andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-charts/packages/rancher-gatekeeper/rancher-gatekeeper.patch

293 lines
11 KiB
Diff
Raw Normal View History

(dev-v2.6-archive) Initial commit (partially cherry picked from commit 44e16849c3a6108080e26c6f327f8bc60e58a671)
2020-07-21 20:22:47 +00:00
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/Chart.yaml packages/rancher-gatekeeper/charts/Chart.yaml
--- packages/rancher-gatekeeper/charts-original/Chart.yaml
+++ packages/rancher-gatekeeper/charts/Chart.yaml
(dev-v2.6-archive) copy charts from dev-charts (partially cherry picked from commit f7dd80a3c1c41affdb44231f5fedcbf0a799e204)
2020-07-30 23:09:43 +00:00
@@ -1,10 +1,16 @@
(dev-v2.6-archive) Initial commit (partially cherry picked from commit 44e16849c3a6108080e26c6f327f8bc60e58a671)
2020-07-21 20:22:47 +00:00
apiVersion: v1
description: A Helm chart for Gatekeeper
-name: gatekeeper-operator
+name: rancher-gatekeeper
keywords:
- open policy agent
-version: v3.1.0-beta.7
+version: 0.1.0
home: https://github.com/open-policy-agent/gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
appVersion: v3.1.0-beta.7
(dev-v2.6-archive) copy charts from dev-charts (partially cherry picked from commit f7dd80a3c1c41affdb44231f5fedcbf0a799e204)
2020-07-30 23:09:43 +00:00
+icon: https://dev-charts.rancher.io/logos/gatekeeper.svg
(dev-v2.6-archive) Initial commit (partially cherry picked from commit 44e16849c3a6108080e26c6f327f8bc60e58a671)
2020-07-21 20:22:47 +00:00
+annotations:
(dev-v2.6-archive) copy charts from dev-charts (partially cherry picked from commit f7dd80a3c1c41affdb44231f5fedcbf0a799e204)
2020-07-30 23:09:43 +00:00
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/experimental: true
+ catalog.cattle.io/namespace: gatekeeper-system
+ catalog.cattle.io/release-name: rancher-gatekeeper
(dev-v2.6-archive) Initial commit (partially cherry picked from commit 44e16849c3a6108080e26c6f327f8bc60e58a671)
2020-07-21 20:22:47 +00:00
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/helm-modifications/helm-modifications.yaml packages/rancher-gatekeeper/charts/helm-modifications/helm-modifications.yaml
--- packages/rancher-gatekeeper/charts-original/helm-modifications/helm-modifications.yaml
+++ packages/rancher-gatekeeper/charts/helm-modifications/helm-modifications.yaml
@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: gatekeeper-webhook-service
- namespace: gatekeeper-system
-spec:
- selector:
- app: GATEKEEPER_APP_LABEL
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: configs.config.gatekeeper.sh
- annotations:
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
-status: null
-spec:
- names:
- shortNames:
- - config # add shortName to CRD until https://github.com/kubernetes-sigs/kubebuilder/issues/404 is solved
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: constrainttemplates.templates.gatekeeper.sh
- annotations:
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
-status: null
-spec:
- names:
- shortNames:
- - constraints # add shortName to CRD until https://github.com/kubernetes-sigs/kubebuilder/issues/404 is solved
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: gatekeeper-controller-manager
- namespace: gatekeeper-system
-spec:
- replicas: HELMSUBST_DEPLOYMENT_REPLICAS
- selector:
- matchLabels:
- app: gatekeeper-operator
- release: RELEASE_NAME
- template:
- spec:
- containers:
- - name: manager
- args:
- - --audit-interval={{ .Values.auditInterval }}
- - --port=8443
- - --logtostderr
- - --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
- - --audit-from-cache={{ .Values.auditFromCache }}
- - --exempt-namespace=gatekeeper-system
- imagePullPolicy: "{{ .Values.image.pullPolicy }}"
- image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
- resources: HELMSUBST_DEPLOYMENT_CONTAINER_RESOURCES
- nodeSelector: HELMSUBST_DEPLOYMENT_POD_SCHEDULING
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/helm-modifications/kustomization.yaml packages/rancher-gatekeeper/charts/helm-modifications/kustomization.yaml
--- packages/rancher-gatekeeper/charts-original/helm-modifications/kustomization.yaml
+++ packages/rancher-gatekeeper/charts/helm-modifications/kustomization.yaml
@@ -1,9 +0,0 @@
-commonLabels:
- app: '{{ template "gatekeeper-operator.name" . }}'
- chart: '{{ template "gatekeeper-operator.name" . }}'
- release: '{{ .Release.Name }}'
- heritage: '{{ .Release.Service }}'
-resources:
- - _temp.yaml
-patchesStrategicMerge:
- - helm-modifications.yaml
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/allowedrepos.yaml packages/rancher-gatekeeper/charts/templates/allowedrepos.yaml
--- packages/rancher-gatekeeper/charts-original/templates/allowedrepos.yaml
+++ packages/rancher-gatekeeper/charts/templates/allowedrepos.yaml
@@ -0,0 +1,35 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: k8sallowedrepos
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sAllowedRepos
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ properties:
+ repos:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sallowedrepos
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.containers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.initContainers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
\ No newline at end of file
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper.yaml
@@ -485,7 +485,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name
- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
@@ -517,7 +517,7 @@
- mountPath: /certs
name: cert
readOnly: true
- nodeSelector:
+ nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl packages/rancher-gatekeeper/charts/templates/_helpers.tpl
--- packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl
+++ packages/rancher-gatekeeper/charts/templates/_helpers.tpl
@@ -42,3 +42,11 @@
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/job-constraints-crd.yaml packages/rancher-gatekeeper/charts/templates/job-constraints-crd.yaml
--- packages/rancher-gatekeeper/charts-original/templates/job-constraints-crd.yaml
+++ packages/rancher-gatekeeper/charts/templates/job-constraints-crd.yaml
@@ -0,0 +1,19 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: gatekeeper-delete-constraints-crd-job
+ annotations:
+ "helm.sh/hook": "pre-delete"
+ "helm.sh/hook-delete-policy": "hook-succeeded, before-hook-creation, hook-failed"
+spec:
+ template:
+ spec:
+ serviceAccountName: gatekeeper-admin
+ containers:
+ - name: gatekeeper-delete-constraints-crd
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "delete", "constrainttemplates", "--all"]
+ restartPolicy: Never
+ backoffLimit: 1
\ No newline at end of file
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/requiredlabels.yaml packages/rancher-gatekeeper/charts/templates/requiredlabels.yaml
--- packages/rancher-gatekeeper/charts-original/templates/requiredlabels.yaml
+++ packages/rancher-gatekeeper/charts/templates/requiredlabels.yaml
@@ -0,0 +1,57 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: k8srequiredlabels
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sRequiredLabels
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ properties:
+ message:
+ type: string
+ labels:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ allowedRegex:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8srequiredlabels
+
+ get_message(parameters, _default) = msg {
+ not parameters.message
+ msg := _default
+ }
+
+ get_message(parameters, _default) = msg {
+ msg := parameters.message
+ }
+
+ violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+ provided := {label | input.review.object.metadata.labels[label]}
+ required := {label | label := input.parameters.labels[_].key}
+ missing := required - provided
+ count(missing) > 0
+ def_msg := sprintf("you must provide labels: %v", [missing])
+ msg := get_message(input.parameters, def_msg)
+ }
+
+ violation[{"msg": msg}] {
+ value := input.review.object.metadata.labels[key]
+ expected := input.parameters.labels[_]
+ expected.key == key
+ # do not match if allowedRegex is not defined, or is an empty string
+ expected.allowedRegex != ""
+ not re_match(expected.allowedRegex, value)
+ def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
+ msg := get_message(input.parameters, def_msg)
+ }
\ No newline at end of file
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/values.yaml packages/rancher-gatekeeper/charts/values.yaml
--- packages/rancher-gatekeeper/charts-original/values.yaml
+++ packages/rancher-gatekeeper/charts/values.yaml
@@ -1,12 +1,12 @@
replicas: 1
-auditInterval: 60
+auditInterval: 300
constraintViolationsLimit: 20
auditFromCache: false
image:
- repository: quay.io/open-policy-agent/gatekeeper
- release: v3.1.0-beta.7
+ repository: rancher/opa-gatekeeper
+ tag: v3.1.0-beta.7
pullPolicy: IfNotPresent
-nodeSelector: {}
+nodeSelector: {"beta.kubernetes.io/os": "linux"}
tolerations: []
resources:
limits:
@@ -15,3 +15,8 @@
requests:
cpu: 100m
memory: 256Mi
+global:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/istio-kubectl
+ tag: 1.4.6
\ No newline at end of file