Merge pull request #1232 from cmurphy/gatekeeper-3.4.0

Update gatekeeper to 3.5.1
pull/1379/head
Caleb Bron 2021-07-28 08:39:44 -07:00 committed by GitHub
commit 9b44cc986f
70 changed files with 1496 additions and 827 deletions


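--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,106 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-annotations:
-controller-gen.kubebuilder.io/version: v0.3.0
-creationTimestamp: null
-labels:
-gatekeeper.sh/system: "yes"
-name: configs.config.gatekeeper.sh
-spec:
-group: config.gatekeeper.sh
-names:
-kind: Config
-listKind: ConfigList
-plural: configs
-shortNames:
-- config
-singular: config
-scope: Namespaced
-validation:
-openAPIV3Schema:
-description: Config is the Schema for the configs API
-properties:
-apiVersion:
-description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-type: string
-kind:
-description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-type: string
-metadata:
-type: object
-spec:
-description: ConfigSpec defines the desired state of Config
-properties:
-match:
-description: Configuration for namespace exclusion
-items:
-properties:
-excludedNamespaces:
-items:
-type: string
-type: array
-processes:
-items:
-type: string
-type: array
-type: object
-type: array
-readiness:
-description: Configuration for readiness tracker
-properties:
-statsEnabled:
-type: boolean
-type: object
-sync:
-description: Configuration for syncing k8s objects
-properties:
-syncOnly:
-description: If non-empty, only entries on this list will be replicated into OPA
-items:
-properties:
-group:
-type: string
-kind:
-type: string
-version:
-type: string
-type: object
-type: array
-type: object
-validation:
-description: Configuration for validation
-properties:
-traces:
-description: List of requests to trace. Both "user" and "kinds" must be specified
-items:
-properties:
-dump:
-description: Also dump the state of OPA with the trace. Set to `All` to dump everything.
-type: string
-kind:
-description: Only trace requests of the following GroupVersionKind
-properties:
-group:
-type: string
-kind:
-type: string
-version:
-type: string
-type: object
-user:
-description: Only trace requests from the specified user
-type: string
-type: object
-type: array
-type: object
-type: object
-status:
-description: ConfigStatus defines the observed state of Config
-type: object
-type: object
-version: v1alpha1
-versions:
-- name: v1alpha1
-served: true
-storage: true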


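--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-annotations:
-controller-gen.kubebuilder.io/version: v0.3.0
-creationTimestamp: null
-labels:
-gatekeeper.sh/system: "yes"
-name: constraintpodstatuses.status.gatekeeper.sh
-spec:
-group: status.gatekeeper.sh
-names:
-kind: ConstraintPodStatus
-listKind: ConstraintPodStatusList
-plural: constraintpodstatuses
-singular: constraintpodstatus
-scope: Namespaced
-validation:
-openAPIV3Schema:
-description: ConstraintPodStatus is the Schema for the constraintpodstatuses API
-properties:
-apiVersion:
-description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-type: string
-kind:
-description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-type: string
-metadata:
-type: object
-status:
-description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus
-properties:
-constraintUID:
-description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch
-type: string
-enforced:
-type: boolean
-errors:
-items:
-description: Error represents a single error caught while adding a constraint to OPA
-properties:
-code:
-type: string
-location:
-type: string
-message:
-type: string
-required:
-- code
-- message
-type: object
-type: array
-id:
-type: string
-observedGeneration:
-format: int64
-type: integer
-operations:
-items:
-type: string
-type: array
-type: object
-type: object
-version: v1beta1
-versions:
-- name: v1beta1
-served: true
-storage: true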


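--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,97 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-creationTimestamp: null
-labels:
-gatekeeper.sh/system: "yes"
-name: constrainttemplates.templates.gatekeeper.sh
-spec:
-group: templates.gatekeeper.sh
-names:
-kind: ConstraintTemplate
-plural: constrainttemplates
-scope: Cluster
-subresources:
-status: {}
-validation:
-openAPIV3Schema:
-properties:
-apiVersion:
-description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-type: string
-kind:
-description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-type: string
-metadata:
-type: object
-spec:
-properties:
-crd:
-properties:
-spec:
-properties:
-names:
-properties:
-kind:
-type: string
-shortNames:
-items:
-type: string
-type: array
-type: object
-validation:
-type: object
-type: object
-type: object
-targets:
-items:
-properties:
-libs:
-items:
-type: string
-type: array
-rego:
-type: string
-target:
-type: string
-type: object
-type: array
-type: object
-status:
-properties:
-byPod:
-items:
-properties:
-errors:
-items:
-properties:
-code:
-type: string
-location:
-type: string
-message:
-type: string
-required:
-- code
-- message
-type: object
-type: array
-id:
-description: a unique identifier for the pod that wrote the status
-type: string
-observedGeneration:
-format: int64
-type: integer
-type: object
-type: array
-created:
-type: boolean
-type: object
-version: v1beta1
-versions:
-- name: v1beta1
-served: true
-storage: true
-- name: v1alpha1
-served: true
-storage: false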


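--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,67 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-annotations:
-controller-gen.kubebuilder.io/version: v0.3.0
-creationTimestamp: null
-labels:
-gatekeeper.sh/system: "yes"
-name: constrainttemplatepodstatuses.status.gatekeeper.sh
-spec:
-group: status.gatekeeper.sh
-names:
-kind: ConstraintTemplatePodStatus
-listKind: ConstraintTemplatePodStatusList
-plural: constrainttemplatepodstatuses
-singular: constrainttemplatepodstatus
-scope: Namespaced
-validation:
-openAPIV3Schema:
-description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API
-properties:
-apiVersion:
-description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-type: string
-kind:
-description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-type: string
-metadata:
-type: object
-status:
-description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus
-properties:
-errors:
-items:
-description: CreateCRDError represents a single error caught during parsing, compiling, etc.
-properties:
-code:
-type: string
-location:
-type: string
-message:
-type: string
-required:
-- code
-- message
-type: object
-type: array
-id:
-description: 'Important: Run "make" to regenerate code after modifying this file'
-type: string
-observedGeneration:
-format: int64
-type: integer
-operations:
-items:
-type: string
-type: array
-templateUID:
-description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
-type: string
-type: object
-type: object
-version: v1beta1
-versions:
-- name: v1beta1
-served: true
-storage: true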


@ -7,4 +7,4 @@ apiVersion: v1
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application
version: 100.0.0+up3.3.0
version: 100.0.0+up3.5.1


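--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,208 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.5.0
+labels:
+gatekeeper.sh/system: "yes"
+name: assign.mutations.gatekeeper.sh
+spec:
+group: mutations.gatekeeper.sh
+names:
+kind: Assign
+listKind: AssignList
+plural: assign
+singular: assign
+scope: Cluster
+versions:
+- name: v1alpha1
+schema:
+openAPIV3Schema:
+description: Assign is the Schema for the assign API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: AssignSpec defines the desired state of Assign
+properties:
+applyTo:
+description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster Important: Run "make" to regenerate code after modifying this file'
+items:
+description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
+properties:
+groups:
+items:
+type: string
+type: array
+kinds:
+items:
+type: string
+type: array
+versions:
+items:
+type: string
+type: array
+type: object
+type: array
+location:
+type: string
+match:
+description: Match selects objects to apply mutations to.
+properties:
+excludedNamespaces:
+items:
+type: string
+type: array
+kinds:
+items:
+description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
+properties:
+apiGroups:
+description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
+items:
+type: string
+type: array
+kinds:
+items:
+type: string
+type: array
+type: object
+type: array
+labelSelector:
+description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+properties:
+matchExpressions:
+description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+items:
+description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+properties:
+key:
+description: key is the label key that the selector applies to.
+type: string
+operator:
+description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+type: string
+values:
+description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+items:
+type: string
+type: array
+required:
+- key
+- operator
+type: object
+type: array
+matchLabels:
+additionalProperties:
+type: string
+description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+type: object
+type: object
+namespaceSelector:
+description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+properties:
+matchExpressions:
+description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+items:
+description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+properties:
+key:
+description: key is the label key that the selector applies to.
+type: string
+operator:
+description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+type: string
+values:
+description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+items:
+type: string
+type: array
+required:
+- key
+- operator
+type: object
+type: array
+matchLabels:
+additionalProperties:
+type: string
+description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+type: object
+type: object
+namespaces:
+items:
+type: string
+type: array
+scope:
+description: ResourceScope is an enum defining the different scopes available to a custom resource
+type: string
+type: object
+parameters:
+properties:
+assign:
+description: Assign.value holds the value to be assigned
+type: object
+x-kubernetes-preserve-unknown-fields: true
+assignIf:
+description: once https://github.com/kubernetes-sigs/controller-tools/pull/528 is merged, we can use an actual object
+type: object
+pathTests:
+items:
+description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate"
+properties:
+condition:
+description: Condition describes whether the path either MustExist or MustNotExist in the original object
+enum:
+- MustExist
+- MustNotExist
+type: string
+subPath:
+type: string
+type: object
+type: array
+type: object
+type: object
+status:
+description: AssignStatus defines the observed state of Assign
+properties:
+byPod:
+items:
+description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus
+properties:
+enforced:
+type: boolean
+errors:
+items:
+description: MutatorError represents a single error caught while adding a mutator to a system
+properties:
+message:
+type: string
+required:
+- message
+type: object
+type: array
+id:
+type: string
+mutatorUID:
+description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
+type: string
+observedGeneration:
+format: int64
+type: integer
+operations:
+items:
+type: string
+type: array
+type: object
+type: array
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}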


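--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,173 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.5.0
+labels:
+gatekeeper.sh/system: "yes"
+name: assignmetadata.mutations.gatekeeper.sh
+spec:
+group: mutations.gatekeeper.sh
+names:
+kind: AssignMetadata
+listKind: AssignMetadataList
+plural: assignmetadata
+singular: assignmetadata
+scope: Cluster
+versions:
+- name: v1alpha1
+schema:
+openAPIV3Schema:
+description: AssignMetadata is the Schema for the assignmetadata API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: AssignMetadataSpec defines the desired state of AssignMetadata
+properties:
+location:
+type: string
+match:
+description: Match selects objects to apply mutations to.
+properties:
+excludedNamespaces:
+items:
+type: string
+type: array
+kinds:
+items:
+description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
+properties:
+apiGroups:
+description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
+items:
+type: string
+type: array
+kinds:
+items:
+type: string
+type: array
+type: object
+type: array
+labelSelector:
+description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+properties:
+matchExpressions:
+description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+items:
+description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+properties:
+key:
+description: key is the label key that the selector applies to.
+type: string
+operator:
+description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+type: string
+values:
+description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+items:
+type: string
+type: array
+required:
+- key
+- operator
+type: object
+type: array
+matchLabels:
+additionalProperties:
+type: string
+description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+type: object
+type: object
+namespaceSelector:
+description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+properties:
+matchExpressions:
+description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+items:
+description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+properties:
+key:
+description: key is the label key that the selector applies to.
+type: string
+operator:
+description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+type: string
+values:
+description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+items:
+type: string
+type: array
+required:
+- key
+- operator
+type: object
+type: array
+matchLabels:
+additionalProperties:
+type: string
+description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+type: object
+type: object
+namespaces:
+items:
+type: string
+type: array
+scope:
+description: ResourceScope is an enum defining the different scopes available to a custom resource
+type: string
+type: object
+parameters:
+properties:
+assign:
+description: Assign.value holds the value to be assigned
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type: object
+type: object
+status:
+description: AssignMetadataStatus defines the observed state of AssignMetadata
+properties:
+byPod:
+description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
+items:
+description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus
+properties:
+enforced:
+type: boolean
+errors:
+items:
+description: MutatorError represents a single error caught while adding a mutator to a system
+properties:
+message:
+type: string
+required:
+- message
+type: object
+type: array
+id:
+type: string
+mutatorUID:
+description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
+type: string
+observedGeneration:
+format: int64
+type: integer
+operations:
+items:
+type: string
+type: array
+type: object
+type: array
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}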


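--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,102 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.5.0
+labels:
+gatekeeper.sh/system: "yes"
+name: configs.config.gatekeeper.sh
+spec:
+group: config.gatekeeper.sh
+names:
+kind: Config
+listKind: ConfigList
+plural: configs
+singular: config
+scope: Namespaced
+versions:
+- name: v1alpha1
+schema:
+openAPIV3Schema:
+description: Config is the Schema for the configs API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: ConfigSpec defines the desired state of Config
+properties:
+match:
+description: Configuration for namespace exclusion
+items:
+properties:
+excludedNamespaces:
+items:
+type: string
+type: array
+processes:
+items:
+type: string
+type: array
+type: object
+type: array
+readiness:
+description: Configuration for readiness tracker
+properties:
+statsEnabled:
+type: boolean
+type: object
+sync:
+description: Configuration for syncing k8s objects
+properties:
+syncOnly:
+description: If non-empty, only entries on this list will be replicated into OPA
+items:
+properties:
+group:
+type: string
+kind:
+type: string
+version:
+type: string
+type: object
+type: array
+type: object
+validation:
+description: Configuration for validation
+properties:
+traces:
+description: List of requests to trace. Both "user" and "kinds" must be specified
+items:
+properties:
+dump:
+description: Also dump the state of OPA with the trace. Set to `All` to dump everything.
+type: string
+kind:
+description: Only trace requests of the following GroupVersionKind
+properties:
+group:
+type: string
+kind:
+type: string
+version:
+type: string
+type: object
+user:
+description: Only trace requests from the specified user
+type: string
+type: object
+type: array
+type: object
+type: object
+status:
+description: ConfigStatus defines the observed state of Config
+type: object
+type: object
+served: true
+storage: true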


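--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,66 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.5.0
+labels:
+gatekeeper.sh/system: "yes"
+name: constraintpodstatuses.status.gatekeeper.sh
+spec:
+group: status.gatekeeper.sh
+names:
+kind: ConstraintPodStatus
+listKind: ConstraintPodStatusList
+plural: constraintpodstatuses
+singular: constraintpodstatus
+scope: Namespaced
+versions:
+- name: v1beta1
+schema:
+openAPIV3Schema:
+description: ConstraintPodStatus is the Schema for the constraintpodstatuses API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+status:
+description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus
+properties:
+constraintUID:
+description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch
+type: string
+enforced:
+type: boolean
+errors:
+items:
+description: Error represents a single error caught while adding a constraint to OPA
+properties:
+code:
+type: string
+location:
+type: string
+message:
+type: string
+required:
+- code
+- message
+type: object
+type: array
+id:
+type: string
+observedGeneration:
+format: int64
+type: integer
+operations:
+items:
+type: string
+type: array
+type: object
+type: object
+served: true
+storage: true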


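--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,197 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+controller-gen.kubebuilder.io/version: v0.5.0
+labels:
+gatekeeper.sh/system: "yes"
+name: constrainttemplates.templates.gatekeeper.sh
+spec:
+group: templates.gatekeeper.sh
+names:
+kind: ConstraintTemplate
+listKind: ConstraintTemplateList
+plural: constrainttemplates
+singular: constrainttemplate
+scope: Cluster
+versions:
+- name: v1alpha1
+schema:
+openAPIV3Schema:
+description: ConstraintTemplate is the Schema for the constrainttemplates API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate
+properties:
+crd:
+properties:
+spec:
+properties:
+names:
+properties:
+kind:
+type: string
+shortNames:
+items:
+type: string
+type: array
+type: object
+validation:
+properties:
+openAPIV3Schema:
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type: object
+type: object
+type: object
+targets:
+items:
+properties:
+libs:
+items:
+type: string
+type: array
+rego:
+type: string
+target:
+type: string
+type: object
+type: array
+type: object
+status:
+description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate
+properties:
+byPod:
+items:
+description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
+properties:
+errors:
+items:
+description: CreateCRDError represents a single error caught during parsing, compiling, etc.
+properties:
+code:
+type: string
+location:
+type: string
+message:
+type: string
+required:
+- code
+- message
+type: object
+type: array
+id:
+description: a unique identifier for the pod that wrote the status
+type: string
+observedGeneration:
+format: int64
+type: integer
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type: array
+created:
+type: boolean
+type: object
+type: object
+served: true
+storage: false
+subresources:
+status: {}
+- name: v1beta1
+schema:
+openAPIV3Schema:
+description: ConstraintTemplate is the Schema for the constrainttemplates API
+properties:
+apiVersion:
+description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+type: string
+kind:
+description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+type: string
+metadata:
+type: object
+spec:
+description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate
+properties:
+crd:
+properties:
+spec:
+properties:
+names:
+properties:
+kind:
+type: string
+shortNames:
+items:
+type: string
+type: array
+type: object
+validation:
+properties:
+openAPIV3Schema:
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type: object
+type: object
+type: object
+targets:
+items:
+properties:
+libs:
+items:
+type: string
+type: array
+rego:
+type: string
+target:
+type: string
+type: object
+type: array
+type: object
+status:
+description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate
+properties:
+byPod:
+items:
+description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
+properties:
+errors:
+items:
+description: CreateCRDError represents a single error caught during parsing, compiling, etc.
+properties:
+code:
+type: string
+location:
+type: string
+message:
+type: string
+required:
+- code
+- message
+type: object
+type: array
+id:
+description: a unique identifier for the pod that wrote the status
+type: string
+observedGeneration:
+format: int64
+type: integer
+type: object
+x-kubernetes-preserve-unknown-fields: true
+type: array
+created:
+type: boolean
+type: object
+type: object
+served: true
+storage: true
+subresources:
+status: {}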


@ -0,0 +1,65 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: constrainttemplatepodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ConstraintTemplatePodStatus
listKind: ConstraintTemplatePodStatusList
plural: constrainttemplatepodstatuses
singular: constrainttemplatepodstatus
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: object
served: true
storage: true


@ -0,0 +1,61 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
labels:
gatekeeper.sh/system: "yes"
name: mutatorpodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: MutatorPodStatus
listKind: MutatorPodStatusList
plural: mutatorpodstatuses
singular: mutatorpodstatus
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: MutatorPodStatus is the Schema for the mutationpodstatuses API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system
properties:
message:
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: object
served: true
storage: true


@ -1,39 +0,0 @@
# Gatekeeper Helm Chart
## Parameters
| Parameter | Description | Default |
| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| enableDeleteOperations | Enable validating webhook for delete operations | `false` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.3.0` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `1` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| customResourceDefinitions.create | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true` |
## Contributing Changes
This Helm chart is autogenerated from the Gatekeeper static manifest. The
generator code lives under `cmd/build/helmify`. To make modifications to this
template, please edit `kustomization.yaml` and `replacements.go` under that
directory and then run `make manifests`. Your changes will show up in the
`manifest_staging` directory and will be promoted to the root `charts` directory
the next time a Gatekeeper release is cut.


@ -7,8 +7,8 @@ annotations:
catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
catalog.cattle.io/release-name: rancher-gatekeeper
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v1
appVersion: v3.3.0
apiVersion: v2
appVersion: v3.5.1
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
@ -19,4 +19,4 @@ keywords:
name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 100.0.0+up3.3.0
version: 100.0.0+up3.5.1
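Review bot: The move to `apiVersion: v2` together with the `apiextensions.k8s.io/v1` CRDs and `admissionregistration.k8s.io/v1` webhook configurations elsewhere in this commit raises the minimum cluster version (those APIs exist from Kubernetes 1.16), but Chart.yaml declares no constraint, so Helm will install on an older API server and only fail when the manifests are applied. Add `kubeVersion: ">= 1.16.0-0"` (or the `catalog.cattle.io/kube-version` annotation the Rancher catalog reads) so the floor is enforced at install time; confirm the exact floor against the upstream chart for 3.5.1. `apiVersion: v2` also drops Helm 2 entirely, which the chart description does not mention.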


@ -0,0 +1,113 @@
# Gatekeeper Helm Chart
## Get Repo Info
```console
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
```console
# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
_See [parameters](#parameters) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Upgrade Chart
**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
```console
$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
```console
$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
```
**Upgrading from >= v3.4.0**
```console
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
```
_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._
## Exempting Namespace
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
## Parameters
| Parameter | Description | Default |
| :--------------------------------------------| :--------------------------------------------------------------------------------------| :-------------------------------------------------------------------------|
| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `line/kubectl-kustomize` |
| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| enableDeleteOperations | Enable validating webhook for delete operations | `false` |
| experimentalEnableMutation | Enable mutation (alpha feature) | `false` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.5.1` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
| podCountLimit | The maximum number of Gatekeeper pods to run | `100` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |
| service.type | Service type | `ClusterIP` |
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
## Contributing Changes
This Helm chart is autogenerated from the Gatekeeper static manifest. The
generator code lives under `cmd/build/helmify`. To make modifications to this
template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and
`replacements.go` under that directory and then run `make manifests`. Your
changes will show up in the `manifest_staging` directory and will be promoted
to the root `charts` directory the next time a Gatekeeper release is cut.


@ -1,3 +1,4 @@
{{/*
Expand the name of the chart.
*/}}
@ -31,16 +32,12 @@ Create chart name and version as used by the chart label.
{{- end -}}
{{/*
Common labels
Adds additional pod labels to the common ones
*/}}
{{- define "gatekeeper.labels" -}}
app.kubernetes.io/name: {{ include "gatekeeper.name" . }}
helm.sh/chart: {{ include "gatekeeper.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- define "gatekeeper.podLabels" -}}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- define "system_default_registry" -}}
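Review bot: `gatekeeper.podLabels` emits user-supplied labels before the fixed `app`, `chart` and `control-plane` labels at its call sites in the audit and controller-manager deployments, so a `podLabels` entry reusing one of those keys produces a duplicate mapping key in the rendered YAML; strict parsers reject that and lenient ones silently keep whichever comes last, which can break the deployments' selectors. Either filter reserved keys in the helper or document the constraint in values.yaml: `# podLabels must not reuse app/chart/control-plane/gatekeeper.sh/* keys; they are selector labels`. The hard-coded `nindent 8` also ties the helper to one call-site depth — passing the indent in would make it reusable. The `define` that was replaced starts outside the hunk.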


@ -24,9 +24,10 @@ spec:
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
@ -35,6 +36,8 @@ spec:
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
spec:
affinity:
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- args:
@ -43,6 +46,7 @@ spec:
- --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
- --audit-from-cache={{ .Values.auditFromCache }}
- --audit-chunk-size={{ .Values.auditChunkSize }}
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
- --emit-audit-events={{ .Values.emitAuditEvents }}
- --operation=audit
- --operation=status
@ -77,8 +81,8 @@ spec:
httpGet:
path: /readyz
port: 9090
resources:
{{ toYaml .Values.audit.resources | indent 10 }}
resources:
{{- toYaml .Values.audit.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
@ -88,16 +92,13 @@ spec:
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
nodeSelector:
{{ toYaml .Values.audit.nodeSelector | indent 8 }}
affinity:
{{ toYaml .Values.audit.affinity | indent 8 }}
tolerations:
{{ toYaml .Values.audit.tolerations | indent 8 }}
hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- if .Values.audit.priorityClassName }}
{{- toYaml .Values.image.pullSecrets | nindent 8 }}
nodeSelector:
{{- toYaml .Values.audit.nodeSelector | nindent 8 }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
tolerations:
{{- toYaml .Values.audit.tolerations | nindent 8 }}
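Review bot: `hostNetwork: {{ .Values.audit.hostNetwork }}` is rendered with no accompanying `dnsPolicy`, so setting it to `true` also switches the pod to the node's resolver (Kubernetes only keeps cluster DNS for host-network pods with `dnsPolicy: ClusterFirstWithHostNet`) and binds the container's listeners on every node interface. The controller-manager deployment in this commit has the same pattern, and there the webhook's `--port=8443` would become reachable on the node network. Pair the knob with `{{- if .Values.audit.hostNetwork }}dnsPolicy: ClusterFirstWithHostNet{{- end }}` and add a values.yaml comment such as `# hostNetwork: true shares the node's network namespace; enable only when pod IPs cannot reach the API server`. The pod spec continues outside the hunk.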


@ -24,9 +24,10 @@ spec:
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
@ -36,26 +37,22 @@ spec:
release: '{{ .Release.Name }}'
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: gatekeeper.sh/operation
operator: In
values:
- webhook
topologyKey: kubernetes.io/hostname
weight: 100
{{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- args:
- --port=8443
- --logtostderr
- --log-denies={{ .Values.logDenies }}
- --emit-admission-events={{ .Values.emitAdmissionEvents }}
- --log-level={{ .Values.logLevel }}
- --exempt-namespace=gatekeeper-system
- --exempt-namespace={{ .Release.Namespace }}
- --operation=webhook
- --enable-mutation={{ .Values.experimentalEnableMutation}}
{{- range .Values.disabledBuiltins}}
- --disable-opa-builtin={{ . }}
{{- end }}
command:
- /manager
env:
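Review bot: `{{- range .Values.disabledBuiltins}}` is new, and values.yaml in this commit ships the key as a bare `disabledBuiltins:` (null), so by default no Rego builtin is disabled and the README added alongside never lists the option. Because `--disable-opa-builtin` is what limits which builtins constraint-template Rego may call (network-capable ones such as `http.send` are the usual candidates when templates come from several authors), it deserves an explicit default and a comment: `disabledBuiltins: []  # passed as --disable-opa-builtin; consider http.send`. `--enable-mutation={{ .Values.experimentalEnableMutation}}` is missing the space before `}}` that every other action in the file has. The container spec continues outside the hunk.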
@ -89,8 +86,8 @@ spec:
httpGet:
path: /readyz
port: 9090
resources:
{{ toYaml .Values.controllerManager.resources | indent 10 }}
resources:
{{- toYaml .Values.controllerManager.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
@ -104,19 +101,16 @@ spec:
- mountPath: /certs
name: cert
readOnly: true
nodeSelector:
{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }}
affinity:
{{ toYaml .Values.controllerManager.affinity | indent 8 }}
tolerations:
{{ toYaml .Values.controllerManager.tolerations | indent 8 }}
hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets:
{{ toYaml .Values.image.pullSecrets | indent 8 }}
{{- if .Values.controllerManager.priorityClassName }}
{{- toYaml .Values.image.pullSecrets | nindent 8 }}
nodeSelector:
{{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
tolerations:
{{- toYaml .Values.controllerManager.tolerations | nindent 8 }}
volumes:
- name: cert
secret:


@ -0,0 +1,22 @@
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
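Review bot: `apiVersion: policy/v1beta1` is the deprecated PodDisruptionBudget version; `policy/v1` is served from Kubernetes 1.21 and the beta API is removed in 1.25, at which point this new template stops installing. Select the version from cluster capabilities instead: `apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (.Capabilities.APIVersions.Has "policy/v1") }}`. The selector also depends on the `gatekeeper.sh/operation: webhook` pod label, which is not visible in the controller-manager deployment hunks of this commit — confirm the pod template carries it, otherwise the budget matches no pods and gives no eviction protection.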


@ -0,0 +1,21 @@
apiVersion: v1
kind: ResourceQuota
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-critical-pods
namespace: '{{ .Release.Namespace }}'
spec:
hard:
pods: {{ .Values.podCountLimit }}
scopeSelector:
matchExpressions:
- operator: In
scopeName: PriorityClass
values:
- {{ .Values.controllerManager.priorityClassName }}
- {{ .Values.audit.priorityClassName }}
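Review bot: The two `scopeSelector` values are rendered unconditionally from `controllerManager.priorityClassName` and `audit.priorityClassName`, while the deployments in this commit wrap the same values in `{{- if ... }}` guards; an operator who blanks one of them to opt out of the critical priority class therefore gets an empty `- ` item and an invalid ResourceQuota. Apply the same guard around each item (and skip the second when both values are equal, to avoid a duplicate entry). A values.yaml comment would also explain why the quota exists: `# podCountLimit caps pods using the priority classes above; on clusters that restrict system-cluster-critical to quota-bearing namespaces this quota is what lets gatekeeper schedule`.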


@ -137,3 +137,17 @@ rules:
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resourceNames:
- gatekeeper-mutating-webhook-configuration
resources:
- mutatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
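Review bot: `create` is listed under a `resourceNames`-scoped rule, but RBAC cannot authorise create by resource name (the name is not known at authorization time), so that verb is inert here and should be dropped for least privilege, or granted in a separate unscoped rule if gatekeeper genuinely creates the object. `list` and `watch` in a name-restricted rule only match when the request selects that single object, so presumably gatekeeper only performs `get`/`update`/`patch` on it, as with the pre-existing validating-webhook rule above. Since the MutatingWebhookConfiguration itself is only rendered when `experimentalEnableMutation` is set, wrapping this rule in the same `{{- if .Values.experimentalEnableMutation }}` keeps the grant off by default. The `rules` list starts outside the hunk.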


@ -0,0 +1,40 @@
{{- if .Values.experimentalEnableMutation }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/mutate
failurePolicy: Ignore
matchPolicy: Exact
name: mutation.gatekeeper.sh
namespaceSelector:
matchExpressions:
- key: admission.gatekeeper.sh/ignore
operator: DoesNotExist
rules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*'
sideEffects: None
timeoutSeconds: 3
{{- end }}
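Review bot: The mutating webhook hard-codes `timeoutSeconds: 3` and `failurePolicy: Ignore`, whereas the validating webhook in this chart takes its timeout from `validatingWebhookTimeoutSeconds`; with `Ignore`, any timeout or outage admits the object unmutated, a silent policy bypass rather than an error. Expose the timeout as a value (e.g. `timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}`, a new key) and state the fail-open default in the README parameter table. The rules match every group, version and resource for CREATE/UPDATE, so the `admission.gatekeeper.sh/ignore` namespace exemption — applied to the release namespace by the post-install Job in this commit — is what keeps gatekeeper from mutating its own pods; a comment on `namespaceSelector:` saying so would help. The resource also lacks the `gatekeeper.sh/system: "yes"` label the chart's other objects carry.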


@ -1,8 +1,7 @@
{{- if not .Values.disableValidatingWebhook }}
apiVersion: admissionregistration.k8s.io/v1beta1
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
creationTimestamp: null
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
@ -11,13 +10,16 @@ metadata:
release: '{{ .Release.Name }}'
name: gatekeeper-validating-webhook-configuration
webhooks:
- clientConfig:
caBundle: Cg==
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/admit
failurePolicy: Ignore
matchPolicy: Exact
name: validation.gatekeeper.sh
namespaceSelector:
matchExpressions:
@ -38,13 +40,16 @@ webhooks:
- '*'
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
- clientConfig:
caBundle: Cg==
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/admitlabel
failurePolicy: Fail
matchPolicy: Exact
name: check-ignore-label.gatekeeper.sh
rules:
- apiGroups:
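Review bot: With `caBundle: Cg==` removed from both webhooks, the configuration is installed with no CA and relies on gatekeeper's in-cluster certificate controller to patch one in; until that happens the API server cannot verify the webhook's serving certificate, and because the first webhook keeps `failurePolicy: Ignore`, admission requests in that window pass unchecked. That was already the case with the placeholder, but a template comment next to each `clientConfig:` such as `# caBundle is injected at runtime by gatekeeper's cert controller; do not set it here` would stop the next maintainer re-adding a placeholder. The validation webhook's `failurePolicy` is the chart's fail-open default and, unlike the timeout, is not exposed as a value.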


@ -1,8 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
annotations:
{{- toYaml .Values.secretAnnotations | trim | nindent 4 }}
annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }}
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'


@ -10,6 +10,12 @@ metadata:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
spec:
{{- if .Values.service }}
type: {{ .Values.service.type | default "ClusterIP" }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- end }}
ports:
- port: 443
targetPort: 8443
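Review bot: `service.type` lets the webhook Service become `NodePort` or `LoadBalancer`, which exposes the admission endpoint behind `targetPort: 8443` beyond the cluster network even though only the API server needs to reach it, and the README row for `service.loadBalancerIP` carries no such caveat. Add a values.yaml comment: `# service.type other than ClusterIP exposes the admission webhook outside the cluster; only the API server should reach it`. `loadBalancerIP: {{ .Values.service.loadBalancerIP }}` should be quoted (`{{ .Values.service.loadBalancerIP | quote }}`) so it always renders as a string. The `{{- if .Values.service }}` guard is false for the default `service: {}`, which is harmless because the Service then falls back to ClusterIP, but it means `type` is only emitted once any key is set.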


@ -0,0 +1,98 @@
{{- if .Values.postInstall.labelNamespace.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-update-namespace-label
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
spec:
restartPolicy: OnFailure
{{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
imagePullSecrets:
{{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label
nodeSelector:
kubernetes.io/os: linux
containers:
- name: kubectl-label
image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
command:
- kubectl
- label
- ns
- {{ .Release.Namespace }}
- admission.gatekeeper.sh/ignore=no-self-managing
- --overwrite
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- update
- patch
resourceNames:
- {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gatekeeper-update-namespace-label
subjects:
- kind: ServiceAccount
name: gatekeeper-update-namespace-label
namespace: {{ .Release.Namespace | quote }}
{{- end }}
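Review bot: The `kubectl-label` container has no `securityContext`, unlike the audit and controller-manager containers in this commit, which set `allowPrivilegeEscalation: false`, drop capabilities and run as non-root; a hook Job that holds namespace write RBAC should meet the same baseline (the `runAsNonRoot`/`runAsUser` pair below assumes the kubectl image tolerates a non-root UID — confirm). The pod also uses the deprecated `serviceAccount:` field instead of `serviceAccountName:`, and `{{ .Release.Namespace }}` is rendered unquoted in the command args and in `resourceNames` while the RoleBinding subject quotes it — a namespace named e.g. `on` or `123` is a valid DNS label but would be retyped by YAML, so quote all three. The image reference also bypasses the `system_default_registry` helper that `_helpers.tpl` defines, which presumably matters for air-gapped Rancher installs that mirror images through `global.cattle.systemDefaultRegistry`.

```yaml
      serviceAccountName: gatekeeper-update-namespace-label
      # … unchanged: nodeSelector …
      containers:
        - name: kubectl-label
          # … unchanged: image, imagePullPolicy …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
            runAsNonRoot: true
            runAsUser: 1000
          command:
            - kubectl
            - label
            - ns
            - {{ .Release.Namespace | quote }}
            # … unchanged: label argument and --overwrite …
```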


@ -1,9 +1,12 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "mutations.gatekeeper.sh/v1alpha1/Assign" false -}}
# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignMetadata" false -}}
# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}}
# {{- set $found "templates.gatekeeper.sh/v1beta1/ConstraintTemplate" false -}}
# {{- set $found "templates.gatekeeper.sh/v1alpha1/ConstraintTemplate" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
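Review bot: Every line of this file is prefixed with `#`, but Helm evaluates `{{ }}` actions before the result is parsed as YAML, so the `lookup`, `set` and `range` calls here still run on every install and upgrade — a `#` prefix does not disable template logic, only a `{{/* ... */}}` comment does. The additions therefore grow a block that looks dead but is live, and whose effect (whatever follows the range, outside this hunk) is hidden from readers. Either delete the file or wrap the whole thing in one `{{/* ... */}}` comment with a one-line note on why it is parked. The `if` opened on the first line is closed outside the hunk.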


@ -1,23 +1,37 @@
replicas: 3
auditInterval: 300
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
disableValidatingWebhook: false
validatingWebhookTimeoutSeconds: 3
enableDeleteOperations: false
experimentalEnableMutation: false
auditChunkSize: 0
logLevel: INFO
logDenies: false
emitAdmissionEvents: false
emitAuditEvents: false
postInstall:
labelNamespace:
enabled: true
image:
repository: rancher/kubectl
tag: v1.20.2
pullPolicy: IfNotPresent
pullSecrets: []
image:
repository: rancher/mirrored-openpolicyagent-gatekeeper
tag: v3.3.0
tag: v3.5.1
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations:
{ container.seccomp.security.alpha.kubernetes.io/manager: runtime/default }
podLabels: {}
podCountLimit: 100
secretAnnotations: {}
controllerManager:
hostNetwork: false
priorityClassName: system-cluster-critical
affinity:
podAntiAffinity:
@ -41,6 +55,7 @@ controllerManager:
cpu: 100m
memory: 256Mi
audit:
hostNetwork: false
priorityClassName: system-cluster-critical
affinity: {}
tolerations: []
@ -52,9 +67,14 @@ audit:
requests:
cpu: 100m
memory: 256Mi
pdb:
controllerManager:
minAvailable: 1
global:
cattle:
systemDefaultRegistry: ""
kubectl:
repository: rancher/kubectl
tag: v1.20.2
service: {}
disabledBuiltins:
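Review bot: `disabledBuiltins:` is left as a bare key, which YAML reads as null; write `disabledBuiltins: []` so the intent (no builtins disabled) is explicit and the `range` in the controller-manager template iterates an empty list rather than nil. The defaults here also disagree with the README added in this commit: it lists `postInstall.labelNamespace.image.repository` as `line/kubectl-kustomize` with tag `1.20.4-4.0.5` and `image.repository` as `openpolicyagent/gatekeeper`, while this file ships `rancher/kubectl` `v1.20.2` and `rancher/mirrored-openpolicyagent-gatekeeper`, so one of the two needs updating. `global.kubectl.repository`/`tag` duplicate the `postInstall.labelNamespace.image` values and are not referenced by any template in this commit, so they look like leftovers. `service: {}` is a fine default, but a comment that `type` only takes effect once a key is set would save a reader a trip to the template.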



@ -1,6 +0,0 @@
{{- if .Values.customResourceDefinitions.create }}
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
{{ $.Files.Get $path }}
---
{{- end }}
{{- end }}


@ -1,14 +0,0 @@
{{- if .Values.createNamespace }}
apiVersion: v1
kind: Namespace
metadata:
labels:
admission.gatekeeper.sh/ignore: no-self-managing
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-system
{{- end }}


@ -1,8 +1,8 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -1,10 +1,21 @@
apiVersion: v1
appVersion: v3.3.0
apiVersion: v2
appVersion: v3.5.1
-description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
@ -13,7 +13,7 @@
+name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 3.3.0
version: 3.5.1
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+annotations:
+ catalog.cattle.io/certified: rancher


@ -1,11 +1,11 @@
--- charts-original/README.md
+++ charts/README.md
@@ -4,7 +4,7 @@
| Parameter | Description | Default |
| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
-| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
@@ -69,7 +69,7 @@
| postInstall.labelNamespace.image.tag | Image tag | `1.20.4-4.0.5` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
-| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |


@ -1,11 +0,0 @@
--- charts-original/crds/config-customresourcedefinition.yaml
+++ charts/crds/config-customresourcedefinition.yaml
@@ -3,8 +3,6 @@
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
creationTimestamp: null
labels:
gatekeeper.sh/system: "yes"


@ -1,11 +0,0 @@
--- charts-original/crds/constraintpodstatus-customresourcedefinition.yaml
+++ charts/crds/constraintpodstatus-customresourcedefinition.yaml
@@ -3,8 +3,6 @@
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
creationTimestamp: null
labels:
gatekeeper.sh/system: "yes"


@ -1,12 +0,0 @@
--- charts-original/crds/constrainttemplate-customresourcedefinition.yaml
+++ charts/crds/constrainttemplate-customresourcedefinition.yaml
@@ -1,9 +1,6 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
- annotations:
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
creationTimestamp: null
labels:
gatekeeper.sh/system: "yes"


@ -1,11 +0,0 @@
--- charts-original/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
+++ charts/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
@@ -3,8 +3,6 @@
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
- helm.sh/hook: crd-install
- helm.sh/hook-delete-policy: before-hook-creation
creationTimestamp: null
labels:
gatekeeper.sh/system: "yes"


@ -1,9 +1,12 @@
--- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl
@@ -42,3 +42,11 @@
@@ -38,4 +38,12 @@
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
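Review bot: The new `system_default_registry` define at the end of this hunk has no comment, and its body continues past the section, so what it yields when `global.cattle.systemDefaultRegistry` is empty (the default this commit sets in values.yaml is `""`) cannot be checked here. A one-line comment above the define, stating what the helper returns when the value is set and when it is empty, would document the contract for chart users; confirm it against the body, which is outside this hunk. The surrounding template also ends without a trailing newline in the old version, which the patch fixes while appending the define.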


@ -1,8 +0,0 @@
--- charts-original/templates/gatekeeper-admin-serviceaccount.yaml
+++ charts/templates/gatekeeper-admin-serviceaccount.yaml
@@ -8,4 +8,4 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'


@ -1,15 +1,6 @@
--- charts-original/templates/gatekeeper-audit-deployment.yaml
+++ charts/templates/gatekeeper-audit-deployment.yaml
@@ -10,7 +10,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-audit
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
spec:
replicas: 1
selector:
@@ -59,7 +59,7 @@
@@ -63,7 +63,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name


@ -1,15 +1,6 @@
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -10,7 +10,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
spec:
replicas: {{ .Values.replicas }}
selector:
@@ -68,7 +68,7 @@
@@ -65,7 +65,7 @@
valueFrom:
fieldRef:
fieldPath: metadata.name


@ -1,11 +0,0 @@
--- charts-original/templates/gatekeeper-manager-role-role.yaml
+++ charts/templates/gatekeeper-manager-role-role.yaml
@@ -9,7 +9,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-role
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
rules:
- apiGroups:
- ""


@ -1,8 +0,0 @@
--- charts-original/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
+++ charts/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
@@ -15,4 +15,4 @@
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'


@ -1,17 +0,0 @@
--- charts-original/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
+++ charts/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
@@ -8,7 +8,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-rolebinding
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -16,4 +16,4 @@
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'


@ -1,20 +0,0 @@
--- charts-original/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ charts/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -15,7 +15,7 @@
caBundle: Cg==
service:
name: gatekeeper-webhook-service
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
path: /v1/admit
failurePolicy: Ignore
name: validation.gatekeeper.sh
@@ -42,7 +42,7 @@
caBundle: Cg==
service:
name: gatekeeper-webhook-service
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
path: /v1/admitlabel
failurePolicy: Fail
name: check-ignore-label.gatekeeper.sh


@ -1,8 +0,0 @@
--- charts-original/templates/gatekeeper-webhook-server-cert-secret.yaml
+++ charts/templates/gatekeeper-webhook-server-cert-secret.yaml
@@ -10,4 +10,4 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-server-cert
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'


@ -1,11 +0,0 @@
--- charts-original/templates/gatekeeper-webhook-service-service.yaml
+++ charts/templates/gatekeeper-webhook-service-service.yaml
@@ -8,7 +8,7 @@
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-service
- namespace: gatekeeper-system
+ namespace: '{{ .Release.Namespace }}'
spec:
ports:
- port: 443


@ -1,35 +1,39 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -1,8 +1,7 @@
@@ -1,5 +1,5 @@
replicas: 3
-auditInterval: 60
+auditInterval: 300
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
-createNamespace: true
disableValidatingWebhook: false
validatingWebhookTimeoutSeconds: 3
enableDeleteOperations: false
@@ -11,8 +10,8 @@
emitAdmissionEvents: false
emitAuditEvents: false
@@ -16,13 +16,13 @@
labelNamespace:
enabled: true
image:
- repository: line/kubectl-kustomize
- tag: 1.20.4-4.0.5
+ repository: rancher/kubectl
+ tag: v1.20.2
pullPolicy: IfNotPresent
pullSecrets: []
image:
- repository: openpolicyagent/gatekeeper
- release: v3.3.0
- release: v3.5.1
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.3.0
+ tag: v3.5.1
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations:
@@ -53,5 +52,9 @@
requests:
cpu: 100m
memory: 256Mi
-customResourceDefinitions:
- create: true
@@ -70,5 +70,11 @@
pdb:
controllerManager:
minAvailable: 1
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
service: {}
disabledBuiltins:
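Review bot: The kubectl image defaults in this patch (`repository: rancher/kubectl`, `tag: v1.20.2`, under both `postInstall.labelNamespace.image` and the new `global.kubectl` block) disagree with the README table near the top of this page, which still documents `postInstall.labelNamespace.image.tag` as `1.20.4-4.0.5`; the README patch should be updated to `v1.20.2` (and its repository row, if present, to `rancher/kubectl`). Because the same coordinates now live in two places, a comment on the `global.kubectl` block such as `# keep in sync with postInstall.labelNamespace.image` would reduce drift, unless the templates already derive one from the other, which is not visible here. The `auditInterval: 300` value is consistent with the README change in this commit.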


@ -1,4 +1,4 @@
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.3.0.tgz
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.5.1.tgz
version: 100.0.0
additionalCharts:
- workingDir: charts-crd


@ -1,5 +1,5 @@
apiVersion: v1
version: 3.3.0
version: 3.5.1
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application