[dev-v2.10] Remove OPA Gatekeeper from Rancher catalog (#4500)

pull/4524/head
Sakala Venkata Krishna Rohit 2024-10-01 10:41:13 -07:00 committed by GitHub
parent 68dd54d2c5
commit c67cf74b7e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
27 changed files with 0 additions and 946 deletions

@ -1,15 +0,0 @@
# Changelog
All notable changes from the upstream OPA Gatekeeper chart will be added to this file
## [Package Version 00] - 2020-09-10
### Added
- Enabled the CRD chart generator in `package.yaml`
### Modified
- Updated namespace to `cattle-gatekeeper-system`
- Updated for Helm 3 compatibility
- Moved crds to `crds` directory
- Removed `crd-install` hooks and templates from crds
### Removed
- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation
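Review bot: nothing of substance is lost with this changelog (it stops at Package Version 00, 2020-09-10, while package.yaml in the same commit is already at version 104.0.0 / appVersion v3.13.0), but the removal itself needs a release-note entry for 2.10 users: dropping a chart from the catalog does not uninstall it from clusters, so say whether an existing `rancher-gatekeeper` release should be `helm uninstall`ed before upgrading Rancher or is simply left unmanaged.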

@ -1,32 +0,0 @@
# Rancher OPA Gatekeeper
This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart.
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/).
The chart installs the following components:
- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster.
- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations.
- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources.
- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to).
For more information on how to configure the Helm chart, refer to the Helm README.
## Upgrading to Kubernetes v1.25+
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
> **Note:**
> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
> **Note:**
> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
>
> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
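Review bot: this README is the only place on the page that documents the `global.cattle.psp.enabled` migration and the failure mode where upgrading to Kubernetes v1.25+ before disabling PSPs leaves the Helm release unmanageable (`helm uninstall`/`helm upgrade` stop working). With the chart gone from the 2.10 catalog, that guidance, including the pointer to cleaning up release secrets, needs a home in the 2.10 docs for clusters that still run the last 2.9 version of the chart.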

@ -1,35 +0,0 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
spec:
crd:
spec:
names:
kind: K8sAllowedRepos
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
repos:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sallowedrepos
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
violation[{"msg": msg}] {
container := input.review.object.spec.initContainers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
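Review bot: the allowlist check in `satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]` is a bare string-prefix match, so an entry such as `registry.example.com` also admits `registry.example.com.attacker.test/app` or `registry.example.comx/app`; anyone carrying this template forward after the removal should require `repos` entries to end in `/` (or compare the parsed registry host) and document that entries are prefixes, not hosts. The rule also only walks `spec.containers` and `spec.initContainers`, so `spec.ephemeralContainers` are never inspected.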

@ -1,57 +0,0 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
message:
type: string
labels:
type: array
items:
type: object
properties:
key:
type: string
allowedRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
get_message(parameters, _default) = msg {
not parameters.message
msg := _default
}
get_message(parameters, _default) = msg {
msg := parameters.message
}
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_].key}
missing := required - provided
count(missing) > 0
def_msg := sprintf("you must provide labels: %v", [missing])
msg := get_message(input.parameters, def_msg)
}
violation[{"msg": msg}] {
value := input.review.object.metadata.labels[key]
expected := input.parameters.labels[_]
expected.key == key
# do not match if allowedRegex is not defined, or is an empty string
expected.allowedRegex != ""
not re_match(expected.allowedRegex, value)
def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
msg := get_message(input.parameters, def_msg)
}
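Review bot: `not re_match(expected.allowedRegex, value)` uses `re_match`, which OPA has deprecated in favour of `regex.match` (strict mode rejects it), and the match is unanchored, so an `allowedRegex` of `prod` also accepts `non-prod`; constraint authors must write `^prod$`, and the `allowedRegex` schema description should say so. Separately, `expected.allowedRegex != ""` is undefined when the field is absent, which is what makes the "not defined" half of the comment above it work; a note to that effect would stop the next editor from "fixing" it.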

@ -1,7 +0,0 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
#{{- if .Values.global.cattle.psp.enabled }}
#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
#{{- end }}
#{{- end }}
#{{- end }}
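Review bot: the leading `#` on every line does not disable the template actions (Helm evaluates `{{ }}` before the output is parsed as YAML, and `{{- fail ... -}}` still aborts the render), so this file is live, not dead code; the `lookup` guard exists because `lookup` returns an empty map under `helm template` and `--dry-run`, which is exactly when the PSP API check is skipped. A comment saying both things would stop a reader from deleting the file or from trusting a dry run to catch `global.cattle.psp.enabled: true` on a v1.25+ cluster.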

@ -1,32 +0,0 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -1,11 +1,26 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: OPA Gatekeeper
+ catalog.cattle.io/kube-version: '>= 1.20.0-0'
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
+ catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
+ catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.13.0
-description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
-icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
keywords:
- open policy agent
-name: gatekeeper
+- security
+name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 3.13.0
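Review bot: `catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'` already hides this chart from Rancher 2.10, so the deletion is consistent with what the annotation promises; what was missing all along is an upper bound on `catalog.cattle.io/kube-version: '>= 1.20.0-0'`, even though the chart still ships `policy/v1beta1` PodSecurityPolicy templates that cannot render on v1.25+. Note also `catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match`: the CRD chart has to disappear in the same commit (it does, further down), otherwise the catalog would be left offering an orphan CRD chart.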

@ -1,11 +0,0 @@
--- charts-original/README.md
+++ charts/README.md
@@ -129,7 +129,7 @@
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
-| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
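Review bot: the documented default for `auditInterval` changes from `60` to `300` here, but no hunk in the values.yaml patch further down touches `auditInterval` (that patch is shown in full, all 103 lines), so either the value change is missing from the patch or this table row should stay at `60`; the audit deployment passes `--audit-interval={{ .Values.auditInterval }}` straight through, so the documentation and the default must agree.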

@ -1,52 +0,0 @@
--- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl
@@ -40,12 +40,35 @@
{{- end }}
{{- end -}}
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
+
{{/*
Output post install webhook probe container entry
*/}}
{{- define "gatekeeper.postInstallWebhookProbeContainer" -}}
- name: webhook-probe-post
- image: "{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
+ image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
command:
- "curl"
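Review bot: `system_default_registry` appends `/` unconditionally, so a `global.cattle.systemDefaultRegistry` value that already ends in `/` yields `registry//rancher/...`; consider `printf "%s/" (.Values.global.cattle.systemDefaultRegistry | trimSuffix "/")`. The same helper is duplicated in the CRD chart's `_helpers.tpl` (without the `else` branch, which is equivalent); keep the two copies in sync.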
@@ -70,10 +93,10 @@
resources:
{{- toYaml .Values.postInstall.resources | nindent 4 }}
securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
- {{- end }}
+ {{- end }}
{{- toYaml .Values.postInstall.securityContext | nindent 4 }}
volumeMounts:
- mountPath: /certs
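Review bot: the only change in this hunk is the indentation of the `{{- if .Values.enableRuntimeDefaultSeccompProfile }}` / `{{- end }}` pair, and `{{-` trims the preceding whitespace anyway, so the hunk has no effect on the rendered output and only makes the patch more fragile against upstream chart bumps; drop it.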

@ -1,8 +0,0 @@
--- charts-original/templates/gatekeeper-admin-podsecuritypolicy.yaml
+++ charts/templates/gatekeeper-admin-podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.global.cattle.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
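Review bot: replacing `and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy")` with `.Values.global.cattle.psp.enabled` removes the only in-template guard against rendering a `policy/v1beta1` PodSecurityPolicy on a cluster that no longer serves that API; with the flag left `true` on v1.25+ the install fails at the API server, and the README above warns this can leave the release unmanageable. The commented-out validate-psp-install.yaml catches it on a real install but not under `helm template`/`--dry-run`, so keeping the `Capabilities` check here in addition to the global flag is cheap insurance.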

@ -1,52 +0,0 @@
--- charts-original/templates/gatekeeper-audit-deployment.yaml
+++ charts/templates/gatekeeper-audit-deployment.yaml
@@ -45,11 +45,7 @@
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- - {{- if .Values.image.release }}
- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
- {{- else }}
- image: {{ .Values.image.repository }}
- {{- end }}
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
args:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
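Review bot: the new image line renders `repository:tag` unconditionally, whereas upstream tolerated an empty `image.release` (untagged image); an empty `images.gatekeeper.tag` now produces `...gatekeeper:` and an invalid-image-name failure at pod start rather than at render time. Wrap it in `required`, e.g. `{{ required "images.gatekeeper.tag must be set" .Values.images.gatekeeper.tag }}`, so the misconfiguration fails in `helm install`.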
@@ -102,7 +98,7 @@
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
- imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
@@ -138,9 +134,11 @@
dnsPolicy: {{ .Values.audit.dnsPolicy }}
hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets:
- {{- toYaml .Values.image.pullSecrets | nindent 8 }}
- nodeSelector:
- {{- toYaml .Values.audit.nodeSelector | nindent 8 }}
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.audit.nodeSelector }}
+{{ toYaml .Values.audit.nodeSelector | indent 8 }}
+{{- end }}
{{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}
@@ -148,8 +146,10 @@
{{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
- tolerations:
- {{- toYaml .Values.audit.tolerations | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.audit.tolerations }}
+{{ toYaml .Values.audit.tolerations | indent 8 }}
+{{- end }}
volumes:
- name: cert
secret:

@ -1,52 +0,0 @@
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -44,11 +44,8 @@
{{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- - {{- if .Values.image.release }}
- image: {{ .Values.image.repository }}:{{ .Values.image.release }}
- {{- else }}
- image: {{ .Values.image.repository }}
- {{- end }}
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args:
- --port={{ .Values.controllerManager.port }}
- --health-addr=:{{ .Values.controllerManager.healthPort }}
@@ -113,7 +110,6 @@
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
- imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
@@ -150,9 +146,11 @@
dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets:
- {{- toYaml .Values.image.pullSecrets | nindent 8 }}
- nodeSelector:
- {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.controllerManager.nodeSelector }}
+{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }}
+{{- end }}
{{- if .Values.controllerManager.priorityClassName }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }}
@@ -160,8 +158,10 @@
{{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
- tolerations:
- {{- toYaml .Values.controllerManager.tolerations | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.controllerManager.tolerations }}
+{{ toYaml .Values.controllerManager.tolerations | indent 8 }}
+{{- end }}
topologySpreadConstraints:
{{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }}
volumes:

@ -1,11 +0,0 @@
--- charts-original/templates/gatekeeper-manager-role-clusterrole.yaml
+++ charts/templates/gatekeeper-manager-role-clusterrole.yaml
@@ -118,7 +118,7 @@
- patch
- update
- watch
-{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.global.cattle.psp.enabled }}
- apiGroups:
- policy
resourceNames:
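Review bot: this condition must stay identical to the one in gatekeeper-admin-podsecuritypolicy.yaml, otherwise the ClusterRole grants `use` on a PSP name that is never rendered (harmless) or the PSP is rendered with nobody allowed to use it (gatekeeper pods fail admission); factoring the expression into a named template such as `gatekeeper.pspEnabled` would make that drift impossible.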

@ -1,48 +0,0 @@
--- charts-original/templates/namespace-post-install.yaml
+++ charts/templates/namespace-post-install.yaml
@@ -47,7 +47,7 @@
{{- end }}
containers:
- name: kubectl-label
- image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
+ image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
args:
- label
@@ -68,7 +68,7 @@
{{- toYaml .Values.postInstall.securityContext | nindent 12 }}
{{- if .Values.postInstall.labelNamespace.extraNamespaces }}
- name: kubectl-label-extra
- image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
+ image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
args:
- label
@@ -88,12 +88,10 @@
{{- toYaml .Values.postInstall.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.postInstall }}
- nodeSelector:
- {{- toYaml .nodeSelector | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
affinity:
{{- toYaml .affinity | nindent 8 }}
- tolerations:
- {{- toYaml .tolerations | nindent 8 }}
{{- end }}
---
apiVersion: v1
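Review bot: inside the `{{- with .Values.postInstall }}` block the user-supplied `.nodeSelector` and `.tolerations` are no longer rendered at all; `nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}` replaces them instead of adding to them, so a `postInstall.nodeSelector` or `postInstall.tolerations` value (still present in values.yaml) is silently ignored for this job. The webhook-configs-pre-delete patch further down keeps both with an `{{- if .nodeSelector }}` / `{{ toYaml .nodeSelector | indent 8 }}` block; use the same pattern here.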
@@ -135,6 +133,12 @@
{{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
+ - apiGroups:
+ - management.cattle.io
+ resources:
+ - projects
+ verbs:
+ - updatepsa
{{- with .Values.postInstall.labelNamespace.extraRules }}
{{- toYaml . | nindent 2 }}
{{- end }}
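Review bot: the `updatepsa` rule on `management.cattle.io` `projects` is added without a comment and without `resourceNames`, so the label job's role can now exercise that Rancher-specific verb on every project; as far as I can tell it is needed because Rancher's webhook gates changes to `pod-security.kubernetes.io/*` namespace labels on project-level permission, and the patch should say so, and scope it if the job only ever labels namespaces in known projects.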

@ -1,48 +0,0 @@
--- charts-original/templates/namespace-post-upgrade.yaml
+++ charts/templates/namespace-post-upgrade.yaml
@@ -39,7 +39,7 @@
{{- end }}
containers:
- name: kubectl-label
- image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
+ image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
args:
- label
@@ -60,7 +60,7 @@
{{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
{{- if .Values.postUpgrade.labelNamespace.extraNamespaces }}
- name: kubectl-label-extra
- image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
+ image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
args:
- label
@@ -80,12 +80,10 @@
{{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
{{- end }}
{{- with .Values.postUpgrade }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
affinity:
{{- toYaml .affinity | nindent 8 }}
- tolerations:
- {{- toYaml .tolerations | nindent 8 }}
- nodeSelector:
- {{- toYaml .nodeSelector | nindent 8 }}
{{- end }}
---
apiVersion: v1
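Review bot: same drop of user-supplied `.nodeSelector` and `.tolerations` as in namespace-post-install.yaml: inside `{{- with .Values.postUpgrade }}` only the hard-coded linux selector and toleration are rendered now, so `postUpgrade.nodeSelector`/`postUpgrade.tolerations` become dead values; merge them under an `{{- if .nodeSelector }}` guard as webhook-configs-pre-delete.yaml does.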
@@ -126,6 +124,12 @@
{{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
+ - apiGroups:
+ - management.cattle.io
+ resources:
+ - projects
+ verbs:
+ - updatepsa
{{- end }}
---
{{- if .Values.rbac.create }}

@ -1,17 +0,0 @@
--- charts-original/templates/probe-webhook-post-install.yaml
+++ charts/templates/probe-webhook-post-install.yaml
@@ -40,12 +40,10 @@
containers:
{{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
{{- with .Values.postInstall }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
affinity:
{{- toYaml .affinity | nindent 8 }}
- tolerations:
- {{- toYaml .tolerations | nindent 8 }}
- nodeSelector:
- {{- toYaml .nodeSelector | nindent 8 }}
{{- end }}
backoffLimit: 3
{{- end }}
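Review bot: `postInstall.nodeSelector` and `postInstall.tolerations` are dropped for the probe job as well, and this is the third hook re-implementing (and this time forgetting) the same merge; the linux-selector-plus-user-values logic belongs in one helper, e.g. a `gatekeeper.linuxNodeScheduling` template that takes the hook's `.nodeSelector`/`.tolerations`, so every hook renders it the same way.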

@ -1,48 +0,0 @@
--- charts-original/templates/upgrade-crds-hook.yaml
+++ charts/templates/upgrade-crds-hook.yaml
@@ -87,7 +87,7 @@
spec:
serviceAccountName: gatekeeper-admin-upgrade-crds
restartPolicy: Never
- {{- if .Values.image.pullSecrets }}
+ {{- if .Values.images.pullSecrets }}
imagePullSecrets:
{{- toYaml .Values.image.pullSecrets | nindent 8 }}
{{- end }}
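Review bot: the guard now reads `{{- if .Values.images.pullSecrets }}` but the body still renders `{{- toYaml .Values.image.pullSecrets | nindent 8 }}`; with `image:` renamed to `images:` in values.yaml, `.Values.image.pullSecrets` is nil, so whenever pull secrets are configured the hook renders `imagePullSecrets: null` and the CRD upgrade job cannot pull from a private registry. Change the body to `.Values.images.pullSecrets`.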
@@ -96,20 +96,8 @@
{{- end }}
containers:
- name: crds-upgrade
- {{- if .Values.preInstall.crdRepository.image.repository }}
- {{- if not .Values.preInstall.crdRepository.image.tag }}
- image: '{{ .Values.preInstall.crdRepository.image.repository }}'
- {{- else }}
- image: '{{ .Values.preInstall.crdRepository.image.repository }}:{{ .Values.preInstall.crdRepository.image.tag }}'
- {{- end }}
- {{- else }}
- {{- if not .Values.image.release }}
- image: '{{ .Values.image.crdRepository }}'
- {{- else }}
- image: '{{ .Values.image.crdRepository }}:{{ .Values.image.release }}'
- {{- end }}
- {{- end }}
- imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args:
- apply
- -f
@@ -123,11 +111,9 @@
{{- end }}
{{- toYaml .Values.crds.securityContext | nindent 10 }}
{{- with .Values.crds }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
affinity:
{{- toYaml .affinity | nindent 8 }}
- tolerations:
- {{- toYaml .tolerations | nindent 8 }}
- nodeSelector:
- {{- toYaml .nodeSelector | nindent 8 }}
{{- end }}
{{- end }}
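Review bot: `crds.nodeSelector` and `crds.tolerations` (documented with defaults in the README table above) are no longer rendered inside `{{- with .Values.crds }}`; only the hard-coded linux selector and toleration remain. Same fix as the other hooks: keep the helper output and append the user values under an `{{- if .nodeSelector }}` / `{{- if .tolerations }}` guard.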

@ -1,32 +0,0 @@
--- charts-original/templates/webhook-configs-pre-delete.yaml
+++ charts/templates/webhook-configs-pre-delete.yaml
@@ -38,7 +38,7 @@
{{- end }}
containers:
- name: kubectl-delete
- image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
+ image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}'
imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }}
args:
- delete
@@ -57,12 +57,16 @@
{{- end }}
{{- toYaml .Values.preUninstall.securityContext | nindent 12 }}
{{- with .Values.preUninstall }}
- nodeSelector:
- {{- toYaml .nodeSelector | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .nodeSelector }}
+{{ toYaml .nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .tolerations }}
+{{ toYaml .tolerations | indent 8 }}
+{{- end }}
affinity:
{{- toYaml .affinity | nindent 8 }}
- tolerations:
- {{- toYaml .tolerations | nindent 8 }}
{{- end }}
---
apiVersion: v1
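Review bot: this is the only hook in the patch set that keeps the user's `.nodeSelector`/`.tolerations` alongside the linux helper output (`{{- if .nodeSelector }}` / `{{ toYaml .nodeSelector | indent 8 }}`), and it is the pattern the post-install, post-upgrade, probe and upgrade-crds hooks should copy. One nit for the README: a user toleration on the same `cattle.io/os` key and effect is appended, not merged, so the list will carry both entries.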

@ -1,103 +0,0 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -39,10 +39,13 @@
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
-image:
- repository: openpolicyagent/gatekeeper
- crdRepository: openpolicyagent/gatekeeper-crds
- release: v3.13.0
+images:
+ gatekeeper:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.13.0
+ gatekeepercrd:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
preInstall:
@@ -54,8 +57,8 @@
labelNamespace:
enabled: false
image:
- repository: openpolicyagent/gatekeeper-crds
- tag: v3.13.0
+ repository: rancher/kubectl
+ tag: v1.20.2
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
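Review bot: `preInstall.labelNamespace.image` moves from the gatekeeper-crds image to `rancher/kubectl` pinned at `v1.20.2`, the same tag used for `global.kubectl` below and in the CRD chart's values; with `catalog.cattle.io/kube-version: '>= 1.20.0-0'` having no upper bound, this kubectl will run against v1.25+ API servers, well outside the one-minor-version kubectl skew policy. Pin a kubectl that tracks the cluster versions the chart actually supports.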
@@ -85,7 +88,7 @@
enabled: true
extraRules: []
image:
- repository: openpolicyagent/gatekeeper-crds
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
@@ -101,7 +104,7 @@
probeWebhook:
enabled: true
image:
- repository: curlimages/curl
+ repository: rancher/mirrored-curlimages-curl
tag: 7.83.1
pullPolicy: IfNotPresent
pullSecrets: []
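Review bot: the probe image is re-pointed at the `rancher/mirrored-curlimages-curl` mirror but stays on tag `7.83.1` (a May 2022 curl release); the container only runs `curl` against the webhook once at install time, so exposure is small, but it is a pinned third-party binary that will show up on every image scan, so bump it to a current mirrored tag while the mirror is being changed anyway.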
@@ -126,14 +129,14 @@
extraRules: []
enabled: false
image:
- repository: openpolicyagent/gatekeeper-crds
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.13.0
pullPolicy: IfNotPresent
pullSecrets: []
priorityClassName: ""
affinity: {}
tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: {}
resources: {}
securityContext:
allowPrivilegeEscalation: false
@@ -179,7 +182,7 @@
weight: 100
topologySpreadConstraints: []
tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: {}
resources:
limits:
memory: 512Mi
@@ -218,7 +221,7 @@
disableCertRotation: true
affinity: {}
tolerations: []
- nodeSelector: {kubernetes.io/os: linux}
+ nodeSelector: {}
resources:
limits:
memory: 512Mi
@@ -257,10 +260,16 @@
pdb:
controllerManager:
minAvailable: 1
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
service: {}
disabledBuiltins: ["{http.send}"]
-psp:
- enabled: true
upgradeCRDs:
enabled: true
extraRules: []
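Review bot: `global.kubectl` (`rancher/kubectl:v1.20.2`) is introduced here but no template on this page references `.Values.global.kubectl`; either wire the hooks to it or drop it. Replacing the upstream `psp.enabled: true` with `global.cattle.psp.enabled: false` is the right default for v1.25+ and matches the README. The untouched `disabledBuiltins: ["{http.send}"]` context line should stay exactly as-is: it is what stops a ConstraintTemplate's Rego from making outbound HTTP calls from the controller.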

@ -1,8 +0,0 @@
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.13.0.tgz
version: 104.0.0
additionalCharts:
- workingDir: charts-crd
crdOptions:
templateDirectory: crd-template
crdDirectory: crd-manifest
addCRDValidationToMainChart: true

@ -1,10 +0,0 @@
apiVersion: v1
version: 3.6.0
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application
annotations:
catalog.cattle.io/hidden: "true"
catalog.cattle.io/release-name: rancher-gatekeeper-crd
catalog.cattle.io/certified: rancher
catalog.cattle.io/namespace: cattle-gatekeeper-system

@ -1,2 +0,0 @@
# rancher-gatekeeper-crd
A Rancher chart that installs the CRDs used by rancher-gatekeeper.

@ -1,22 +0,0 @@
# Rancher
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}

@ -1,126 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-create
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": post-install, post-upgrade, post-rollback
"helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-create
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: create-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.securityContext | nindent 12 }}
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-delete
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-delete
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
initContainers:
- name: remove-finalizers
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.securityContext | nindent 12 }}
containers:
- name: delete-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- delete
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.securityContext | nindent 12 }}
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest
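Review bot: the init container named `remove-finalizers` in the delete job runs `kubectl apply -f /etc/config/crd-manifest.yaml`, which re-applies the CRDs and removes no finalizers; rename it or make it do what the name says. More importantly, the `delete-crds` container deletes the Gatekeeper CRDs themselves, and CRD deletion cascades to every `ConstraintTemplate`, `Constraint` and `Config` object in the cluster, so `helm uninstall` of this CRD chart silently wipes all admission policy; that deserves a prominent warning in the chart README, and with `restartPolicy: OnFailure` a partially failed delete keeps retrying.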

@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Chart.Name }}-manifest
namespace: {{ .Release.Namespace }}
data:
crd-manifest.yaml: |
{{- $currentScope := . -}}
{{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}}
{{- range $path, $_ := $crds -}}
{{- with $currentScope -}}
{{ .Files.Get $path | nindent 4 }}
---
{{- end -}}{{- end -}}
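Review bot: every CRD under `crd-manifest/` is concatenated into a single ConfigMap value, and Kubernetes caps a ConfigMap at 1 MiB; the Gatekeeper CRDs fit today, but a future upstream bump will fail at `helm install` with an opaque size error. A comment noting the limit, or a packaging-time check that fails when the generated manifest exceeds it, would save the next person a debugging session.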

@ -1,76 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs: ['create', 'get', 'patch', 'delete']
{{- if .Values.global.cattle.psp.enabled }}
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ .Chart.Name }}-manager
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Chart.Name }}-manager
subjects:
- kind: ServiceAccount
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
---
{{- if .Values.global.cattle.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'configMap'
- 'secret'
{{- end }}
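Review bot: the `{{ .Chart.Name }}-manager` ClusterRole grants `get`, `patch` and `delete` on every `customresourcedefinitions` object in the cluster; `create` cannot be name-scoped in RBAC, but the other three can, so add `resourceNames` listing the Gatekeeper CRDs (e.g. `constrainttemplates.templates.gatekeeper.sh`, `configs.config.gatekeeper.sh`, and the rest of the bundled manifest) so a compromised hook pod cannot delete unrelated CRDs. Minor: `metadata.namespace` on the PodSecurityPolicy is meaningless, since PSPs are cluster-scoped and the API server discards it.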

@ -1,7 +0,0 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
#{{- if .Values.global.cattle.psp.enabled }}
#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
#{{- end }}
#{{- end }}
#{{- end }}

@ -1,21 +0,0 @@
# Default values for rancher-gatekeeper-crd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
cattle:
systemDefaultRegistry: ""
psp:
enabled: false
image:
repository: rancher/kubectl
tag: v1.20.2
enableRuntimeDefaultSeccompProfile: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL