andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1463 from rayandas/rayan-3.6.0 

Update gatekeeper to 3.6.0
pull/1471/head
Denise 2021-09-13 16:28:14 -07:00 committed by GitHub
parent 33db418568 f937248a10
commit 6c7e71e7ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
50 changed files with 2581 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/rancher-gatekeeper/rancher-gatekeeper-100.0.1+up3.6.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-gatekeeper/rancher-gatekeeper-crd-100.0.1+up3.6.0.tgz Normal file
View File

Binary file not shown.

10
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/release-name: rancher-gatekeeper-crd
apiVersion: v1
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application
version: 100.0.1+up3.6.0

2
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/README.md Normal file
View File

@ -0,0 +1,2 @@
# rancher-gatekeeper-crd
A Rancher chart that installs the CRDs used by rancher-gatekeeper.

209
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/crd-manifest/assign-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,209 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: assign.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: Assign
listKind: AssignList
plural: assign
singular: assign
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Assign is the Schema for the assign API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignSpec defines the desired state of Assign.
properties:
applyTo:
description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
type: string
match:
description: Match selects objects to apply mutations to.
properties:
excludedNamespaces:
items:
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
items:
type: string
type: array
scope:
description: ResourceScope is an enum defining the different scopes available to a custom resource
type: string
type: object
parameters:
properties:
assign:
description: Assign.value holds the value to be assigned
type: object
x-kubernetes-preserve-unknown-fields: true
assignIf:
description: once https://github.com/kubernetes-sigs/controller-tools/pull/528 is merged, we can use an actual object
type: object
pathTests:
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
type: object
type: object
status:
description: AssignStatus defines the observed state of Assign.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}

174
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/crd-manifest/assignmetadata-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,174 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: assignmetadata.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: AssignMetadata
listKind: AssignMetadataList
plural: assignmetadata
singular: assignmetadata
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: AssignMetadata is the Schema for the assignmetadata API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignMetadataSpec defines the desired state of AssignMetadata.
properties:
location:
type: string
match:
description: Match selects objects to apply mutations to.
properties:
excludedNamespaces:
items:
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaceSelector:
description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
items:
type: string
type: array
scope:
description: ResourceScope is an enum defining the different scopes available to a custom resource
type: string
type: object
parameters:
properties:
assign:
description: Assign.value holds the value to be assigned
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
status:
description: AssignMetadataStatus defines the observed state of AssignMetadata.
properties:
byPod:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}

105
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/crd-manifest/config-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,105 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: configs.config.gatekeeper.sh
spec:
group: config.gatekeeper.sh
names:
kind: Config
listKind: ConfigList
plural: configs
singular: config
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Config is the Schema for the configs API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConfigSpec defines the desired state of Config.
properties:
match:
description: Configuration for namespace exclusion
items:
properties:
excludedNamespaces:
items:
description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
processes:
items:
type: string
type: array
type: object
type: array
readiness:
description: Configuration for readiness tracker
properties:
statsEnabled:
type: boolean
type: object
sync:
description: Configuration for syncing k8s objects
properties:
syncOnly:
description: If non-empty, only entries on this list will be replicated into OPA
items:
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
type: array
type: object
validation:
description: Configuration for validation
properties:
traces:
description: List of requests to trace. Both "user" and "kinds" must be specified
items:
properties:
dump:
description: Also dump the state of OPA with the trace. Set to `All` to dump everything.
type: string
kind:
description: Only trace requests of the following GroupVersionKind
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
user:
description: Only trace requests from the specified user
type: string
type: object
type: array
type: object
type: object
status:
description: ConfigStatus defines the observed state of Config.
type: object
type: object
served: true
storage: true

67
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,67 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: constraintpodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ConstraintPodStatus
listKind: ConstraintPodStatusList
plural: constraintpodstatuses
singular: constraintpodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintPodStatus is the Schema for the constraintpodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus.
properties:
constraintUID:
description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
enforced:
type: boolean
errors:
items:
description: Error represents a single error caught while adding a constraint to OPA.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: object
served: true
storage: true

297
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,297 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: constrainttemplates.templates.gatekeeper.sh
spec:
group: templates.gatekeeper.sh
names:
kind: ConstraintTemplate
listKind: ConstraintTemplateList
plural: constrainttemplates
singular: constrainttemplate
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
properties:
legacySchema:
default: false
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1alpha1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
properties:
legacySchema:
default: true
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
properties:
legacySchema:
default: true
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: false
subresources:
status: {}

66
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,66 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: constrainttemplatepodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ConstraintTemplatePodStatus
listKind: ConstraintTemplatePodStatusList
plural: constrainttemplatepodstatuses
singular: constrainttemplatepodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus.
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: object
served: true
storage: true

62
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: mutatorpodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: MutatorPodStatus
listKind: MutatorPodStatusList
plural: mutatorpodstatuses
singular: mutatorpodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: MutatorPodStatus is the Schema for the mutationpodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: object
served: true
storage: true

7
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,7 @@
# Rancher
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}

92
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/templates/jobs.yaml Normal file
View File

@ -0,0 +1,92 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-create
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": post-install, post-upgrade, post-rollback
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-create
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: create-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-delete
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-delete
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
securityContext:
runAsNonRoot: true
runAsUser: 1000
initContainers:
- name: remove-finalizers
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
containers:
- name: delete-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- delete
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest

14
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/templates/manifest.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Chart.Name }}-manifest
namespace: {{ .Release.Namespace }}
data:
crd-manifest.yaml: |
{{- $currentScope := . -}}
{{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}}
{{- range $path, $_ := $crds -}}
{{- with $currentScope -}}
{{ .Files.Get $path | nindent 4 }}
---
{{- end -}}{{- end -}}

72
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/templates/rbac.yaml Normal file
View File

@ -0,0 +1,72 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs: ['create', 'get', 'patch', 'delete']
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ .Chart.Name }}-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Chart.Name }}-manager
subjects:
- kind: ServiceAccount
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'configMap'
- 'secret'

11
charts/rancher-gatekeeper/rancher-gatekeeper-crd/100.0.1+up3.6.0/values.yaml Normal file
View File

@ -0,0 +1,11 @@
# Default values for rancher-gatekeeper-crd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
cattle:
systemDefaultRegistry: ""
image:
repository: rancher/kubectl
tag: v1.20.2

21
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

15
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/CHANGELOG.md Normal file
View File

@ -0,0 +1,15 @@
# Changelog
All notable changes from the upstream OPA Gatekeeper chart will be added to this file
## [Package Version 00] - 2020-09-10
### Added
- Enabled the CRD chart generator in `package.yaml`
### Modified
- Updated namespace to `cattle-gatekeeper-system`
- Updated for Helm 3 compatibility
- Moved crds to `crds` directory
- Removed `crd-install` hooks and templates from crds
### Removed
- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation

23
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/Chart.yaml Normal file
View File

@ -0,0 +1,23 @@
annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: OPA Gatekeeper
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/os: linux
catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
catalog.cattle.io/release-name: rancher-gatekeeper
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.6.0
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
keywords:
- open policy agent
- security
name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 100.0.1+up3.6.0

121
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/README.md Normal file
View File

@ -0,0 +1,121 @@
# Gatekeeper Helm Chart
## Get Repo Info
```console
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
```console
# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
_See [parameters](#parameters) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Upgrade Chart
**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
```console
$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
```console
$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
```
**Upgrading from >= v3.4.0**
```console
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
```
_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._
## Exempting Namespace
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
## Parameters
| Parameter | Description | Default |
| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` |
| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| enableDeleteOperations | Enable validating webhook for delete operations | `false` |
| experimentalEnableMutation | Enable mutation (alpha feature) | `false` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.6.0` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| controllerManager.healthPort | Health port for controller manager | `9090` |
| controllerManager.port | Webhook-server port for controller manager | `8443` |
| controllerManager.metricsPort | Metrics port for controller manager | `8888` |
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| controllerManager.exemptNamespaces | The namespaces to exempt | `[]` |
| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
| audit.healthPort | Health port for audit | `9090` |
| audit.metricsPort | Metrics port for audit | `8888` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
| podCountLimit | The maximum number of Gatekeeper pods to run | `100` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |
| service.type | Service type | `ClusterIP` |
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
## Contributing Changes
This Helm chart is autogenerated from the Gatekeeper static manifest. The
generator code lives under `cmd/build/helmify`. To make modifications to this
template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and
`replacements.go` under that directory and then run `make manifests`. Your
changes will show up in the `manifest_staging` directory and will be promoted
to the root `charts` directory the next time a Gatekeeper release is cut.

14
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/app-readme.md Normal file
View File

@ -0,0 +1,14 @@
# Rancher OPA Gatekeeper
This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart.
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/).
The chart installs the following components:
- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster.
- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations.
- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources.
- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to).
For more information on how to configure the Helm chart, refer to the Helm README.

49
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,49 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "gatekeeper.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "gatekeeper.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gatekeeper.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Adds additional pod labels to the common ones
*/}}
{{- define "gatekeeper.podLabels" -}}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

35
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/allowedrepos.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
spec:
crd:
spec:
names:
kind: K8sAllowedRepos
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
repos:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sallowedrepos
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
violation[{"msg": msg}] {
container := input.review.object.spec.initContainers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}

35
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-admin-podsecuritypolicy.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- projected
- secret
- downwardAPI

11
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-admin-serviceaccount.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
namespace: '{{ .Release.Namespace }}'

108
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-audit-deployment.yaml Normal file
View File

@ -0,0 +1,108 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-audit
namespace: '{{ .Release.Namespace }}'
spec:
replicas: 1
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
spec:
affinity:
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- args:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ .Values.logLevel }}
- --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
- --audit-from-cache={{ .Values.auditFromCache }}
- --audit-chunk-size={{ .Values.auditChunkSize }}
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
- --emit-audit-events={{ .Values.emitAuditEvents }}
- --operation=audit
- --operation=status
- --logtostderr
- --health-addr=:{{ .Values.audit.healthPort }}
- --prometheus-port={{ .Values.audit.metricsPort }}
command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.audit.healthPort }}
name: manager
ports:
- containerPort: {{ .Values.audit.metricsPort }}
name: metrics
protocol: TCP
- containerPort: {{ .Values.audit.healthPort }}
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: {{ .Values.audit.healthPort }}
resources:
{{- toYaml .Values.audit.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets:
{{- toYaml .Values.image.pullSecrets | nindent 8 }}
nodeSelector:
{{- toYaml .Values.audit.nodeSelector | nindent 8 }}
{{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
tolerations:
{{- toYaml .Values.audit.tolerations | nindent 8 }}

126
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-controller-manager-deployment.yaml Normal file
View File

@ -0,0 +1,126 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
spec:
affinity:
{{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- args:
- --port={{ .Values.controllerManager.port }}
- --health-addr=:{{ .Values.controllerManager.healthPort }}
- --prometheus-port={{ .Values.controllerManager.metricsPort }}
- --logtostderr
- --log-denies={{ .Values.logDenies }}
- --emit-admission-events={{ .Values.emitAdmissionEvents }}
- --log-level={{ .Values.logLevel }}
- --exempt-namespace={{ .Release.Namespace }}
- --operation=webhook
- --enable-mutation={{ .Values.experimentalEnableMutation}}
{{- range .Values.disabledBuiltins}}
- --disable-opa-builtin={{ . }}
{{- end }}
{{- range .Values.controllerManager.exemptNamespaces}}
- --exempt-namespace={{ . }}
{{- end }}
command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.controllerManager.healthPort }}
name: manager
ports:
- containerPort: {{ .Values.controllerManager.port }}
name: webhook-server
protocol: TCP
- containerPort: {{ .Values.controllerManager.metricsPort }}
name: metrics
protocol: TCP
- containerPort: {{ .Values.controllerManager.healthPort }}
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: {{ .Values.controllerManager.healthPort }}
resources:
{{- toYaml .Values.controllerManager.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /certs
name: cert
readOnly: true
hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets:
{{- toYaml .Values.image.pullSecrets | nindent 8 }}
nodeSelector:
{{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
{{- if .Values.controllerManager.priorityClassName }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
tolerations:
{{- toYaml .Values.controllerManager.tolerations | nindent 8 }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: gatekeeper-webhook-server-cert

26
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{ else }}
apiVersion: policy/v1beta1
{{ end -}}
kind: PodDisruptionBudget
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'

23
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-critical-pods-resourcequota.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.resourceQuota }}
apiVersion: v1
kind: ResourceQuota
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-critical-pods
namespace: '{{ .Release.Namespace }}'
spec:
hard:
pods: {{ .Values.podCountLimit }}
scopeSelector:
matchExpressions:
- operator: In
scopeName: PriorityClass
values:
- {{ .Values.controllerManager.priorityClassName }}
- {{ .Values.audit.priorityClassName }}
{{- end }}

153
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-manager-role-clusterrole.yaml Normal file
View File

@ -0,0 +1,153 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- config.gatekeeper.sh
resources:
- configs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- config.gatekeeper.sh
resources:
- configs/status
verbs:
- get
- patch
- update
- apiGroups:
- constraints.gatekeeper.sh
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mutations.gatekeeper.sh
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- policy
resourceNames:
- gatekeeper-admin
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- status.gatekeeper.sh
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates/finalizers
verbs:
- delete
- get
- patch
- update
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates/status
verbs:
- get
- patch
- update
- apiGroups:
- admissionregistration.k8s.io
resourceNames:
- gatekeeper-validating-webhook-configuration
resources:
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resourceNames:
- gatekeeper-mutating-webhook-configuration
resources:
- mutatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch

32
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-manager-role-role.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-role
namespace: '{{ .Release.Namespace }}'
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch

18
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gatekeeper-manager-role
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
namespace: '{{ .Release.Namespace }}'

19
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-rolebinding
namespace: '{{ .Release.Namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gatekeeper-manager-role
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
namespace: '{{ .Release.Namespace }}'

40
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml Normal file
View File

@ -0,0 +1,40 @@
{{- if .Values.experimentalEnableMutation }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/mutate
failurePolicy: Ignore
matchPolicy: Exact
name: mutation.gatekeeper.sh
namespaceSelector:
matchExpressions:
- key: admission.gatekeeper.sh/ignore
operator: DoesNotExist
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*'
sideEffects: None
timeoutSeconds: 3
{{- end }}

66
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml Normal file
View File

@ -0,0 +1,66 @@
{{- if not .Values.disableValidatingWebhook }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/admit
failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
matchPolicy: Exact
name: validation.gatekeeper.sh
namespaceSelector:
matchExpressions:
- key: admission.gatekeeper.sh/ignore
operator: DoesNotExist
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
{{- if .Values.enableDeleteOperations }}
- DELETE
{{- end}}
resources:
- '*'
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/admitlabel
failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}
matchPolicy: Exact
name: check-ignore-label.gatekeeper.sh
rules:
- apiGroups:
- ""
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- namespaces
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
{{- end }}

12
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-webhook-server-cert-secret.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }}
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-server-cert
namespace: '{{ .Release.Namespace }}'

29
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/gatekeeper-webhook-service-service.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
spec:
{{- if .Values.service }}
type: {{ .Values.service.type | default "ClusterIP" }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- end }}
ports:
- port: 443
targetPort: webhook-server
selector:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'

98
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/namespace-post-install.yaml Normal file
View File

@ -0,0 +1,98 @@
{{- if .Values.postInstall.labelNamespace.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-update-namespace-label
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
spec:
restartPolicy: OnFailure
{{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
imagePullSecrets:
{{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label
nodeSelector:
kubernetes.io/os: linux
containers:
- name: kubectl-label
image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
command:
- kubectl
- label
- ns
- {{ .Release.Namespace }}
- admission.gatekeeper.sh/ignore=no-self-managing
- --overwrite
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- update
- patch
resourceNames:
- {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gatekeeper-update-namespace-label
subjects:
- kind: ServiceAccount
name: gatekeeper-update-namespace-label
namespace: {{ .Release.Namespace | quote }}
{{- end }}

57
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/requiredlabels.yaml Normal file
View File

@ -0,0 +1,57 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
message:
type: string
labels:
type: array
items:
type: object
properties:
key:
type: string
allowedRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
get_message(parameters, _default) = msg {
not parameters.message
msg := _default
}
get_message(parameters, _default) = msg {
msg := parameters.message
}
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_].key}
missing := required - provided
count(missing) > 0
def_msg := sprintf("you must provide labels: %v", [missing])
msg := get_message(input.parameters, def_msg)
}
violation[{"msg": msg}] {
value := input.review.object.metadata.labels[key]
expected := input.parameters.labels[_]
expected.key == key
# do not match if allowedRegex is not defined, or is an empty string
expected.allowedRegex != ""
not re_match(expected.allowedRegex, value)
def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
msg := get_message(input.parameters, def_msg)
}

82
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/upgrade-crds-hook.yaml Normal file
View File

@ -0,0 +1,82 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gatekeeper-admin-upgrade-crds
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gatekeeper-admin-upgrade-crds
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
subjects:
- kind: ServiceAccount
name: gatekeeper-admin-upgrade-crds
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: gatekeeper-admin-upgrade-crds
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: gatekeeper-admin-upgrade-crds
namespace: '{{ .Release.Namespace }}'
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
---
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-update-crds-hook
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "gatekeeper.name" . }}
chart: {{ template "gatekeeper.name" . }}
gatekeeper.sh/system: "yes"
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
backoffLimit: 0
template:
metadata:
name: gatekeeper-update-crds-hook
spec:
serviceAccountName: gatekeeper-admin-upgrade-crds
restartPolicy: Never
containers:
- name: crds-upgrade
image: '{{ template "system_default_registry" . }}{{ .Values.image.crdRepository }}:{{ .Values.image.tag }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
args:
- apply
- -f
- crds/
nodeSelector:
kubernetes.io/os: linux

20
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,20 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "mutations.gatekeeper.sh/v1alpha1/Assign" false -}}
# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignMetadata" false -}}
# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}}
# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

90
charts/rancher-gatekeeper/rancher-gatekeeper/100.0.1+up3.6.0/values.yaml Normal file
View File

@ -0,0 +1,90 @@
replicas: 3
auditInterval: 300
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
disableValidatingWebhook: false
validatingWebhookTimeoutSeconds: 3
validatingWebhookFailurePolicy: Ignore
validatingWebhookCheckIgnoreFailurePolicy: Fail
enableDeleteOperations: false
experimentalEnableMutation: false
auditChunkSize: 0
logLevel: INFO
logDenies: false
emitAdmissionEvents: false
emitAuditEvents: false
resourceQuota: true
postInstall:
labelNamespace:
enabled: true
image:
repository: rancher/kubectl
tag: v1.20.2
pullPolicy: IfNotPresent
pullSecrets: []
image:
repository: rancher/mirrored-openpolicyagent-gatekeeper
crdRepository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.6.0
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations:
{ container.seccomp.security.alpha.kubernetes.io/manager: runtime/default }
podLabels: {}
podCountLimit: 100
secretAnnotations: {}
controllerManager:
exemptNamespaces: []
hostNetwork: false
port: 8443
metricsPort: 8888
healthPort: 9090
priorityClassName: system-cluster-critical
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: gatekeeper.sh/operation
operator: In
values:
- webhook
topologyKey: kubernetes.io/hostname
weight: 100
tolerations: []
nodeSelector: { kubernetes.io/os: linux }
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
audit:
hostNetwork: false
metricsPort: 8888
healthPort: 9090
priorityClassName: system-cluster-critical
affinity: {}
tolerations: []
nodeSelector: { kubernetes.io/os: linux }
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
pdb:
controllerManager:
minAvailable: 1
global:
cattle:
systemDefaultRegistry: ""
kubectl:
repository: rancher/kubectl
tag: v1.20.2
service: {}
disabledBuiltins:

41
index.yaml
View File

@ -1390,6 +1390,33 @@ entries:
- assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz
version: 0.1.400
rancher-gatekeeper:
- annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: OPA Gatekeeper
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/os: linux
catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
catalog.cattle.io/release-name: rancher-gatekeeper
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.6.0
created: "2021-09-06T14:56:33.06135944+05:30"
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
digest: df8ba4696a6523aa34d2beaff1586c24434aa56c6f816fba9f4734e013eb784b
home: https://github.com/open-policy-agent/gatekeeper
icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
keywords:
- open policy agent
- security
name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
urls:
- assets/rancher-gatekeeper/rancher-gatekeeper-100.0.1+up3.6.0.tgz
version: 100.0.1+up3.6.0
- annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
@ -1548,6 +1575,20 @@ entries:
- assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz
version: 3.1.100
rancher-gatekeeper-crd:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/release-name: rancher-gatekeeper-crd
apiVersion: v1
created: "2021-09-06T14:56:33.06605737+05:30"
description: Installs the CRDs for rancher-gatekeeper.
digest: 660391ebe73dbf5e32b7e357344c2d51b923ad41cfb9547a51a7754610a6014b
name: rancher-gatekeeper-crd
type: application
urls:
- assets/rancher-gatekeeper/rancher-gatekeeper-crd-100.0.1+up3.6.0.tgz
version: 100.0.1+up3.6.0
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"

12
packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch
View File

@ -2,18 +2,20 @@
+++ charts/Chart.yaml
@@ -1,10 +1,22 @@
apiVersion: v2
appVersion: v3.5.1
appVersion: v3.6.0
-description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
keywords:
- open policy agent
-- open policy agent
-name: gatekeeper
+- security
+ - open policy agent
+ - security
+name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 3.5.1
-- https://github.com/open-policy-agent/gatekeeper.git
+ - https://github.com/open-policy-agent/gatekeeper.git
version: 3.6.0
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+annotations:
+ catalog.cattle.io/certified: rancher

2
packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch
View File

@ -1,6 +1,6 @@
--- charts-original/templates/gatekeeper-audit-deployment.yaml
+++ charts/templates/gatekeeper-audit-deployment.yaml
@@ -63,7 +63,7 @@
@@ -65,7 +65,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name

2
packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch
View File

@ -1,6 +1,6 @@
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -65,7 +65,7 @@
@@ -71,7 +71,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name

11
packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch Normal file
View File

@ -0,0 +1,11 @@
--- charts-original/templates/upgrade-crds-hook.yaml
+++ charts/templates/upgrade-crds-hook.yaml
@@ -72,7 +72,7 @@
restartPolicy: Never
containers:
- name: crds-upgrade
- image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.crdRepository }}:{{ .Values.image.tag }}'
imagePullPolicy: '{{ .Values.image.pullPolicy }}'
args:
- apply

10
packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
View File

@ -7,7 +7,7 @@
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
@@ -16,13 +16,13 @@
@@ -19,14 +19,14 @@
labelNamespace:
enabled: true
image:
@ -19,13 +19,15 @@
pullSecrets: []
image:
- repository: openpolicyagent/gatekeeper
- release: v3.5.1
- crdRepository: openpolicyagent/gatekeeper-crds
- release: v3.6.0
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.5.1
+ crdRepository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.6.0
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations:
@@ -70,5 +70,11 @@
@@ -80,5 +80,11 @@
pdb:
controllerManager:
minAvailable: 1

4
packages/rancher-gatekeeper/package.yaml
View File

@ -1,5 +1,5 @@
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.5.1.tgz
version: 100.0.0
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.6.0.tgz
version: 100.0.1
additionalCharts:
- workingDir: charts-crd
crdOptions:

2
packages/rancher-gatekeeper/templates/crd-template/Chart.yaml
View File

@ -1,5 +1,5 @@
apiVersion: v1
version: 3.5.1
version: 3.6.0
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application