------------------------------------------------------------------| -| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | -| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0` | -| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | -| psp.enabled | Enabled PodSecurityPolicy | `true` | -| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | -| auditInterval | The frequency with which audit is run | `60` | -| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | -| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | -| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. 
| `false` | -| disableValidatingWebhook | Disable the validating webhook | `false` | -| disableMutation | Disable mutation | `false` | -| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | -| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | -| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | -| enableDeleteOperations | Enable validating webhook for delete operations | `false` | -| enableExternalData | Enable external data (alpha feature) | `false` | -| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | -| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | -| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | -| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | -| logDenies | Log detailed info on each deny | `false` | -| logLevel | Minimum log level | `INFO` | -| image.pullPolicy | The image pull policy | `IfNotPresent` | -| image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.7.0` | -| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | -| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| affinity | The node affinity to use for pod scheduling | `{}` | -| tolerations | The tolerations to use for pod scheduling | `[]` | -| controllerManager.healthPort | Health port for controller manager | `9090` | -| controllerManager.port | Webhook-server port for controller manager | `8443` | -| controllerManager.metricsPort | Metrics port for controller manager | `8888` | -| 
controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | -| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | -| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | -| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `Default` | -| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | -| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | -| audit.dnsPolicy | Set the dnsPolicy for audit pods | `Default` | -| audit.healthPort | Health port for audit | `9090` | -| audit.metricsPort | Metrics port for audit | `8888` | -| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | -| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | -| podLabels | The labels to add to the Gatekeeper pods | `{}` | -| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | -| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | -| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | -| service.type | Service type | `ClusterIP` | -| service.loadBalancerIP | The IP address of LoadBalancer service | `` | -| rbac.create | Enable the creation of RBAC resources | `true` | +| Parameter | Description | Default | +| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
:------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.8.0-rc.1` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.8.0-rc.1` | +| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `60` | +| 
constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data (alpha feature) | `false` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. 
Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.8.0-rc.1` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` 
| +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` + | +| rbac.create | Enable the creation of RBAC resources | `true` | ## Contributing Changes -This Helm chart is autogenerated from the Gatekeeper static manifest. 
The
-generator code lives under `cmd/build/helmify`. To make modifications to this
-template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and
-`replacements.go` under that directory and then run `make manifests`. Your
-changes will show up in the `manifest_staging` directory and will be promoted
-to the root `charts` directory the next time a Gatekeeper release is cut.
+Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart.
diff --git a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
index 7cfecd790d9..ce84b311d14 100644
--- a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
@@ -62,9 +62,10 @@ spec: description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -83,7 +84,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -113,11 +114,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -147,13 +148,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -162,6 +164,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: 
@@ -273,9 +300,10 @@ spec: description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -294,7 +322,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -324,11 +352,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -358,13 +386,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -373,6 +402,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: diff --git a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml index 9c8ea4d4ec6..51bf7da8af0 100644 --- a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml 
@@ -42,9 +42,10 @@ spec: description: Match selects objects to apply mutations to. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -63,7 +64,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -93,11 +94,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -127,13 +128,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -141,6 +143,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: 
@@ -219,9 +246,10 @@ spec: description: Match selects objects to apply mutations to. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -240,7 +268,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -270,11 +298,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -304,13 +332,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -318,6 +347,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: diff --git a/charts/gatekeeper/crds/config-customresourcedefinition.yaml b/charts/gatekeeper/crds/config-customresourcedefinition.yaml index 9fbd4f11892..dd4fa359b4a 100644 --- a/charts/gatekeeper/crds/config-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/config-customresourcedefinition.yaml @@ -38,8 +38,8 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array processes: 
diff --git a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml index 44229fb5b6b..df77d3ecb30 100644 --- a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml @@ -62,9 +62,10 @@ spec: description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -83,7 +84,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -113,11 +114,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -147,13 +148,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -271,9 +273,10 @@ spec: description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -292,7 +295,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -322,11 +325,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -356,13 +359,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: diff --git a/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml index 1f9b144ec71..eee2ac964d5 100644 --- a/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml +++ b/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml @@ -34,4 +34,5 @@ spec: - projected - secret - downwardAPI + - emptyDir {{- end }} diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 38d8dd4f43c..542cf226153 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml 
+++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -40,7 +40,12 @@ spec: {{- toYaml .Values.audit.affinity | nindent 8 }} automountServiceAccountToken: true containers: - - args: + - {{- if .Values.image.release }} + image: {{ .Values.image.repository }}:{{ .Values.image.release }} + {{- else }} + image: {{ .Values.image.repository }} + {{- end }} + args: - --audit-interval={{ .Values.auditInterval }} - --log-level={{ .Values.logLevel }} - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} @@ -67,7 +72,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - image: '{{ .Values.image.repository }}:{{ .Values.image.release }}' imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: @@ -88,14 +92,7 @@ spec: resources: {{- toYaml .Values.audit.resources | nindent 10 }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 + {{- toYaml .Values.audit.securityContext | nindent 10}} volumeMounts: - mountPath: /tmp/audit name: tmp-volume @@ -105,7 +102,7 @@ spec: {{- toYaml .Values.image.pullSecrets | nindent 8 }} nodeSelector: {{- toYaml .Values.audit.nodeSelector | nindent 8 }} - {{- if .Values.audit.priorityClassName }} + {{- if .Values.audit.priorityClassName }} priorityClassName: {{ .Values.audit.priorityClassName }} {{- end }} serviceAccountName: gatekeeper-admin @@ -113,10 +110,10 @@ spec: tolerations: {{- toYaml .Values.audit.tolerations | nindent 8 }} volumes: - {{- if .Values.audit.writeToRAMDisk }} + {{- if .Values.audit.writeToRAMDisk }} - emptyDir: medium: Memory - {{ else }} + {{ else }} - emptyDir: {} {{- end }} name: tmp-volume diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index a2141e367a1..32bb56d283c 100644 
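Review bot: When `.Values.image.release` is empty, the new `{{- else }}` branch renders `image: {{ .Values.image.repository }}` with no tag, so the audit pod pulls whatever the registry's default tag resolves to and the deployment is no longer pinned to a release; the controller-manager deployment hunk and the upgrade-crds-hook hunk add the same fallback. If an untagged reference is intended (e.g. a repository value that already carries an `@sha256:` digest), a comment in values.yaml next to `release:` should say so; otherwise `image: {{ .Values.image.repository }}:{{ required "image.release must be set" .Values.image.release }}` fails the render instead of silently floating. The move of the hard-coded `securityContext` into `.Values.audit.securityContext` also means the template no longer enforces any hardening itself — worth a comment on the template line, `# hardening now comes entirely from values.yaml`, so a later reader knows where the floor is.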
--- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -40,7 +40,12 @@ spec: {{- toYaml .Values.controllerManager.affinity | nindent 8 }} automountServiceAccountToken: true containers: - - args: + - {{- if .Values.image.release }} + image: {{ .Values.image.repository }}:{{ .Values.image.release }} + {{- else }} + image: {{ .Values.image.repository }} + {{- end }} + args: - --port={{ .Values.controllerManager.port }} - --health-addr=:{{ .Values.controllerManager.healthPort }} - --prometheus-port={{ .Values.controllerManager.metricsPort }} @@ -51,6 +56,9 @@ spec: - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook - --enable-external-data={{ .Values.enableExternalData }} + - --log-mutations={{ .Values.logMutations }} + - --mutation-annotations={{ .Values.mutationAnnotations }} + {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} {{- range .Values.disabledBuiltins}} @@ -76,7 +84,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - image: '{{ .Values.image.repository }}:{{ .Values.image.release }}' imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: @@ -100,14 +107,7 @@ spec: resources: {{- toYaml .Values.controllerManager.resources | nindent 10 }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 + {{- toYaml .Values.controllerManager.securityContext | nindent 10}} volumeMounts: - mountPath: /certs name: cert 
@@ -118,7 +118,7 @@ spec: {{- toYaml .Values.image.pullSecrets | nindent 8 }} nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }} - {{- if .Values.controllerManager.priorityClassName }} + {{- if .Values.controllerManager.priorityClassName }} priorityClassName: {{ .Values.controllerManager.priorityClassName }} {{- end }} serviceAccountName: gatekeeper-admin diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 19e68b0cb53..ad409d1ae97 100644 --- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -25,7 +25,17 @@ webhooks: matchExpressions: - key: admission.gatekeeper.sh/ignore operator: DoesNotExist + + {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + value: {{ $value }} + {{- end }} + reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }} rules: + {{- if .Values.mutatingWebhookCustomRules }} + {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }} + {{- else }} - apiGroups: - '*' apiVersions: @@ -35,6 +45,7 @@ webhooks: - UPDATE resources: - '*' + {{- end }} sideEffects: None timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} {{- end }} diff --git a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index 4ab0e97d6e5..ba07e823b5e 100644 --- a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml 
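Review bot: The added `range` over `mutatingWebhookExemptNamespacesLabels` emits `value: {{ $value }}` for a `NotIn` requirement, but a `LabelSelectorRequirement` has `values` (a list), not `value`, so as soon as the map is non-empty the rendered MutatingWebhookConfiguration is rejected by the API server (or the field is pruned and `NotIn` fails for lacking values); the default `{}` in values.yaml hides this because the range renders nothing. The validating-webhook hunk in the next file has the identical block. Change the third line to `values:` with a list — `values: [{{ $value }}]` if each map entry is a single label value, or `{{- toYaml $value | nindent 8 }}` beneath `values:` if it is already a list. Since any namespace carrying one of these labels is exempt from mutation, a short comment on the values.yaml key stating that would help operators understand what they are opening up.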
+++ b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -25,19 +25,29 @@ webhooks: matchExpressions: - key: admission.gatekeeper.sh/ignore operator: DoesNotExist + + {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + value: {{ $value }} + {{- end }} rules: + {{- if .Values.validatingWebhookCustomRules }} + {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }} + {{- else }} - apiGroups: - '*' apiVersions: - '*' - operations: + operations: - CREATE - UPDATE {{- if .Values.enableDeleteOperations }} - DELETE - {{- end}} + {{- end }} resources: - '*' + {{- end }} sideEffects: None timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} - admissionReviewVersions: diff --git a/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml b/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml index f8f72b62e23..3c0f4453a11 100644 --- a/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml +++ b/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml @@ -10,16 +10,24 @@ metadata: name: gatekeeper-webhook-service namespace: '{{ .Release.Namespace }}' spec: + + ports: + - name: https-webhook-server + port: 443 + targetPort: webhook-server +{{- if .Values.service }} +{{- if .Values.service.healthzPort }} + - name: http-webhook-healthz + port: {{ .Values.service.healthzPort }} + targetPort: healthz + {{- end }} + {{- end }} {{- if .Values.service }} - type: {{ .Values.service.type | default "ClusterIP" }} + type: {{ .Values.service.type | default "ClusterIP" }} {{- if .Values.service.loadBalancerIP }} loadBalancerIP: {{ .Values.service.loadBalancerIP }} {{- end }} {{- end }} - ports: - - name: https-webhook-server - port: 443 - targetPort: webhook-server selector: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' 
diff --git a/charts/gatekeeper/templates/namespace-post-install.yaml b/charts/gatekeeper/templates/namespace-post-install.yaml index 41dabefd08a..0c277d92112 100644 --- a/charts/gatekeeper/templates/namespace-post-install.yaml +++ b/charts/gatekeeper/templates/namespace-post-install.yaml @@ -39,14 +39,7 @@ spec: - admission.gatekeeper.sh/ignore=no-self-managing - --overwrite securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} --- apiVersion: v1 kind: ServiceAccount diff --git a/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/charts/gatekeeper/templates/upgrade-crds-hook.yaml index 42a15381781..f69d10971d7 100644 --- a/charts/gatekeeper/templates/upgrade-crds-hook.yaml +++ b/charts/gatekeeper/templates/upgrade-crds-hook.yaml @@ -81,7 +81,11 @@ spec: {{- end }} containers: - name: crds-upgrade + {{- if not .Values.image.release }} + image: '{{ .Values.image.crdRepository }}' + {{- else }} image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}' + {{- end }} imagePullPolicy: '{{ .Values.image.pullPolicy }}' args: - apply @@ -90,14 +94,7 @@ spec: resources: {{- toYaml .Values.crds.resources | nindent 10 }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 + {{- toYaml .Values.crds.securityContext | nindent 10 }} nodeSelector: kubernetes.io/os: linux diff --git a/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml b/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml new file mode 100644 index 00000000000..93febafaff7 --- /dev/null +++ b/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml 
@@ -0,0 +1,114 @@ +{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-delete-webhook-configs + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} + imagePullSecrets: + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs + nodeSelector: + kubernetes.io/os: linux + containers: + - name: kubectl-delete + image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}" + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete + {{- if not .Values.disableValidatingWebhook }} + - validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration + {{- end }} + {{- if not .Values.disableMutation }} + - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration + {{- end }} + securityContext: + {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": 
hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{- if not .Values.disableValidatingWebhook }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - gatekeeper-validating-webhook-configuration + verbs: + - delete + {{- end }} + {{- if not .Values.disableMutation }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - gatekeeper-mutating-webhook-configuration + verbs: + - delete + {{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-delete-webhook-configs +subjects: + - kind: ServiceAccount + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index eac2fe0e92c..95df4d25b84 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml 
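Review bot: `serviceAccount: gatekeeper-delete-webhook-configs` in the Job's pod spec uses the deprecated PodSpec alias; the other templates in this chart use `serviceAccountName` (see the audit deployment hunk), so `serviceAccountName: gatekeeper-delete-webhook-configs` keeps the chart consistent. The Job also sets `restartPolicy: OnFailure` with no `backoffLimit` or `activeDeadlineSeconds`, while its ClusterRole and ClusterRoleBinding are only rendered when `.Values.rbac.create` is true — with `rbac.create: false` the `kubectl delete` is refused and the pod retries until Helm's own timeout aborts the uninstall; a `backoffLimit:` on the Job spec, or a `{{- if .Values.rbac.create }}` guard around the whole hook, would surface that configuration earlier. The ClusterRole is appropriately limited by `resourceNames` to the two webhook configurations the job deletes.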
@@ -7,14 +7,22 @@ disableMutation: false disableValidatingWebhook: false validatingWebhookTimeoutSeconds: 3 validatingWebhookFailurePolicy: Ignore +validatingWebhookExemptNamespacesLabels: {} validatingWebhookCheckIgnoreFailurePolicy: Fail +validatingWebhookCustomRules: {} enableDeleteOperations: false enableExternalData: false +enableTLSHealthcheck: false mutatingWebhookFailurePolicy: Ignore -mutatingWebhookTimeoutSeconds: 3 +mutatingWebhookReinvocationPolicy: Never +mutatingWebhookExemptNamespacesLabels: {} +mutatingWebhookTimeoutSeconds: 1 +mutatingWebhookCustomRules: {} +mutationAnnotations: false auditChunkSize: 500 logLevel: INFO logDenies: false +logMutations: false emitAdmissionEvents: false emitAuditEvents: false resourceQuota: true @@ -23,17 +31,43 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.7.0 + tag: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +preUninstall: + deleteWebhookConfigurations: + enabled: false + image: + repository: openpolicyagent/gatekeeper-crds + tag: v3.8.0-rc.1 + pullPolicy: IfNotPresent + pullSecrets: [] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.7.0 + release: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: - { container.seccomp.security.alpha.kubernetes.io/manager: runtime/default } + {container.seccomp.security.alpha.kubernetes.io/manager: runtime/default} podLabels: {} podCountLimit: 100 secretAnnotations: {} 
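Review bot: `mutatingWebhookTimeoutSeconds` drops from 3 to 1 while `mutatingWebhookFailurePolicy` stays `Ignore`, so any mutation that takes longer than one second is now skipped and the object is admitted unmutated; the validating webhook keeps 3 seconds. A comment next to the value, `# with failurePolicy Ignore, a timed-out mutation is skipped, not denied`, lets operators size this deliberately. The new `preUninstall.deleteWebhookConfigurations.*` keys also do not match the README hunk in `cmd/build/helmify/static`, which documents them as `preUninstall.deleteWebhooks.*`; one of the two should be renamed so the documented keys actually take effect.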
@@ -41,7 +75,7 @@ controllerManager: exemptNamespaces: [] exemptNamespacePrefixes: [] hostNetwork: false - dnsPolicy: Default + dnsPolicy: ClusterFirst port: 8443 metricsPort: 8888 healthPort: 9090 @@ -59,7 +93,7 @@ controllerManager: topologyKey: kubernetes.io/hostname weight: 100 tolerations: [] - nodeSelector: { kubernetes.io/os: linux } + nodeSelector: {kubernetes.io/os: linux} resources: limits: cpu: 1000m @@ -67,15 +101,24 @@ controllerManager: requests: cpu: 100m memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 audit: hostNetwork: false - dnsPolicy: Default + dnsPolicy: ClusterFirst metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical affinity: {} tolerations: [] - nodeSelector: { kubernetes.io/os: linux } + nodeSelector: {kubernetes.io/os: linux} writeToRAMDisk: false resources: limits: @@ -84,13 +127,31 @@ audit: requests: cpu: 100m memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 crds: resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 pdb: controllerManager: minAvailable: 1 service: {} -disabledBuiltins: +disabledBuiltins: ["{http.send}"] psp: enabled: true upgradeCRDs: diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index 5a6fd67b223..d6be21c9282 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml 
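Review bot: The `securityContext` blocks added under `postInstall`, `preUninstall`, `controllerManager`, `audit` and `crds` carry the hardening that the templates used to hard-code, but nothing in the file says so, and an operator can now weaken a single key (e.g. `--set audit.securityContext.runAsNonRoot=false`) with no template-side floor. A one-line comment above each block, `# pod hardening; the templates render this map verbatim, there is no built-in minimum`, makes the new responsibility explicit. `disabledBuiltins: ["{http.send}"]` likewise changes the default for existing installs — Rego policies that call `http.send` will presumably stop evaluating after the upgrade — and deserves a comment stating that intent and that setting the list back to empty restores the previous behaviour.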
@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
 - open policy agent
-version: 3.7.0
+version: 3.8.0-rc.1
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.7.0
+appVersion: v3.8.0-rc.1
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index d17923f33b4..4eb66606ade 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -66,13 +66,13 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.8.0-rc.1` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.7.0` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.8.0-rc.1` | | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, 
"capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | @@ -105,7 +105,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.7.0` | +| image.release | The image release tag to use | Current release version: `v3.8.0-rc.1` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 9fbb277b339..95df4d25b84 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -31,7 +31,7 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.7.0 + tag: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] securityContext: @@ -48,7 +48,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.7.0 + tag: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] securityContext: @@ -63,7 +63,7 @@ preUninstall: image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.7.0 + release: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index f7d2a4c79e0..2e143ef5e78 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
@@ -52,7 +52,7 @@ spec:
 - "--operation=webhook"
 - "--operation=mutation-webhook"
 - "--disable-opa-builtin={http.send}"
- image: openpolicyagent/gatekeeper:v3.7.0
+ image: openpolicyagent/gatekeeper:v3.8.0-rc.1
 imagePullPolicy: Always
 name: manager
 ports:
@@ -143,7 +143,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0
+ image: openpolicyagent/gatekeeper:v3.8.0-rc.1
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml
index 203e815cc59..8484da80bc2 100644
--- a/deploy/gatekeeper.yaml
+++ b/deploy/gatekeeper.yaml
@@ -88,9 +88,10 @@ spec:
 description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
 properties:
 excludedNamespaces:
+ description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
 items:
- description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+ description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
 type: string
 type: array
 kinds:
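Review bot: The widened `pattern` now accepts suffix globs such as `*-system` in `excludedNamespaces`, and the new description advertises exactly that example, but neither mentions that an exclusion glob is matched against a name chosen by whoever creates the namespace: anyone with namespace-create rights can name one `anything-system` and fall outside the policy. The risk existed for `kube-*` already, yet a suffix match is easier to satisfy with an innocuous-looking name. Suggest appending to the description: `Globs match the namespace name only; prefer exact names for exclusions, since any newly created namespace whose name matches the glob is exempt.` This manifest looks generated from the CRD Go types, so the wording belongs on the struct field doc comment and the file should be regenerated from it.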
@@ -109,7 +110,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -139,11 +140,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -173,13 +174,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
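Review bot: The new `scope` description lists `*`, `Cluster` and `Namespaced` as the accepted values, yet the schema stays `type: string` with no `enum`, so a typo such as `Namespace` or `cluster` passes API validation and how it is then interpreted is not visible here. Adding `enum: ["*", Cluster, Namespaced]` beneath `type: string` (through the field's validation marker, if this manifest is generated) would reject the typo when the mutator itself is applied. The `namespaces` items in the same hunk gain the same suffix-glob semantics as `excludedNamespaces`; a shared note that globs match names chosen by the namespace creator would belong on both fields.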
@@ -188,6 +190,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: 
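Review bot: Within the new `externalData` object `provider` is only `type: string`: there is no `required` list and no `minLength`, so `externalData: {}` or `provider: ""` is schema-valid and the error is deferred to whatever the mutator does at admission time. The same holds for `default`, which `failurePolicy: UseDefault` depends on yet may be absent or empty; marking `provider` required and stating in the `default` description what `UseDefault` does when no default is set would surface the misconfiguration at apply time. `dataSource: Username` presumably forwards the admission requester's username to the provider, which is worth saying explicitly, e.g. `Username: the username from the admission request is sent to the provider as the parameter`. The enclosing `assign` schema continues outside the hunk, so a `required` list may exist at a level not shown here.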
@@ -299,9 +326,10 @@ spec: description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -320,7 +348,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -350,11 +378,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -384,13 +412,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -399,6 +428,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: 
@@ -519,9 +573,10 @@ spec: description: Match selects objects to apply mutations to. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -540,7 +595,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -570,11 +625,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -604,13 +659,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -618,6 +674,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: 
@@ -696,9 +777,10 @@ spec: description: Match selects objects to apply mutations to. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -717,7 +799,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -747,11 +829,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -781,13 +863,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -795,6 +878,31 @@ spec: assign: description: Assign.value holds the value to be assigned properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object fromMetadata: description: FromMetadata assigns a value from the specified metadata field. properties: @@ -898,8 +1006,8 @@ spec: properties: excludedNamespaces: items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array processes: 
@@ -1491,9 +1599,10 @@ spec: description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. properties: excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -1512,7 +1621,7 @@ spec: type: object type: array labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -1542,11 +1651,11 @@ spec: type: object type: object name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -1576,13 +1685,14 @@ spec: type: object type: object namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) type: string type: object parameters: 
@@ -1700,9 +1810,10 @@ spec:
 description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
 properties:
 excludedNamespaces:
+ description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
 items:
- description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+ description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
 type: string
 type: array
 kinds:
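Review bot: The added `excludedNamespaces` description says "a constraint only applies to resources not in a listed namespace", but this schema sits under a match whose context line says it limits "which resources get mutated", so for this CRD the text names the wrong object. Since the same description presumably comes from a match type shared between constraints and mutators, a neutral phrasing such as `If defined, the match only applies to resources not in a listed namespace.` would be accurate for both. The `namespaces` descriptions added in the hunks at -1576 and -1785 carry the same "a constraint only applies" wording.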
@@ -1721,7 +1832,7 @@ spec:
 type: object
 type: array
 labelSelector:
- description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+ description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1751,11 +1862,11 @@ spec:
 type: object
 type: object
 name:
- description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+ description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
 type: string
 namespaceSelector:
- description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+ description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1785,13 +1896,14 @@ spec:
 type: object
 type: object
 namespaces:
+ description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
 items:
- description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+ description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
 type: string
 type: array
 scope:
- description: ResourceScope is an enum defining the different scopes available to a custom resource
+ description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
 type: string
 type: object
 parameters:
@@ -2036,6 +2148,7 @@ spec:
 - projected
 - secret
 - downwardAPI
+ - emptyDir
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -2312,7 +2425,9 @@ spec:
 - args:
 - --operation=audit
 - --operation=status
+ - --operation=mutation-status
 - --logtostderr
+ - --disable-opa-builtin={http.send}
 command:
 - /manager
 env:
@@ -2325,7 +2440,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0
+ image: openpolicyagent/gatekeeper:v3.8.0-rc.1
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
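Review bot: `--disable-opa-builtin={http.send}` on the audit container (hunk at -2312) is a sound hardening default — it takes away the policy engine's ability to make outbound HTTP requests from Rego — but it is also a behaviour change for any existing ConstraintTemplate that calls `http.send`, which will presumably be rejected at compile time after this upgrade rather than keep working; unless the release notes already say so, that deserves an explicit mention alongside the version bump. The same flag is added to the webhook container in the hunk at -2416. The braces in `{http.send}` reach the binary literally since container args are not shell-expanded, so the value has to match the format the flag parser accepts; I could not confirm that from this diff.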
@@ -2416,6 +2531,7 @@ spec:
 - --exempt-namespace=gatekeeper-system
 - --operation=webhook
 - --operation=mutation-webhook
+ - --disable-opa-builtin={http.send}
 command:
 - /manager
 env:
@@ -2428,7 +2544,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0
+ image: openpolicyagent/gatekeeper:v3.8.0-rc.1
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml
index 5a6fd67b223..d6be21c9282 100644
--- a/manifest_staging/charts/gatekeeper/Chart.yaml
+++ b/manifest_staging/charts/gatekeeper/Chart.yaml
@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
 - open policy agent
-version: 3.7.0
+version: 3.8.0-rc.1
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.7.0
+appVersion: v3.8.0-rc.1
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index d17923f33b4..4eb66606ade 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -66,13 +66,13 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.8.0-rc.1` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.7.0` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.8.0-rc.1` | | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, 
"capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | @@ -105,7 +105,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.7.0` | +| image.release | The image release tag to use | Current release version: `v3.8.0-rc.1` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 9fbb277b339..95df4d25b84 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -31,7 +31,7 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.7.0 + tag: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] securityContext: @@ -48,7 +48,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.7.0 + tag: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] securityContext: @@ -63,7 +63,7 @@ preUninstall: image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.7.0 + release: v3.8.0-rc.1 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 3ffc7a868c6..8484da80bc2 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml 
@@ -2440,7 +2440,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0
+ image: openpolicyagent/gatekeeper:v3.8.0-rc.1
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
@@ -2544,7 +2544,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0
+ image: openpolicyagent/gatekeeper:v3.8.0-rc.1
 imagePullPolicy: Always
 livenessProbe:
 httpGet: