rancher-charts/packages/rancher-gatekeeper/rancher-gatekeeper.patch


diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/Chart.yaml packages/rancher-gatekeeper/charts/Chart.yaml
--- packages/rancher-gatekeeper/charts-original/Chart.yaml
+++ packages/rancher-gatekeeper/charts/Chart.yaml
@@ -1,10 +1,17 @@
apiVersion: v1
appVersion: v3.1.0
-description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
keywords:
-- open policy agent
-name: gatekeeper
+ - open policy agent
+ - security
+name: rancher-gatekeeper
sources:
-- https://github.com/open-policy-agent/gatekeeper.git
+ - https://github.com/open-policy-agent/gatekeeper.git
version: v3.1.0
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/README.md packages/rancher-gatekeeper/charts/README.md
--- packages/rancher-gatekeeper/charts-original/README.md
+++ packages/rancher-gatekeeper/charts/README.md
@@ -4,7 +4,7 @@
| Parameter | Description | Default |
|:--------------------------|:---------------------------------------------------------------------------------|:--------------------------------------------------------------------------|
-| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/config-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/config-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/crds/config-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/crds/config-customresourcedefinition.yaml
@@ -0,0 +1,111 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.3.0
+ helm.sh/hook-delete-policy: before-hook-creation
+ creationTimestamp: null
+ labels:
+ app: '{{ .Chart.Name }}'
+ chart: '{{ .Chart.Name }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: configs.config.gatekeeper.sh
+spec:
+ group: config.gatekeeper.sh
+ names:
+ kind: Config
+ listKind: ConfigList
+ plural: configs
+ shortNames:
+ - config
+ singular: config
+ scope: Namespaced
+ validation:
+ openAPIV3Schema:
+ description: Config is the Schema for the configs API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ConfigSpec defines the desired state of Config
+ properties:
+ match:
+ description: Configuration for namespace exclusion
+ items:
+ properties:
+ excludedNamespaces:
+ items:
+ type: string
+ type: array
+ processes:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ readiness:
+ description: Configuration for readiness tracker
+ properties:
+ statsEnabled:
+ type: boolean
+ type: object
+ sync:
+ description: Configuration for syncing k8s objects
+ properties:
+ syncOnly:
+ description: If non-empty, only entries on this list will be replicated into OPA
+ items:
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ type: object
+ type: array
+ type: object
+ validation:
+ description: Configuration for validation
+ properties:
+ traces:
+ description: List of requests to trace. Both "user" and "kinds" must be specified
+ items:
+ properties:
+ dump:
+ description: Also dump the state of OPA with the trace. Set to `All` to dump everything.
+ type: string
+ kind:
+ description: Only trace requests of the following GroupVersionKind
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ type: object
+ user:
+ description: Only trace requests from the specified user
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ status:
+ description: ConfigStatus defines the observed state of Config
+ type: object
+ type: object
+ version: v1alpha1
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
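Review bot: The file added under crds/ still carries Helm template expressions — `app: '{{ .Chart.Name }}'`, `chart: '{{ .Chart.Name }}'`, `heritage: '{{ .Release.Service }}'` and `release: '{{ .Release.Name }}'` in the metadata labels near the top of this hunk — but Helm 3 applies crds/ as plain YAML without running the template engine, so unless a build step renders these files before packaging, the braces land verbatim in the label values and the API server rejects the CRD on install. Either hard-code the label values (e.g. `app: rancher-gatekeeper`) or drop the release-specific labels from the crds/ copies. The `helm.sh/hook-delete-policy: before-hook-creation` annotation also has no effect here, since crds/ files are not hooks and Helm never upgrades or deletes them. The same applies to the constraintpodstatus, constrainttemplate and constrainttemplatepodstatus CRD files added later in this patch.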
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/constraintpodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/constraintpodstatus-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/crds/constraintpodstatus-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/crds/constraintpodstatus-customresourcedefinition.yaml
@@ -0,0 +1,78 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.3.0
+ creationTimestamp: null
+ labels:
+ app: '{{ .Chart.Name }}'
+ chart: '{{ .Chart.Name }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: constraintpodstatuses.status.gatekeeper.sh
+spec:
+ group: status.gatekeeper.sh
+ names:
+ kind: ConstraintPodStatus
+ listKind: ConstraintPodStatusList
+ plural: constraintpodstatuses
+ singular: constraintpodstatus
+ scope: Namespaced
+ validation:
+ openAPIV3Schema:
+ description: ConstraintPodStatus is the Schema for the constraintpodstatuses API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ status:
+ description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus
+ properties:
+ constraintUID:
+ description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch
+ type: string
+ enforced:
+ type: boolean
+ errors:
+ items:
+ description: Error represents a single error caught while adding a constraint to OPA
+ properties:
+ code:
+ type: string
+ location:
+ type: string
+ message:
+ type: string
+ required:
+ - code
+ - message
+ type: object
+ type: array
+ id:
+ type: string
+ observedGeneration:
+ format: int64
+ type: integer
+ operations:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ version: v1beta1
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/constrainttemplate-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/constrainttemplate-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/crds/constrainttemplate-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/crds/constrainttemplate-customresourcedefinition.yaml
@@ -0,0 +1,106 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/hook-delete-policy: before-hook-creation
+ creationTimestamp: null
+ labels:
+ app: '{{ .Chart.Name }}'
+ chart: '{{ .Chart.Name }}'
+ controller-tools.k8s.io: "1.0"
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: constrainttemplates.templates.gatekeeper.sh
+spec:
+ group: templates.gatekeeper.sh
+ names:
+ kind: ConstraintTemplate
+ plural: constrainttemplates
+ shortNames:
+ - constraints
+ scope: Cluster
+ subresources:
+ status: {}
+ validation:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ crd:
+ properties:
+ spec:
+ properties:
+ names:
+ properties:
+ kind:
+ type: string
+ shortNames:
+ items:
+ type: string
+ type: array
+ type: object
+ validation:
+ type: object
+ type: object
+ type: object
+ targets:
+ items:
+ properties:
+ libs:
+ items:
+ type: string
+ type: array
+ rego:
+ type: string
+ target:
+ type: string
+ type: object
+ type: array
+ type: object
+ status:
+ properties:
+ byPod:
+ items:
+ properties:
+ errors:
+ items:
+ properties:
+ code:
+ type: string
+ location:
+ type: string
+ message:
+ type: string
+ required:
+ - code
+ - message
+ type: object
+ type: array
+ id:
+ description: a unique identifier for the pod that wrote the status
+ type: string
+ observedGeneration:
+ format: int64
+ type: integer
+ type: object
+ type: array
+ created:
+ type: boolean
+ type: object
+ version: v1beta1
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ - name: v1alpha1
+ served: true
+ storage: false
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/crds/constrainttemplatepodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
@@ -0,0 +1,77 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.3.0
+ creationTimestamp: null
+ labels:
+ app: '{{ .Chart.Name }}'
+ chart: '{{ .Chart.Name }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: constrainttemplatepodstatuses.status.gatekeeper.sh
+spec:
+ group: status.gatekeeper.sh
+ names:
+ kind: ConstraintTemplatePodStatus
+ listKind: ConstraintTemplatePodStatusList
+ plural: constrainttemplatepodstatuses
+ singular: constrainttemplatepodstatus
+ scope: Namespaced
+ validation:
+ openAPIV3Schema:
+ description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ status:
+ description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus
+ properties:
+ errors:
+ items:
+ description: CreateCRDError represents a single error caught during parsing, compiling, etc.
+ properties:
+ code:
+ type: string
+ location:
+ type: string
+ message:
+ type: string
+ required:
+ - code
+ - message
+ type: object
+ type: array
+ id:
+ description: 'Important: Run "make" to regenerate code after modifying this file'
+ type: string
+ observedGeneration:
+ format: int64
+ type: integer
+ operations:
+ items:
+ type: string
+ type: array
+ templateUID:
+ description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
+ type: string
+ type: object
+ type: object
+ version: v1beta1
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl packages/rancher-gatekeeper/charts/templates/_helpers.tpl
--- packages/rancher-gatekeeper/charts-original/templates/_helpers.tpl
+++ packages/rancher-gatekeeper/charts/templates/_helpers.tpl
@@ -42,3 +42,11 @@
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
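Review bot: `printf "%s/"` appends a slash unconditionally, so a `systemDefaultRegistry` value written with a trailing slash renders the image reference as `registry//rancher/...`; normalising first with `{{- printf "%s/" (.Values.global.cattle.systemDefaultRegistry | trimSuffix "/") -}}` avoids that. The `{{- else -}}` / `{{- "" -}}` branch emits nothing and can be dropped, leaving just the `if`. The file also ends without a trailing newline (the `\ No newline at end of file` marker), which every later diff of this helper will keep flagging.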
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/config-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/config-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/templates/config-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/templates/config-customresourcedefinition.yaml
@@ -1,112 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.3.0
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
- creationTimestamp: null
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: configs.config.gatekeeper.sh
-spec:
- group: config.gatekeeper.sh
- names:
- kind: Config
- listKind: ConfigList
- plural: configs
- shortNames:
- - config
- singular: config
- scope: Namespaced
- validation:
- openAPIV3Schema:
- description: Config is the Schema for the configs API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: ConfigSpec defines the desired state of Config
- properties:
- match:
- description: Configuration for namespace exclusion
- items:
- properties:
- excludedNamespaces:
- items:
- type: string
- type: array
- processes:
- items:
- type: string
- type: array
- type: object
- type: array
- readiness:
- description: Configuration for readiness tracker
- properties:
- statsEnabled:
- type: boolean
- type: object
- sync:
- description: Configuration for syncing k8s objects
- properties:
- syncOnly:
- description: If non-empty, only entries on this list will be replicated into OPA
- items:
- properties:
- group:
- type: string
- kind:
- type: string
- version:
- type: string
- type: object
- type: array
- type: object
- validation:
- description: Configuration for validation
- properties:
- traces:
- description: List of requests to trace. Both "user" and "kinds" must be specified
- items:
- properties:
- dump:
- description: Also dump the state of OPA with the trace. Set to `All` to dump everything.
- type: string
- kind:
- description: Only trace requests of the following GroupVersionKind
- properties:
- group:
- type: string
- kind:
- type: string
- version:
- type: string
- type: object
- user:
- description: Only trace requests from the specified user
- type: string
- type: object
- type: array
- type: object
- type: object
- status:
- description: ConfigStatus defines the observed state of Config
- type: object
- type: object
- version: v1alpha1
- versions:
- - name: v1alpha1
- served: true
- storage: true
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/constraintpodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/constraintpodstatus-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/templates/constraintpodstatus-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/templates/constraintpodstatus-customresourcedefinition.yaml
@@ -1,78 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.3.0
- creationTimestamp: null
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: constraintpodstatuses.status.gatekeeper.sh
-spec:
- group: status.gatekeeper.sh
- names:
- kind: ConstraintPodStatus
- listKind: ConstraintPodStatusList
- plural: constraintpodstatuses
- singular: constraintpodstatus
- scope: Namespaced
- validation:
- openAPIV3Schema:
- description: ConstraintPodStatus is the Schema for the constraintpodstatuses API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- status:
- description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus
- properties:
- constraintUID:
- description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch
- type: string
- enforced:
- type: boolean
- errors:
- items:
- description: Error represents a single error caught while adding a constraint to OPA
- properties:
- code:
- type: string
- location:
- type: string
- message:
- type: string
- required:
- - code
- - message
- type: object
- type: array
- id:
- type: string
- observedGeneration:
- format: int64
- type: integer
- operations:
- items:
- type: string
- type: array
- type: object
- type: object
- version: v1beta1
- versions:
- - name: v1beta1
- served: true
- storage: true
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/constrainttemplate-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/constrainttemplate-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/templates/constrainttemplate-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/templates/constrainttemplate-customresourcedefinition.yaml
@@ -1,107 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
- creationTimestamp: null
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- controller-tools.k8s.io: "1.0"
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: constrainttemplates.templates.gatekeeper.sh
-spec:
- group: templates.gatekeeper.sh
- names:
- kind: ConstraintTemplate
- plural: constrainttemplates
- shortNames:
- - constraints
- scope: Cluster
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- properties:
- crd:
- properties:
- spec:
- properties:
- names:
- properties:
- kind:
- type: string
- shortNames:
- items:
- type: string
- type: array
- type: object
- validation:
- type: object
- type: object
- type: object
- targets:
- items:
- properties:
- libs:
- items:
- type: string
- type: array
- rego:
- type: string
- target:
- type: string
- type: object
- type: array
- type: object
- status:
- properties:
- byPod:
- items:
- properties:
- errors:
- items:
- properties:
- code:
- type: string
- location:
- type: string
- message:
- type: string
- required:
- - code
- - message
- type: object
- type: array
- id:
- description: a unique identifier for the pod that wrote the status
- type: string
- observedGeneration:
- format: int64
- type: integer
- type: object
- type: array
- created:
- type: boolean
- type: object
- version: v1beta1
- versions:
- - name: v1beta1
- served: true
- storage: true
- - name: v1alpha1
- served: true
- storage: false
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/constrainttemplatepodstatus-customresourcedefinition.yaml packages/rancher-gatekeeper/charts/templates/constrainttemplatepodstatus-customresourcedefinition.yaml
--- packages/rancher-gatekeeper/charts-original/templates/constrainttemplatepodstatus-customresourcedefinition.yaml
+++ packages/rancher-gatekeeper/charts/templates/constrainttemplatepodstatus-customresourcedefinition.yaml
@@ -1,77 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.3.0
- creationTimestamp: null
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: constrainttemplatepodstatuses.status.gatekeeper.sh
-spec:
- group: status.gatekeeper.sh
- names:
- kind: ConstraintTemplatePodStatus
- listKind: ConstraintTemplatePodStatusList
- plural: constrainttemplatepodstatuses
- singular: constrainttemplatepodstatus
- scope: Namespaced
- validation:
- openAPIV3Schema:
- description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- status:
- description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus
- properties:
- errors:
- items:
- description: CreateCRDError represents a single error caught during parsing, compiling, etc.
- properties:
- code:
- type: string
- location:
- type: string
- message:
- type: string
- required:
- - code
- - message
- type: object
- type: array
- id:
- description: 'Important: Run "make" to regenerate code after modifying this file'
- type: string
- observedGeneration:
- format: int64
- type: integer
- operations:
- items:
- type: string
- type: array
- templateUID:
- description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
- type: string
- type: object
- type: object
- version: v1beta1
- versions:
- - name: v1beta1
- served: true
- storage: true
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-admin-serviceaccount.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-admin-serviceaccount.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-admin-serviceaccount.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-admin-serviceaccount.yaml
@@ -8,4 +8,4 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-audit-deployment.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-audit-deployment.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-audit-deployment.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-audit-deployment.yaml
@@ -10,7 +10,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-audit
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
spec:
replicas: 1
selector:
@@ -58,7 +58,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name
- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-controller-manager-deployment.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-controller-manager-deployment.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -10,7 +10,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
spec:
replicas: {{ .Values.replicas }}
selector:
@@ -67,7 +67,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name
- image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-role-role.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-role-role.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-role-role.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-role-role.yaml
@@ -9,7 +9,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-role
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
rules:
- apiGroups:
- ""
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
@@ -15,4 +15,4 @@
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-rolebinding.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
@@ -8,7 +8,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-rolebinding
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -16,4 +16,4 @@
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-system-namespace.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-system-namespace.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-system-namespace.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-system-namespace.yaml
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- admission.gatekeeper.sh/ignore: no-self-managing
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- control-plane: controller-manager
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-system
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -15,7 +15,7 @@
caBundle: Cg==
service:
name: gatekeeper-webhook-service
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
path: /v1/admit
failurePolicy: Ignore
name: validation.gatekeeper.sh
@@ -39,7 +39,7 @@
caBundle: Cg==
service:
name: gatekeeper-webhook-service
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
path: /v1/admitlabel
failurePolicy: Fail
name: check-ignore-label.gatekeeper.sh
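Review bot: The `check-ignore-label.gatekeeper.sh` webhook at the end of this hunk keeps `failurePolicy: Fail` and now targets a service in `{{ .Release.Namespace }}`, while this same patch deletes the templated `gatekeeper-system` Namespace that carried the `admission.gatekeeper.sh/ignore: no-self-managing` label. Upstream sets that label so Gatekeeper's webhooks skip its own namespace; with the Namespace object gone from the chart, nothing here guarantees the release namespace (`cattle-gatekeeper-system` per the Chart.yaml annotation) carries it, which looks like a self-dependency risk for Gatekeeper's own pods and webhook service — worth confirming against how the ignore label is handled. Either document that the namespace must be created with `admission.gatekeeper.sh/ignore: no-self-managing` before install, or keep a templated label on the release namespace in the chart. The webhook list continues outside the hunk.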
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-server-cert-secret.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-server-cert-secret.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-server-cert-secret.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-server-cert-secret.yaml
@@ -8,4 +8,4 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-server-cert
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-service-service.yaml packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-service-service.yaml
--- packages/rancher-gatekeeper/charts-original/templates/gatekeeper-webhook-service-service.yaml
+++ packages/rancher-gatekeeper/charts/templates/gatekeeper-webhook-service-service.yaml
@@ -8,7 +8,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-service
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
spec:
ports:
- port: 443
diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-gatekeeper/charts-original/values.yaml packages/rancher-gatekeeper/charts/values.yaml
--- packages/rancher-gatekeeper/charts-original/values.yaml
+++ packages/rancher-gatekeeper/charts/values.yaml
@@ -1,5 +1,5 @@
replicas: 3
-auditInterval: 60
+auditInterval: 300
constraintViolationsLimit: 20
auditFromCache: false
disableValidatingWebhook: false
@@ -8,8 +8,8 @@
emitAdmissionEvents: false
emitAuditEvents: false
image:
- repository: openpolicyagent/gatekeeper
- release: v3.1.0
+ repository: rancher/openpolicyagent-gatekeeper
+ tag: v3.1.0
pullPolicy: IfNotPresent
nodeSelector: { kubernetes.io/os: linux }
affinity: {}
@@ -23,3 +23,9 @@
requests:
cpu: 100m
memory: 256Mi
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.18.6
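Review bot: The new `global.kubectl.repository` and `global.kubectl.tag` values are not referenced by any template in this patch, so as of this change they are dead configuration; if a job that consumes them is meant to land separately, a comment such as `# consumed by a kubectl-based job outside this patch — confirm` above `kubectl:` would make the dependency visible, otherwise drop them. The rename of `image.release` to `image.tag` is applied consistently in both deployment templates, but the README hunk in this patch only updates `auditInterval`, so check whether the README parameter table still documents `image.release`. `auditInterval: 300` matches the README change.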