Merge pull request #2879 from diogoasouza/adding-opa-3.13.0

dev-v2.8 - gatekeeper 3.13.0
pull/2913/head
Sakala Venkata Krishna Rohit 2023-08-28 20:34:49 -07:00 committed by GitHub
commit 7222dd10f2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
72 changed files with 659 additions and 403 deletions


@ -1,73 +0,0 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: expansiontemplate.expansion.gatekeeper.sh
spec:
group: expansion.gatekeeper.sh
names:
kind: ExpansionTemplate
listKind: ExpansionTemplateList
plural: expansiontemplate
singular: expansiontemplate
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ExpansionTemplate is the Schema for the ExpansionTemplate API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
enforcementAction:
description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation.
type: string
generatedGVK:
description: GeneratedGVK specifies the GVK of the resources which the generator resource creates.
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
templateSource:
description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template
type: string
type: object
type: object
served: true
storage: true


@ -7,4 +7,4 @@ apiVersion: v1
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application
version: 103.0.1+up3.12.0
version: 103.1.0+up3.13.0


@ -65,7 +65,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -115,7 +115,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -151,7 +151,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
@ -310,7 +310,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -360,7 +360,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -396,7 +396,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
@ -555,7 +555,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -605,7 +605,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -641,7 +641,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
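Review bot: The new `pattern` on the `excludedNamespaces` and `namespaces` items accepts `:` inside the value, yet both descriptions still call these namespace names, and a Kubernetes namespace name is a DNS label that cannot contain a colon. A mistyped entry containing `:` is therefore no longer rejected by schema validation and simply matches nothing; under `namespaces` that leaves the match covering fewer namespaces than the author intended, with no error to notice. The colon is presumably meant for the `name` field, where object names such as RBAC roles use it, so either keep the stricter pattern on the two namespace lists or extend their item description with `A ':' is accepted by the pattern but never matches a namespace name.` The same applies to every hunk in this section and to the identical pattern change in the other files on this page; if these CRDs are copied from upstream Gatekeeper, the wording belongs in the upstream type comments. The enclosing schema objects start and end outside the hunks.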


@ -65,7 +65,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -115,7 +115,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -151,7 +151,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:


@ -45,7 +45,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -95,7 +95,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -131,7 +131,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
@ -256,7 +256,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -306,7 +306,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -342,7 +342,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
@ -467,7 +467,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -517,7 +517,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -553,7 +553,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:


@ -39,7 +39,7 @@ spec:
excludedNamespaces:
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
processes:


@ -0,0 +1,200 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: expansiontemplate.expansion.gatekeeper.sh
spec:
group: expansion.gatekeeper.sh
names:
kind: ExpansionTemplate
listKind: ExpansionTemplateList
plural: expansiontemplate
singular: expansiontemplate
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ExpansionTemplate is the Schema for the ExpansionTemplate API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
enforcementAction:
description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation.
type: string
generatedGVK:
description: GeneratedGVK specifies the GVK of the resources which the generator resource creates.
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
templateSource:
description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template
type: string
type: object
status:
description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate.
properties:
byPod:
items:
description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus.
properties:
errors:
items:
properties:
message:
type: string
type:
type: string
required:
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: ExpansionTemplate is the Schema for the ExpansionTemplate API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
enforcementAction:
description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation.
type: string
generatedGVK:
description: GeneratedGVK specifies the GVK of the resources which the generator resource creates.
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
templateSource:
description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template
type: string
type: object
status:
description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate.
properties:
byPod:
items:
description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus.
properties:
errors:
items:
properties:
message:
type: string
type:
type: string
required:
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}


@ -0,0 +1,62 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: expansiontemplatepodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ExpansionTemplatePodStatus
listKind: ExpansionTemplatePodStatusList
plural: expansiontemplatepodstatuses
singular: expansiontemplatepodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus.
properties:
errors:
items:
properties:
message:
type: string
type:
type: string
required:
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: object
served: true
storage: true


@ -65,7 +65,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -115,7 +115,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -151,7 +151,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
@ -283,7 +283,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -333,7 +333,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -369,7 +369,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
@ -501,7 +501,7 @@ spec:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
@ -551,7 +551,7 @@ spec:
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
@ -587,7 +587,7 @@ spec:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:


@ -1,210 +0,0 @@
# Gatekeeper Helm Chart
## Get Repo Info
```console
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
```console
# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
_See [parameters](#parameters) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Upgrade Chart
**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
```console
$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
```console
$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
```
**Upgrading from >= v3.4.0**
```console
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
```
_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._
## Exempting Namespace
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
## Parameters
| Parameter | Description | Default |
| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` |
| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` |
| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` |
| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` |
| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` |
| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` |
| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` |
| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` |
| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` |
| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` |
| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` |
| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` |
| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` |
| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` |
| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` |
| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]`
| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` |
| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` |
| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0` |
| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0` |
| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` |
| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` |
| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` |
| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` |
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| disableMutation | Disable mutation | `false` |
| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
| enableExternalData | Enable external data | `true` |
| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | `false` |
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` |
| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.12.0` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
| controllerManager.healthPort | Health port for controller manager | `9090` |
| controllerManager.port | Webhook-server port for controller manager | `8443` |
| controllerManager.metricsPort | Metrics port for controller manager | `8888` |
| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` |
| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` |
| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null`
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} |
| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` |
| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` |
| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` |
| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
| audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` |
| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| audit.healthPort | Health port for audit | `9090` |
| audit.metricsPort | Metrics port for audit | `8888` |
| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` |
| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` |
| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null`
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
| podCountLimit | The maximum number of Gatekeeper pods to run | `100` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |
| service.type | Service type | `ClusterIP` |
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
| rbac.create | Enable the creation of RBAC resources | `true` |
| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
## Contributing Changes
Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart.


@ -2,7 +2,7 @@ annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: OPA Gatekeeper
catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0'
catalog.cattle.io/kube-version: '>= 1.20.0-0'
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
@ -12,7 +12,7 @@ annotations:
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.12.0
appVersion: v3.13.0
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
@ -23,4 +23,4 @@ keywords:
name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 103.0.1+up3.12.0
version: 103.1.0+up3.13.0
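Review bot: The `catalog.cattle.io/kube-version` annotation in the first hunk drops its upper bound (`< 1.28.0-0`) instead of raising it, so the catalog will presumably offer this chart on any future Kubernetes release, including ones Gatekeeper 3.13.0 has not been validated against. That matters more for an admission controller than for most charts: the upstream README added in this same commit lists `validatingWebhookFailurePolicy` with a default of `Ignore`, so if this chart keeps that default, a webhook that misbehaves on an untested API server would let requests through without policy checks rather than reject them. I would keep an explicit ceiling at the highest minor version actually tested and raise it per release, e.g. `catalog.cattle.io/kube-version: '>= 1.20.0-0 < <TESTED_MAX_MINOR>.0-0'`. If the open-ended range is intentional for the dev branch, a short comment above the annotation saying so would help the next reviewer.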


@ -0,0 +1,226 @@
# Gatekeeper Helm Chart
## Get Repo Info
```console
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
```console
# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
_See [parameters](#parameters) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Upgrade Chart
**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within
the chart. This follows Helm 3 Best Practices.
Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
```console
$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the
original release, while keeping all of the resources. It then updates the annotations of the resources so that the new
chart can import and manage them.
```console
$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
```
**Upgrading from >= v3.4.0**
```console
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
```
_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._
## Exempting Namespace
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt
the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during
a post-install hook.
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more
information._
## Parameters
| Parameter | Description | Default |
|:-----------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` |
| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` |
| postInstall.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label Job | `` |
| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` |
| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` |
| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` |
| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` |
| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` |
| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` |
| postInstall.probeWebhook.priorityClassName | Priority class name for gatekeeper-probe-webhook-post-install Job | `` |
| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` |
| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` |
| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` |
| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` |
| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` |
| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` |
| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` |
| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` |
| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` |
| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` |
| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.13.0` |
| preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
| preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.13.0` |
| preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` |
| preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
| preUninstall.deleteWebhookConfigurations.priorityClassName | Priority class name for gatekeeper-delete-webhook-configs Job | `` |
| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` |
| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` |
| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
| upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` |
| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` |
| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` |
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| disableMutation | Disable mutation | `false` |
| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
| enableExternalData | Enable external data | `true` |
| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` |
| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.13.0` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
| controllerManager.healthPort | Health port for controller manager | `9090` |
| controllerManager.port | Webhook-server port for controller manager | `8443` |
| controllerManager.metricsPort | Metrics port for controller manager | `8888` |
| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` |
| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` |
| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` |
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} |
| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` |
| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` |
| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` |
| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
| audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` |
| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| audit.healthPort | Health port for audit | `9090` |
| audit.metricsPort | Metrics port for audit | `8888` |
| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` |
| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` |
| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
| podCountLimit | The maximum number of Gatekeeper pods to run | `100` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |
| service.type | Service type | `ClusterIP` |
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
| rbac.create | Enable the creation of RBAC resources | `true` |
| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
## Contributing Changes
Please refer
to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart)
for modifying the Helm chart.


@ -75,6 +75,7 @@ Output post install webhook probe container entry
args:
- "--retry"
- "99999"
- "--retry-connrefused"
- "--retry-max-time"
- "{{ .Values.postInstall.probeWebhook.waitTimeout }}"
- "--retry-delay"


@ -28,6 +28,9 @@ spec:
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
{{- end }}
{{- if .Values.auditPodAnnotations }}
{{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }}
{{- end }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
@ -56,6 +59,11 @@ spec:
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
- --operation=audit
- --operation=status
{{ if .Values.audit.enablePubsub}}
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
- --audit-connection={{ .Values.audit.connection }}
- --audit-channel={{ .Values.audit.channel }}
{{- end }}
{{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}
- --logtostderr
- --health-addr=:{{ .Values.audit.healthPort }}
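Review bot: `--audit-connection` and `--audit-channel` in the second hunk are rendered from `.Values.audit.connection` and `.Values.audit.channel`, but the values.yaml hunk shown in this commit adds only `audit.enablePubsub: false`. Unless both keys are defined in a part of values.yaml that is not shown, switching the flag on would hand the audit container empty or placeholder arguments. Either add defaults next to `enablePubsub`, or make rendering fail loudly, e.g. `- --audit-connection={{ required "audit.connection must be set when audit.enablePubsub is true" .Values.audit.connection }}` and the same for the channel. The opening `{{ if .Values.audit.enablePubsub}}` also lacks the `{{-` trim that its `{{- end }}` uses, which leaves a blank line in the rendered args list; the list itself starts and ends outside the hunk.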


@ -22,6 +22,8 @@ spec:
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
strategy:
type: {{ .Values.controllerManager.strategyType }}
template:
metadata:
annotations:


@ -82,6 +82,18 @@ rules:
- patch
- update
- watch
- apiGroups:
- expansion.gatekeeper.sh
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- externaldata.gatekeeper.sh
resources:
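Review bot: The added rule for `expansion.gatekeeper.sh` grants all seven verbs on `'*'`, so it also covers any resource later added to that API group. The only resource this commit shows for the group is the ExpansionTemplate CRD (plural `expansiontemplate`). If the manager needs nothing else, the rule could name it, `- expansiontemplate` in place of `- '*'`, plus whichever subresource is actually used. Whether the neighbouring rules use the same wildcard is not visible here, and if this role is generated from upstream RBAC markers the narrowing belongs there rather than in this file.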


@ -15,10 +15,14 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- if .Values.mutatingWebhookURL }}
url: https://{{ .Values.mutatingWebhookURL }}/v1/mutate
{{- else }}
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/mutate
{{- end }}
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
matchPolicy: Exact
name: mutation.gatekeeper.sh
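Review bot: `mutatingWebhookURL` is documented in the README table as a "Custom URL", but the template wraps it as `https://{{ .Values.mutatingWebhookURL }}/v1/mutate`, so a value that already carries a scheme or a path renders an invalid `url`. The same applies to `validatingWebhookURL` in the validating webhook template (`/v1/admit`). With the `Ignore` failure policy the README lists as the default, a webhook the API server cannot reach would likely fail open instead of surfacing the mistake. I would document the key as host[:port] only and quote the rendered value, `url: 'https://{{ .Values.mutatingWebhookURL }}/v1/mutate'`. The `clientConfig` block continues outside the hunk, so whether a matching `caBundle` is set for the custom host cannot be checked from here.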


@ -15,10 +15,14 @@ webhooks:
- v1
- v1beta1
clientConfig:
{{- if .Values.validatingWebhookURL }}
url: https://{{ .Values.validatingWebhookURL }}/v1/admit
{{- else }}
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/admit
{{- end }}
failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
matchPolicy: Exact
name: validation.gatekeeper.sh


@ -31,6 +31,9 @@ spec:
release: '{{ .Release.Name }}'
spec:
restartPolicy: OnFailure
{{- if .Values.postInstall.labelNamespace.priorityClassName }}
priorityClassName: {{ .Values.postInstall.labelNamespace.priorityClassName }}
{{- end }}
{{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
imagePullSecrets:
{{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}


@ -34,6 +34,9 @@ spec:
{{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label-post-upgrade
{{- if .Values.postUpgrade.labelNamespace.priorityClassName }}
priorityClassName: {{ .Values.postUpgrade.labelNamespace.priorityClassName }}
{{- end }}
containers:
- name: kubectl-label
image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}'


@ -28,6 +28,9 @@ spec:
release: '{{ .Release.Name }}'
spec:
restartPolicy: Never
{{- if .Values.postInstall.probeWebhook.priorityClassName }}
priorityClassName: {{ .Values.postInstall.probeWebhook.priorityClassName }}
{{- end }}
{{- if .Values.postInstall.probeWebhook.image.pullSecrets }}
imagePullSecrets:
{{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
@ -42,5 +45,6 @@ spec:
affinity:
{{- toYaml .affinity | nindent 8 }}
{{- end }}
backoffLimit: 3
{{- end }}
{{- end }}


@ -71,7 +71,7 @@ metadata:
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
backoffLimit: 0
backoffLimit: 3
template:
metadata:
name: gatekeeper-update-crds-hook
@ -89,7 +89,10 @@ spec:
restartPolicy: Never
{{- if .Values.images.pullSecrets }}
imagePullSecrets:
{{- toYaml .Values.images.pullSecrets | nindent 8 }}
{{- toYaml .Values.image.pullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.upgradeCRDs.priorityClassName }}
priorityClassName: {{ .Values.upgradeCRDs.priorityClassName }}
{{- end }}
containers:
- name: crds-upgrade
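Review bot: In the second hunk the guard tests `.Values.images.pullSecrets`, but the body, as rendered here, now reads `{{- toYaml .Values.image.pullSecrets | nindent 8 }}`. This chart's values.yaml defines the top-level key `images`, not `image`, so when pull secrets are configured the CRD upgrade hook would not receive them and rendering may fail on the missing key. The hunk counts (one line removed, four added) are consistent with `images` having been replaced by `image` on this line. The body should match the guard: `{{- toYaml .Values.images.pullSecrets | nindent 8 }}`. The pod spec continues outside the hunk.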


@ -8,6 +8,7 @@
# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}}
# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ExpansionTemplatePodStatus" false -}}
# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}}
# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}}


@ -33,6 +33,9 @@ spec:
{{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-delete-webhook-configs
{{- if .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }}
priorityClassName: {{ .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }}
{{- end }}
containers:
- name: kubectl-delete
image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}'
@ -52,7 +55,7 @@ spec:
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
{{- toYaml .Values.preUninstall.securityContext | nindent 12 }}
{{- with .Values.preUninstall }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .nodeSelector }}


@ -14,9 +14,10 @@ validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
validatingWebhookURL: null
enableDeleteOperations: false
enableExternalData: true
enableGeneratorResourceExpansion: false
enableGeneratorResourceExpansion: true
enableTLSHealthcheck: false
maxServingThreads: -1
mutatingWebhookName: gatekeeper-mutating-webhook-configuration
@ -27,6 +28,7 @@ mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutatingWebhookURL: null
mutationAnnotations: false
auditChunkSize: 500
logLevel: INFO
@ -40,17 +42,17 @@ resourceQuota: true
images:
gatekeeper:
repository: rancher/mirrored-openpolicyagent-gatekeeper
tag: v3.12.0
tag: v3.13.0
gatekeepercrd:
repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.12.0
tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
preInstall:
crdRepository:
image:
repository: null
tag: v3.12.0
tag: v3.13.0
postUpgrade:
labelNamespace:
enabled: false
@ -67,6 +69,7 @@ postUpgrade:
"pod-security.kubernetes.io/enforce=restricted",
"pod-security.kubernetes.io/enforce-version=v1.24"]
extraAnnotations: {}
priorityClassName: ""
affinity: {}
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
@ -86,7 +89,7 @@ postInstall:
extraRules: []
image:
repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.12.0
tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
@ -97,6 +100,7 @@ postInstall:
"pod-security.kubernetes.io/enforce=restricted",
"pod-security.kubernetes.io/enforce-version=v1.24"]
extraAnnotations: {}
priorityClassName: ""
probeWebhook:
enabled: true
image:
@ -107,6 +111,7 @@ postInstall:
waitTimeout: 60
httpTimeout: 2
insecureHTTPS: false
priorityClassName: ""
affinity: {}
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
@ -125,9 +130,10 @@ preUninstall:
enabled: false
image:
repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.12.0
tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
priorityClassName: ""
affinity: {}
tolerations: []
nodeSelector: {}
@ -142,6 +148,7 @@ preUninstall:
runAsNonRoot: true
runAsUser: 1000
podAnnotations: {}
auditPodAnnotations: {}
podLabels: {}
podCountLimit: "100"
secretAnnotations: {}
@ -160,6 +167,7 @@ controllerManager:
disableCertRotation: false
tlsMinVersion: 1.3
clientCertName: ""
strategyType: RollingUpdate
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
@ -202,6 +210,7 @@ controllerManager:
# - ipBlock:
# cidr: 0.0.0.0/0
audit:
enablePubsub: false
hostNetwork: false
dnsPolicy: ClusterFirst
metricsPort: 8888
@ -264,6 +273,7 @@ disabledBuiltins: ["{http.send}"]
upgradeCRDs:
enabled: true
extraRules: []
priorityClassName: ""
rbac:
create: true
externalCertInjection:


@ -7727,7 +7727,7 @@ entries:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: OPA Gatekeeper
catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0'
catalog.cattle.io/kube-version: '>= 1.20.0-0'
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
@ -7737,11 +7737,11 @@ entries:
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.12.0
created: "2023-08-23T17:22:58.94666364-03:00"
appVersion: v3.13.0
created: "2023-08-28T23:10:42.721448901Z"
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
digest: ee25ad45beb67bc91aa47dd7c576ba89cd00ade03db94341c463948901a3c0c6
digest: 300e12017c4487cf4c98b437579076b7fc96ab116a81b6e3b188c2a671be1290
home: https://github.com/open-policy-agent/gatekeeper
icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
keywords:
@ -7751,8 +7751,8 @@ entries:
sources:
- https://github.com/open-policy-agent/gatekeeper.git
urls:
- assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz
version: 103.0.1+up3.12.0
- assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz
version: 103.1.0+up3.13.0
- annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
@ -8132,14 +8132,14 @@ entries:
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/release-name: rancher-gatekeeper-crd
apiVersion: v1
created: "2023-08-23T17:22:58.953726661-03:00"
created: "2023-08-25T23:58:48.830847335Z"
description: Installs the CRDs for rancher-gatekeeper.
digest: d47fba3bc692cd330ea61d70de4c1fd8e4316cd13cdf7bf6f13b17df132bd74d
digest: 433eb32cfc8233840c67cd97bc236a5199b6e311a9c4c26b681d08b89e317a3b
name: rancher-gatekeeper-crd
type: application
urls:
- assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz
version: 103.0.1+up3.12.0
- assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz
version: 103.1.0+up3.13.0
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"


@ -5,7 +5,7 @@
+ catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: OPA Gatekeeper
+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0'
+ catalog.cattle.io/kube-version: '>= 1.20.0-0'
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
@ -15,7 +15,7 @@
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.12.0
appVersion: v3.13.0
-description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments
@ -29,4 +29,4 @@
+name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 3.12.0
version: 3.13.0


@ -1,11 +1,11 @@
--- charts-original/README.md
+++ charts/README.md
@@ -118,7 +118,7 @@
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
-| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
@@ -129,7 +129,7 @@
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
-| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |


@ -37,7 +37,7 @@
imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
command:
- "curl"
@@ -69,10 +92,10 @@
@@ -70,10 +93,10 @@
resources:
{{- toYaml .Values.postInstall.resources | nindent 4 }}
securityContext:


@ -1,6 +1,6 @@
--- charts-original/templates/gatekeeper-audit-deployment.yaml
+++ charts/templates/gatekeeper-audit-deployment.yaml
@@ -42,11 +42,7 @@
@@ -45,11 +45,7 @@
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
@ -13,7 +13,7 @@
args:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
@@ -94,7 +90,7 @@
@@ -102,7 +98,7 @@
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
@ -22,7 +22,7 @@
livenessProbe:
httpGet:
path: /healthz
@@ -130,9 +126,11 @@
@@ -138,9 +134,11 @@
dnsPolicy: {{ .Values.audit.dnsPolicy }}
hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets:
@ -37,7 +37,7 @@
{{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}
@@ -140,8 +138,10 @@
@@ -148,8 +146,10 @@
{{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60


@ -1,6 +1,6 @@
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -42,11 +42,8 @@
@@ -44,11 +44,8 @@
{{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
@ -14,7 +14,7 @@
args:
- --port={{ .Values.controllerManager.port }}
- --health-addr=:{{ .Values.controllerManager.healthPort }}
@@ -111,7 +108,6 @@
@@ -113,7 +110,6 @@
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
@ -22,7 +22,7 @@
livenessProbe:
httpGet:
path: /healthz
@@ -148,9 +144,11 @@
@@ -150,9 +146,11 @@
dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets:
@ -37,7 +37,7 @@
{{- if .Values.controllerManager.priorityClassName }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }}
@@ -158,8 +156,10 @@
@@ -160,8 +158,10 @@
{{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60


@ -1,6 +1,6 @@
--- charts-original/templates/gatekeeper-manager-role-clusterrole.yaml
+++ charts/templates/gatekeeper-manager-role-clusterrole.yaml
@@ -106,7 +106,7 @@
@@ -118,7 +118,7 @@
- patch
- update
- watch


@ -1,6 +1,6 @@
--- charts-original/templates/namespace-post-install.yaml
+++ charts/templates/namespace-post-install.yaml
@@ -44,7 +44,7 @@
@@ -47,7 +47,7 @@
{{- end }}
containers:
- name: kubectl-label
@ -9,7 +9,7 @@
imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
args:
- label
@@ -85,12 +85,10 @@
@@ -88,12 +88,10 @@
{{- toYaml .Values.postInstall.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.postInstall }}
@ -24,7 +24,7 @@
{{- end }}
---
apiVersion: v1
@@ -132,6 +130,12 @@
@@ -135,6 +133,12 @@
{{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}


@ -1,7 +1,7 @@
--- charts-original/templates/namespace-post-upgrade.yaml
+++ charts/templates/namespace-post-upgrade.yaml
@@ -36,7 +36,7 @@
serviceAccount: gatekeeper-update-namespace-label-post-upgrade
@@ -39,7 +39,7 @@
{{- end }}
containers:
- name: kubectl-label
- image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
@ -9,7 +9,7 @@
imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
args:
- label
@@ -77,12 +77,10 @@
@@ -80,12 +80,10 @@
{{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.postUpgrade }}
@ -24,7 +24,7 @@
{{- end }}
---
apiVersion: v1
@@ -123,6 +121,12 @@
@@ -126,6 +124,12 @@
{{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}


@ -1,6 +1,6 @@
--- charts-original/templates/probe-webhook-post-install.yaml
+++ charts/templates/probe-webhook-post-install.yaml
@@ -37,12 +37,10 @@
@@ -40,12 +40,10 @@
containers:
{{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
{{- with .Values.postInstall }}
@ -13,5 +13,5 @@
- nodeSelector:
- {{- toYaml .nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
backoffLimit: 3
{{- end }}


@ -1,14 +1,15 @@
--- charts-original/templates/upgrade-crds-hook.yaml
+++ charts/templates/upgrade-crds-hook.yaml
@@ -87,26 +87,14 @@
@@ -87,7 +87,7 @@
spec:
serviceAccountName: gatekeeper-admin-upgrade-crds
restartPolicy: Never
- {{- if .Values.image.pullSecrets }}
+ {{- if .Values.images.pullSecrets }}
imagePullSecrets:
- {{- toYaml .Values.image.pullSecrets | nindent 8 }}
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}
{{- toYaml .Values.image.pullSecrets | nindent 8 }}
{{- end }}
@@ -96,20 +96,8 @@
{{- end }}
containers:
- name: crds-upgrade
@ -31,7 +32,7 @@
args:
- apply
- -f
@@ -120,11 +108,9 @@
@@ -123,11 +111,9 @@
{{- end }}
{{- toYaml .Values.crds.securityContext | nindent 10 }}
{{- with .Values.crds }}


@ -1,7 +1,7 @@
--- charts-original/templates/webhook-configs-pre-delete.yaml
+++ charts/templates/webhook-configs-pre-delete.yaml
@@ -35,7 +35,7 @@
serviceAccount: gatekeeper-delete-webhook-configs
@@ -38,7 +38,7 @@
{{- end }}
containers:
- name: kubectl-delete
- image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
@ -9,18 +9,9 @@
imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }}
args:
- delete
@@ -46,7 +46,7 @@
- mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }}
@@ -57,12 +57,16 @@
{{- end }}
resources:
- {{- toYaml .Values.preUninstall.resources | nindent 10 }}
+ {{- toYaml .Values.preUninstall.resources | nindent 12 }}
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
@@ -54,12 +54,16 @@
{{- end }}
{{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
{{- toYaml .Values.preUninstall.securityContext | nindent 12 }}
{{- with .Values.preUninstall }}
- nodeSelector:
- {{- toYaml .nodeSelector | nindent 8 }}


@ -1,44 +1,44 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -37,10 +37,13 @@
@@ -39,10 +39,13 @@
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
-image:
- repository: openpolicyagent/gatekeeper
- crdRepository: openpolicyagent/gatekeeper-crds
- release: v3.12.0
- release: v3.13.0
+images:
+ gatekeeper:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.12.0
+ tag: v3.13.0
+ gatekeepercrd:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.12.0
+ tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
preInstall:
@@ -52,8 +55,8 @@
@@ -54,8 +57,8 @@
labelNamespace:
enabled: false
image:
- repository: openpolicyagent/gatekeeper-crds
- tag: v3.12.0
- tag: v3.13.0
+ repository: rancher/kubectl
+ tag: v1.20.2
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
@@ -82,7 +85,7 @@
@@ -85,7 +88,7 @@
enabled: true
extraRules: []
image:
- repository: openpolicyagent/gatekeeper-crds
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.12.0
tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
@@ -97,7 +100,7 @@
@@ -101,7 +104,7 @@
probeWebhook:
enabled: true
image:
@ -47,15 +47,16 @@
tag: 7.83.1
pullPolicy: IfNotPresent
pullSecrets: []
@@ -121,13 +124,13 @@
@@ -126,14 +129,14 @@
extraRules: []
enabled: false
image:
- repository: openpolicyagent/gatekeeper-crds
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.12.0
tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
priorityClassName: ""
affinity: {}
tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
@ -63,7 +64,7 @@
resources: {}
securityContext:
allowPrivilegeEscalation: false
@@ -171,7 +174,7 @@
@@ -179,7 +182,7 @@
weight: 100
topologySpreadConstraints: []
tolerations: []
@ -72,7 +73,7 @@
resources:
limits:
memory: 512Mi
@@ -209,7 +212,7 @@
@@ -218,7 +221,7 @@
disableCertRotation: true
affinity: {}
tolerations: []
@ -81,7 +82,7 @@
resources:
limits:
memory: 512Mi
@@ -248,10 +251,16 @@
@@ -257,10 +260,16 @@
pdb:
controllerManager:
minAvailable: 1


@ -1,5 +1,5 @@
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.12.0.tgz
version: 103.0.1
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.13.0.tgz
version: 103.1.0
additionalCharts:
- workingDir: charts-crd
crdOptions:


@ -23,9 +23,9 @@ rancher-eks-operator:
rancher-eks-operator-crd:
- 103.0.0+up1.3.0-rc1
rancher-gatekeeper:
- 103.0.1+up3.12.0
- 103.1.0+up3.13.0
rancher-gatekeeper-crd:
- 103.0.1+up3.12.0
- 103.1.0+up3.13.0
ui-plugin-operator:
- 103.0.1+up0.2.1
ui-plugin-operator-crd: