diff --git a/Makefile b/Makefile
index 57f1a445815..21c06e2f403 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
 ENABLE_GENERATOR_EXPANSION ?= false
-VERSION := v3.12.0-beta.0
+VERSION := v3.12.0-rc.0
 KIND_VERSION ?= 0.17.0
 # note: k8s version pinned since KIND image availability lags k8s releases
diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml
index 38a5497d03d..a4cca0d7ab3 100644
--- a/charts/gatekeeper/Chart.yaml
+++ b/charts/gatekeeper/Chart.yaml
@@ -4,8 +4,8 @@ name: gatekeeper
 icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg
 keywords:
 - open policy agent
-version: 3.12.0-beta.0
+version: 3.12.0-rc.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.12.0-beta.0
+appVersion: v3.12.0-rc.0
diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md
index 4278419da1c..964289353c0 100644
--- a/charts/gatekeeper/README.md
+++ b/charts/gatekeeper/README.md
@@ -68,7 +68,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` |
 | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` |
 | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
-| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-beta.0` |
+| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-rc.0` |
 | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
 | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` |
@@ -89,7 +89,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
 | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` |
 | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
-| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-beta.0` |
+| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-rc.0` |
 | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
 postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` |
@@ -97,9 +97,11 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
 | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
 | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
+| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
+| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-rc.0` |
 | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
 | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
-| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0-beta.0` |
+| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0-rc.0` |
 | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
 | preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
@@ -123,6 +125,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
 | disableValidatingWebhook | Disable the validating webhook | `false` |
 | disableMutation | Disable mutation | `false` |
+| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
 | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
 | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
 | validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
@@ -136,6 +139,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
 | maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
 | metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` |
+| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
 | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
 | mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
 | mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
@@ -143,19 +147,21 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
 | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
 | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
-| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
-| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
+| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
+| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
+| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
+| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. 
Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
 | logDenies | Log detailed info on each deny | `false` |
 | logLevel | Minimum log level | `INFO` |
 | image.pullPolicy | The image pull policy | `IfNotPresent` |
 | image.repository | Image repository | `openpolicyagent/gatekeeper` |
-| image.release | The image release tag to use | Current release version: `v3.12.0-beta.0` |
+| image.release | The image release tag to use | Current release version: `v3.12.0-rc.0` |
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
-| affinity | The node affinity to use for pod scheduling | `{}` |
-| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` |
-| tolerations | The tolerations to use for pod scheduling | `[]` |
+| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
+| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
+| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
 | controllerManager.healthPort | Health port for controller manager | `9090` |
 | controllerManager.port | Webhook-server port for controller manager | `8443` |
 | controllerManager.metricsPort | Metrics port for controller manager | `8888` |
@@ -171,6 +177,11 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
 | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
+| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
+| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
+| audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
+| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
+| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
 | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
 | audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
 | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
diff --git a/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml
new file mode 100644
index 00000000000..bab801672a6
--- /dev/null
+++ b/charts/gatekeeper/crds/assignimage-customresourcedefinition.yaml
@@ -0,0 +1,237 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml index 3a63eef3cb3..468b01fccdb 100644 --- a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml 
@@ -39,7 +39,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' @@ -250,7 +250,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' @@ -461,7 +461,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' diff --git a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml index a4da4e9e90f..737e3aff15b 100644 
--- a/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constrainttemplate-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh @@ -61,6 +61,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -156,6 +174,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -251,6 +287,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string diff --git a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml index 0deb6f630b1..95e66a8b8aa 100644 --- a/charts/gatekeeper/crds/provider-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/provider-customresourcedefinition.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh @@ -41,12 +41,12 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with http:// or https://. + description: URL is the url for the provider. URL is prefixed with https://. type: string type: object type: object served: true - storage: true + storage: false - name: v1beta1 schema: openAPIV3Schema: @@ -70,9 +70,9 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with http:// or https://. + description: URL is the url for the provider. URL is prefixed with https://. type: string type: object type: object served: true - storage: false + storage: true 
diff --git a/charts/gatekeeper/templates/_helpers.tpl b/charts/gatekeeper/templates/_helpers.tpl index 5ab6fe2b456..c486ca0039a 100644 --- a/charts/gatekeeper/templates/_helpers.tpl +++ b/charts/gatekeeper/templates/_helpers.tpl @@ -47,8 +47,9 @@ Output post install webhook probe container entry - name: webhook-probe-post image: "{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} - args: + command: - "curl" + args: - "--retry" - "99999" - "--retry-max-time" diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 3409d2f588e..a2437efc37c 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -51,10 +51,13 @@ spec: - --audit-interval={{ .Values.auditInterval }} - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} + - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --audit-from-cache={{ .Values.auditFromCache }} - --audit-chunk-size={{ .Values.auditChunkSize }} - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} - --emit-audit-events={{ .Values.emitAuditEvents }} + - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} - --operation=audit - --operation=status {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} 
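Review bot: Moving `"curl"` from `args` into `command` makes the probe container replace the probe image's ENTRYPOINT instead of appending to it, so from this hunk on the chart requires `postInstall.probeWebhook.image` to ship a plain `curl` executable on `PATH`; an image whose entrypoint was a wrapper around curl would behave differently after this change. A one-line template comment above the container entry, such as `{{/* command overrides the image ENTRYPOINT: the probe image must provide a plain curl binary */}}`, and a matching sentence on the `postInstall.probeWebhook.image.repository` README row would make that contract explicit. The `define` block that holds this container starts outside the hunk.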
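Review bot: The audit deployment now receives `--validating-webhook-configuration-name` and `--mutating-webhook-configuration-name`, but the two controller-manager deployment hunks in this commit add neither flag. If the controller's certificate injection locates the webhook configurations by those same flags and they are not already present in the untouched part of that template (not visible here), a non-default `validatingWebhookName` or `mutatingWebhookName` leaves the renamed configuration without a CA bundle, and with the documented default `validatingWebhookFailurePolicy: Ignore` the API server then skips the webhook rather than failing closed. Worth verifying against the controller-manager args and, if missing, adding the same two lines there: `- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}` and `- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}`.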
@@ -67,6 +70,10 @@ spec: {{- range .Values.metricsBackends}} - --metrics-backend={{ . }} {{- end }} + + {{- if .Values.audit.logFile}} + - --log-file={{ .Values.audit.logFile }} + {{- end }} - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} command: - /manager diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index ebb1d2559e9..95ddefa3aec 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -54,6 +54,7 @@ spec: - --logtostderr - --log-denies={{ .Values.logDenies }} - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook @@ -83,6 +84,14 @@ spec: {{- range .Values.controllerManager.exemptNamespacePrefixes}} - --exempt-namespace-prefix={{ . }} {{- end }} + + {{- range .Values.controllerManager.exemptNamespaceSuffixes}} + - --exempt-namespace-suffix={{ . }} + {{- end }} + + {{- if .Values.controllerManager.logFile}} + - --log-file={{ .Values.controllerManager.logFile }} + {{- end }} command: - /manager env: diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-network-policy.yaml new file mode 100644 index 00000000000..e05213feb46 --- /dev/null +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-network-policy.yaml 
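Review bot: The new `audit.logFile` value wired in here, and `controllerManager.logFile` plus `controllerManager.exemptNamespaceSuffixes` wired in the controller-manager hunk at `@@ -83,6 +84,14 @@`, have no rows in this commit's README diff, which only documents the webhook-name, event and scheduling values. The README rows should also carry the caveat that both containers' documented default securityContext sets `readOnlyRootFilesystem: true`, so a `logFile` path has to sit on a writable mounted volume or the process cannot open it. For `exemptNamespaceSuffixes`, the row deserves the same caution the README already attaches to `mutatingWebhookObjectSelector`: a suffix exempts every namespace whose name ends that way, including namespaces created after install, so the value should be paired with controls on who may create namespaces. The `args` list these hunks extend starts outside both hunks.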
@@ -0,0 +1,30 @@ +{{- if .Values.controllerManager.networkPolicy.enabled -}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + {{- with .Values.controllerManager.networkPolicy.ingress }} + {{- toYaml . | nindent 4 }} + {{- end }} + podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' +{{- end -}} diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index 8b32f96014b..a57b2b80c88 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml @@ -11,6 +11,13 @@ metadata: release: '{{ .Release.Name }}' name: gatekeeper-manager-role rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - '*' resources: @@ -22,7 +29,7 @@ rules: - apiGroups: - admissionregistration.k8s.io resourceNames: - - gatekeeper-mutating-webhook-configuration + - {{ .Values.mutatingWebhookName }} resources: - mutatingwebhookconfigurations verbs: @@ -153,7 +160,7 @@ rules: - apiGroups: - admissionregistration.k8s.io resourceNames: - - gatekeeper-validating-webhook-configuration + - {{ .Values.validatingWebhookName }} resources: - validatingwebhookconfigurations verbs: 
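Review bot: The default ingress peer admits only pods carrying this chart's `app`/`release` labels, yet the pod it selects is the webhook server (`gatekeeper.sh/operation: webhook`), whose callers are the kube-apiserver and any metrics scraper rather than release pods; in clusters where API-server traffic does not originate from such a pod, enabling `networkPolicy.enabled` with the default `ingress: {}` would block admission requests, and with the chart's default `validatingWebhookFailurePolicy: Ignore` those failures fail open rather than loud. Either include a rule for the control-plane source in the default, or state in the values comment that `networkPolicy.ingress` must cover the API server's source address before the policy is enabled. Declaring `policyTypes: [Ingress]` explicitly under `spec:` would also document that egress is intentionally left unrestricted.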
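Review bot: `resourceNames: - {{ .Values.mutatingWebhookName }}` interpolates the value unquoted, whereas the webhook configuration templates in the next file render the same value as `'{{ .Values.mutatingWebhookName }}'`; a value YAML would reinterpret (one containing `: ` or `#`, or a bare `yes`) would render differently in the role than in the object it is meant to scope, or fail to parse. Use `- {{ .Values.mutatingWebhookName | quote }}` here and in the `validatingWebhookName` hunk below (and in the matching pre-delete Role rules) so both render identically. The new cluster-wide `events` create/patch rule looks consistent with the added `*EventsInvolvedNamespace` options, which presumably write events into the reviewed object's namespace.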
diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index 30a23b4fb9d..0bc3bc43eb4 100644 --- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -9,7 +9,7 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-mutating-webhook-configuration + name: '{{ .Values.mutatingWebhookName }}' webhooks: - admissionReviewVersions: - v1 diff --git a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index a51dcef6bd6..f0dd85d5e5c 100644 --- a/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -9,7 +9,7 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-validating-webhook-configuration + name: '{{ .Values.validatingWebhookName }}' webhooks: - admissionReviewVersions: - v1 diff --git a/charts/gatekeeper/templates/namespace-post-install.yaml b/charts/gatekeeper/templates/namespace-post-install.yaml index 4f84b52b409..d152aee83b6 100644 --- a/charts/gatekeeper/templates/namespace-post-install.yaml +++ b/charts/gatekeeper/templates/namespace-post-install.yaml 
@@ -3,6 +3,7 @@ apiVersion: batch/v1 kind: Job metadata: name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' @@ -96,6 +97,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} labels: release: {{ .Release.Name }} heritage: {{ .Release.Service }} diff --git a/charts/gatekeeper/templates/namespace-post-upgrade.yaml b/charts/gatekeeper/templates/namespace-post-upgrade.yaml index 43a1dadd9fa..f1f7592e447 100644 --- a/charts/gatekeeper/templates/namespace-post-upgrade.yaml +++ b/charts/gatekeeper/templates/namespace-post-upgrade.yaml @@ -3,6 +3,7 @@ apiVersion: batch/v1 kind: Job metadata: name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/charts/gatekeeper/templates/upgrade-crds-hook.yaml index cd57573f37a..07b74d92dec 100644 --- a/charts/gatekeeper/templates/upgrade-crds-hook.yaml +++ b/charts/gatekeeper/templates/upgrade-crds-hook.yaml 
@@ -93,10 +93,18 @@ spec: {{- end }} containers: - name: crds-upgrade - {{- if not .Values.image.release }} - image: '{{ .Values.image.crdRepository }}' + {{- if .Values.preInstall.crdRepository.image.repository }} + {{- if not .Values.preInstall.crdRepository.image.tag }} + image: '{{ .Values.preInstall.crdRepository.image.repository }}' + {{- else }} + image: '{{ .Values.preInstall.crdRepository.image.repository }}:{{ .Values.preInstall.crdRepository.image.tag }}' + {{- end }} {{- else }} + {{- if not .Values.image.release }} + image: '{{ .Values.image.crdRepository }}' + {{- else }} image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}' + {{- end }} {{- end }} imagePullPolicy: '{{ .Values.image.pullPolicy }}' args: diff --git a/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml b/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml index d610394de36..ec52f3acb79 100644 --- a/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml +++ b/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml @@ -3,6 +3,7 @@ apiVersion: batch/v1 kind: Job metadata: name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' @@ -39,10 +40,10 @@ spec: args: - delete {{- if not .Values.disableValidatingWebhook }} - - validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration + - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} {{- end }} {{- if not .Values.disableMutation }} - - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration + - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} {{- end }} resources: {{- toYaml .Values.preUninstall.resources | nindent 10 }} 
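Review bot: In the new `preInstall.crdRepository.image.repository` branch an empty `tag` renders an untagged image reference, which the runtime resolves to the mutable `latest` tag; the README describes the tag default as the current release, so clearing it silently drops the version pin on the hook that rewrites the CRDs. Falling back to the chart's pinned release in that branch, `image: '{{ .Values.preInstall.crdRepository.image.repository }}:{{ .Values.image.release }}'`, would keep a custom repository pinned, with the untagged form reserved for an explicitly empty `image.release`. The same untagged fallback already existed for `image.crdRepository`, so this extends a pre-existing pattern rather than introducing it.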
@@ -65,6 +66,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} labels: release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -92,7 +94,7 @@ rules: resources: - validatingwebhookconfigurations resourceNames: - - gatekeeper-validating-webhook-configuration + - {{ .Values.validatingWebhookName }} verbs: - delete {{- end }} @@ -102,7 +104,7 @@ rules: resources: - mutatingwebhookconfigurations resourceNames: - - gatekeeper-mutating-webhook-configuration + - {{ .Values.mutatingWebhookName }} verbs: - delete {{- end }} diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index 823dc06f364..5dd4c692840 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml @@ -6,6 +6,7 @@ constraintViolationsLimit: 20 auditFromCache: false disableMutation: false disableValidatingWebhook: false +validatingWebhookName: gatekeeper-validating-webhook-configuration validatingWebhookTimeoutSeconds: 3 validatingWebhookFailurePolicy: Ignore validatingWebhookAnnotations: {} @@ -18,6 +19,7 @@ enableExternalData: true enableGeneratorResourceExpansion: false enableTLSHealthcheck: false maxServingThreads: -1 +mutatingWebhookName: gatekeeper-mutating-webhook-configuration mutatingWebhookFailurePolicy: Ignore mutatingWebhookReinvocationPolicy: Never mutatingWebhookAnnotations: {} 
@@ -32,13 +34,26 @@ logDenies: false logMutations: false emitAdmissionEvents: false emitAuditEvents: false +admissionEventsInvolvedNamespace: false +auditEventsInvolvedNamespace: false resourceQuota: true +image: + repository: openpolicyagent/gatekeeper + crdRepository: openpolicyagent/gatekeeper-crds + release: v3.12.0-rc.0 + pullPolicy: IfNotPresent + pullSecrets: [] +preInstall: + crdRepository: + image: + repository: null + tag: v3.12.0-rc.0 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -68,7 +83,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -107,7 +122,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] affinity: {} @@ -123,12 +138,6 @@ preUninstall: runAsGroup: 999 runAsNonRoot: true runAsUser: 1000 -image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds - release: v3.12.0-beta.0 - pullPolicy: IfNotPresent - pullSecrets: [] podAnnotations: {} podLabels: {} podCountLimit: "100" @@ -183,6 +192,12 @@ controllerManager: supplementalGroups: - 999 extraRules: [] + networkPolicy: + enabled: false + ingress: { } + # - from: + # - ipBlock: + # cidr: 0.0.0.0/0 audit: hostNetwork: false dnsPolicy: ClusterFirst diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index 38a5497d03d..a4cca0d7ab3 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml 
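Review bot: The commented example under `networkPolicy.ingress`, `cidr: 0.0.0.0/0`, is the one rule that makes the policy admit every source, so as the only example it reads as the recommended setting; a one-line comment above it such as `# example only: narrow the CIDR to the API-server/control-plane source range` would steer operators toward a meaningful allow-list. The `ingress: { }` default is also spelled differently from the `{}` used for the other empty maps in this file.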
@@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.12.0-beta.0 +version: 3.12.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.12.0-beta.0 +appVersion: v3.12.0-rc.0 diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 1a1a15f3d68..964289353c0 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -68,7 +68,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | 
@@ -89,7 +89,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | 
@@ -98,10 +98,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-rc.0` | | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0-rc.0` | | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -155,7 +155,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.12.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.12.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 2c94fc250c1..5dd4c692840 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -40,20 +40,20 @@ resourceQuota: true image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.12.0-beta.0 + release: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -83,7 +83,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -122,7 +122,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] affinity: {} diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 5eeeee9022c..e46eb5b81c8 100644 
--- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -56,7 +56,7 @@ spec: - "--operation=webhook" - "--operation=mutation-webhook" - "--disable-opa-builtin={http.send}" - image: openpolicyagent/gatekeeper:v3.12.0-beta.0 + image: openpolicyagent/gatekeeper:v3.12.0-rc.0 imagePullPolicy: Always name: manager ports: @@ -148,7 +148,7 @@ spec: - --disable-cert-rotation command: - /manager - image: openpolicyagent/gatekeeper:v3.12.0-beta.0 + image: openpolicyagent/gatekeeper:v3.12.0-rc.0 env: # used by Gatekeeper - name: POD_NAMESPACE diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml index 5b7d55b4d62..74dd24d0c77 100644 --- a/deploy/gatekeeper.yaml +++ b/deploy/gatekeeper.yaml 
@@ -790,6 +790,244 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.10.0 
@@ -829,7 +1067,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' @@ -1040,7 +1278,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' @@ -1251,7 +1489,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
@@ -1689,7 +1927,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh @@ -1748,6 +1986,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -1843,6 +2099,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -1938,6 +2212,24 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -2810,7 +3102,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 labels: gatekeeper.sh/system: "yes" name: providers.externaldata.gatekeeper.sh @@ -2849,12 +3141,12 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with http:// or https://. + description: URL is the url for the provider. URL is prefixed with https://. type: string type: object type: object served: true - storage: true + storage: false - name: v1beta1 schema: openAPIV3Schema: @@ -2878,12 +3170,12 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with http:// or https://. + description: URL is the url for the provider. URL is prefixed with https://. type: string type: object type: object served: true - storage: false + storage: true --- apiVersion: v1 kind: ServiceAccount @@ -2930,6 +3222,13 @@ metadata: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - '*' resources: 
@@ -3189,7 +3488,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.12.0-beta.0 + image: openpolicyagent/gatekeeper:v3.12.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -3306,7 +3605,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.12.0-beta.0 + image: openpolicyagent/gatekeeper:v3.12.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml index 38a5497d03d..a4cca0d7ab3 100644 --- a/manifest_staging/charts/gatekeeper/Chart.yaml +++ b/manifest_staging/charts/gatekeeper/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.12.0-beta.0 +version: 3.12.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.12.0-beta.0 +appVersion: v3.12.0-rc.0 diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 1a1a15f3d68..964289353c0 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -68,7 +68,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | @@ -89,7 +89,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | 
@@ -98,10 +98,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
 | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
-| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-beta.0` |
+| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0-rc.0` |
 | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
 | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
-| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0-beta.0` |
+| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0-rc.0` |
 | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
 | preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
@@ -155,7 +155,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.12.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.12.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 2c94fc250c1..5dd4c692840 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -40,20 +40,20 @@ resourceQuota: true image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.12.0-beta.0 + release: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 postUpgrade: labelNamespace: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -83,7 +83,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -122,7 +122,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.12.0-beta.0 + tag: v3.12.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] affinity: {} 
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 98bc929522d..74dd24d0c77 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -3488,7 +3488,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.12.0-beta.0 + image: openpolicyagent/gatekeeper:v3.12.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -3605,7 +3605,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.12.0-beta.0 + image: openpolicyagent/gatekeeper:v3.12.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: