andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2041 from mitulshah-suse/gatekeeper-update-3.9.0 

Gatekeeper update 3.9.0
pull/2098/head
mitulshah-suse 2022-09-21 10:43:10 +05:30 committed by GitHub
parent 597e6de44a d276717738
commit fe3178a9c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
61 changed files with 4463 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-101.0.0+up3.9.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-gatekeeper/rancher-gatekeeper-101.0.0+up3.9.0.tgz Normal file
View File

Binary file not shown.

10
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/release-name: rancher-gatekeeper-crd
apiVersion: v1
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application
version: 101.0.0+up3.9.0

2
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/README.md Normal file
View File

@ -0,0 +1,2 @@
# rancher-gatekeeper-crd
A Rancher chart that installs the CRDs used by rancher-gatekeeper.

498
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assign-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,498 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: assign.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: Assign
listKind: AssignList
plural: assign
singular: assign
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Assign is the Schema for the assign API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
properties:
name:
maxLength: 63
type: string
type: object
spec:
description: AssignSpec defines the desired state of Assign.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
pathTests:
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
type: object
type: object
status:
description: AssignStatus defines the observed state of Assign.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: Assign is the Schema for the assign API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignSpec defines the desired state of Assign.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
pathTests:
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
type: object
type: object
status:
description: AssignStatus defines the observed state of Assign.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}

430
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/assignmetadata-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,430 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: assignmetadata.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: AssignMetadata
listKind: AssignMetadataList
plural: assignmetadata
singular: assignmetadata
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: AssignMetadata is the Schema for the assignmetadata API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
properties:
name:
maxLength: 63
type: string
type: object
spec:
description: AssignMetadataSpec defines the desired state of AssignMetadata.
properties:
location:
type: string
match:
description: Match selects objects to apply mutations to.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
type: object
parameters:
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
status:
description: AssignMetadataStatus defines the observed state of AssignMetadata.
properties:
byPod:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: AssignMetadata is the Schema for the assignmetadata API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignMetadataSpec defines the desired state of AssignMetadata.
properties:
location:
type: string
match:
description: Match selects objects to apply mutations to.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
type: object
parameters:
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
status:
description: AssignMetadataStatus defines the observed state of AssignMetadata.
properties:
byPod:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}

105
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/config-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,105 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: configs.config.gatekeeper.sh
spec:
group: config.gatekeeper.sh
names:
kind: Config
listKind: ConfigList
plural: configs
singular: config
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Config is the Schema for the configs API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConfigSpec defines the desired state of Config.
properties:
match:
description: Configuration for namespace exclusion
items:
properties:
excludedNamespaces:
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
processes:
items:
type: string
type: array
type: object
type: array
readiness:
description: Configuration for readiness tracker
properties:
statsEnabled:
type: boolean
type: object
sync:
description: Configuration for syncing k8s objects
properties:
syncOnly:
description: If non-empty, only entries on this list will be replicated into OPA
items:
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
type: array
type: object
validation:
description: Configuration for validation
properties:
traces:
description: List of requests to trace. Both "user" and "kinds" must be specified
items:
properties:
dump:
description: Also dump the state of OPA with the trace. Set to `All` to dump everything.
type: string
kind:
description: Only trace requests of the following GroupVersionKind
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
user:
description: Only trace requests from the specified user
type: string
type: object
type: array
type: object
type: object
status:
description: ConfigStatus defines the observed state of Config.
type: object
type: object
served: true
storage: true

67
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,67 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: constraintpodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ConstraintPodStatus
listKind: ConstraintPodStatusList
plural: constraintpodstatuses
singular: constraintpodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintPodStatus is the Schema for the constraintpodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus.
properties:
constraintUID:
description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
enforced:
type: boolean
errors:
items:
description: Error represents a single error caught while adding a constraint to OPA.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: object
served: true
storage: true

303
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,303 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: constrainttemplates.templates.gatekeeper.sh
spec:
group: templates.gatekeeper.sh
names:
kind: ConstraintTemplate
listKind: ConstraintTemplateList
plural: constrainttemplates
singular: constrainttemplate
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
default:
legacySchema: false
properties:
legacySchema:
default: false
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1alpha1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
default:
legacySchema: true
properties:
legacySchema:
default: true
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
default:
legacySchema: true
properties:
legacySchema:
default: true
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: false
subresources:
status: {}

66
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,66 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: constrainttemplatepodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ConstraintTemplatePodStatus
listKind: ConstraintTemplatePodStatusList
plural: constrainttemplatepodstatuses
singular: constrainttemplatepodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus.
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: object
served: true
storage: true

450
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/modifyset-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,450 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: modifyset.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: ModifySet
listKind: ModifySetList
plural: modifyset
singular: modifyset
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
properties:
name:
maxLength: 63
type: string
type: object
spec:
description: ModifySetSpec defines the desired state of ModifySet.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
operation:
default: merge
description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
enum:
- merge
- prune
type: string
pathTests:
description: PathTests are a series of existence tests that can be checked before a mutation is applied
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
values:
description: Values describes the values provided to the operation as `values.fromList`.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
status:
description: ModifySetStatus defines the observed state of ModifySet.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ModifySetSpec defines the desired state of ModifySet.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
operation:
default: merge
description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
enum:
- merge
- prune
type: string
pathTests:
description: PathTests are a series of existence tests that can be checked before a mutation is applied
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
values:
description: Values describes the values provided to the operation as `values.fromList`.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
status:
description: ModifySetStatus defines the observed state of ModifySet.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

65
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,65 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: mutatorpodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: MutatorPodStatus
listKind: MutatorPodStatusList
plural: mutatorpodstatuses
singular: mutatorpodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: MutatorPodStatus is the Schema for the mutationpodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: object
served: true
storage: true

50
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/crd-manifest/provider-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,50 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
labels:
gatekeeper.sh/system: "yes"
name: providers.externaldata.gatekeeper.sh
spec:
group: externaldata.gatekeeper.sh
names:
kind: Provider
listKind: ProviderList
plural: providers
singular: provider
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Provider is the Schema for the Provider API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the Provider specifications.
properties:
caBundle:
description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate.
type: string
insecureTLSSkipVerify:
description: InsecureTLSSkipVerify skips the verification of Provider's certificate if enabled.
type: boolean
timeout:
description: Timeout is the timeout when querying the provider.
type: integer
url:
description: URL is the url for the provider. URL is prefixed with http:// or https://.
type: string
type: object
type: object
served: true
storage: true

22
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,22 @@
# Rancher
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}

108
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/jobs.yaml Normal file
View File

@ -0,0 +1,108 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-create
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": post-install, post-upgrade, post-rollback
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-create
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: create-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-delete
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-delete
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
initContainers:
- name: remove-finalizers
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
containers:
- name: delete-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- delete
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest

14
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/manifest.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Chart.Name }}-manifest
namespace: {{ .Release.Namespace }}
data:
crd-manifest.yaml: |
{{- $currentScope := . -}}
{{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}}
{{- range $path, $_ := $crds -}}
{{- with $currentScope -}}
{{ .Files.Get $path | nindent 4 }}
---
{{- end -}}{{- end -}}

72
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/templates/rbac.yaml Normal file
View File

@ -0,0 +1,72 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs: ['create', 'get', 'patch', 'delete']
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ .Chart.Name }}-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Chart.Name }}-manager
subjects:
- kind: ServiceAccount
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'configMap'
- 'secret'

11
charts/rancher-gatekeeper-crd/101.0.0+up3.9.0/values.yaml Normal file
View File

@ -0,0 +1,11 @@
# Default values for rancher-gatekeeper-crd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
cattle:
systemDefaultRegistry: ""
image:
repository: rancher/kubectl
tag: v1.20.2

21
charts/rancher-gatekeeper/101.0.0+up3.9.0/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

15
charts/rancher-gatekeeper/101.0.0+up3.9.0/CHANGELOG.md Normal file
View File

@ -0,0 +1,15 @@
# Changelog
All notable changes from the upstream OPA Gatekeeper chart will be added to this file
## [Package Version 00] - 2020-09-10
### Added
- Enabled the CRD chart generator in `package.yaml`
### Modified
- Updated namespace to `cattle-gatekeeper-system`
- Updated for Helm 3 compatibility
- Moved crds to `crds` directory
- Removed `crd-install` hooks and templates from crds
### Removed
- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation

26
charts/rancher-gatekeeper/101.0.0+up3.9.0/Chart.yaml Normal file
View File

@ -0,0 +1,26 @@
annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: OPA Gatekeeper
catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-gatekeeper
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.9.0
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
keywords:
- open policy agent
- security
name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 101.0.0+up3.9.0

167
charts/rancher-gatekeeper/101.0.0+up3.9.0/README.md Normal file
View File

@ -0,0 +1,167 @@
# Gatekeeper Helm Chart
## Get Repo Info
```console
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
```console
# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
_See [parameters](#parameters) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Upgrade Chart
**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices.
Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
```console
$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
```console
$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
```
**Upgrading from >= v3.4.0**
```console
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
```
_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._
## Exempting Namespace
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook.
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._
## Parameters
| Parameter | Description | Default |
| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` |
| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` |
| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` |
| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` |
| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` |
| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` |
| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` |
| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` |
| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.9.0` |
| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]`
| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.9.0` |
| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| disableMutation | Disable mutation | `false` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
| enableExternalData | Enable external data (alpha feature) | `false` |
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.9.0` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| affinity | The node affinity to use for pod scheduling | `{}` |
| tolerations | The tolerations to use for pod scheduling | `[]` |
| controllerManager.healthPort | Health port for controller manager | `9090` |
| controllerManager.port | Webhook-server port for controller manager | `8443` |
| controllerManager.metricsPort | Metrics port for controller manager | `8888` |
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} |
| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` |
| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` |
| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` |
| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` |
| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| audit.healthPort | Health port for audit | `9090` |
| audit.metricsPort | Metrics port for audit | `8888` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
| podCountLimit | The maximum number of Gatekeeper pods to run | `100` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |
| service.type | Service type | `ClusterIP` |
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
| rbac.create | Enable the creation of RBAC resources | `true` |
## Contributing Changes
Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart.

14
charts/rancher-gatekeeper/101.0.0+up3.9.0/app-readme.md Normal file
View File

@ -0,0 +1,14 @@
# Rancher OPA Gatekeeper
This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart.
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/).
The chart installs the following components:
- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster.
- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations.
- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources.
- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to).
For more information on how to configure the Helm chart, refer to the Helm README.

105
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,105 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "gatekeeper.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "gatekeeper.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gatekeeper.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Adds additional pod labels to the common ones
*/}}
{{- define "gatekeeper.podLabels" -}}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}
{{/*
Output post install webhook probe container entry
*/}}
{{- define "gatekeeper.postInstallWebhookProbeContainer" -}}
- name: webhook-probe-post
image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
args:
- "--retry"
- "99999"
- "--retry-max-time"
- "{{ .Values.postInstall.probeWebhook.waitTimeout }}"
- "--retry-delay"
- "1"
- "--max-time"
- "{{ .Values.postInstall.probeWebhook.httpTimeout }}"
{{- if .Values.postInstall.probeWebhook.insecureHTTPS }}
- "--insecure"
{{- else }}
- "--cacert"
- /certs/ca.crt
{{- end }}
- "-v"
- "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
securityContext:
{{- toYaml .Values.postInstall.securityContext | nindent 4 }}
volumeMounts:
- mountPath: /certs
name: cert
readOnly: true
{{- end -}}
{{/*
Output post install webhook probe volume entry
*/}}
{{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
- name: cert
secret:
secretName: gatekeeper-webhook-server-cert
{{- end -}}

35
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/allowedrepos.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
spec:
crd:
spec:
names:
kind: K8sAllowedRepos
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
repos:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sallowedrepos
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
violation[{"msg": msg}] {
container := input.review.object.spec.initContainers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}

38
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-podsecuritypolicy.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- projected
- secret
- downwardAPI
- emptyDir
{{- end }}

11
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-admin-serviceaccount.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
namespace: '{{ .Release.Namespace }}'

146
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-audit-deployment.yaml Normal file
View File

@ -0,0 +1,146 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-audit
namespace: '{{ .Release.Namespace }}'
spec:
replicas: 1
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
{{- end }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
spec:
affinity:
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
args:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ .Values.logLevel }}
- --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
- --audit-from-cache={{ .Values.auditFromCache }}
- --audit-chunk-size={{ .Values.auditChunkSize }}
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
- --emit-audit-events={{ .Values.emitAuditEvents }}
- --operation=audit
- --operation=status
{{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}
- --logtostderr
- --health-addr=:{{ .Values.audit.healthPort }}
- --prometheus-port={{ .Values.audit.metricsPort }}
- --enable-external-data={{ .Values.enableExternalData }}
{{- range .Values.metricsBackends}}
- --metrics-backend={{ . }}
{{- end }}
- --disable-cert-rotation={{ .Values.audit.disableCertRotation }}
command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.audit.healthPort }}
name: manager
ports:
- containerPort: {{ .Values.audit.metricsPort }}
name: metrics
protocol: TCP
- containerPort: {{ .Values.audit.healthPort }}
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: {{ .Values.audit.healthPort }}
resources:
{{- toYaml .Values.audit.resources | nindent 10 }}
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.audit.securityContext | nindent 10}}
volumeMounts:
- mountPath: /certs
name: cert
readOnly: true
- mountPath: /tmp/audit
name: tmp-volume
dnsPolicy: {{ .Values.audit.dnsPolicy }}
hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets:
{{- toYaml .Values.images.pullSecrets | nindent 8 }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.audit.nodeSelector }}
{{ toYaml .Values.audit.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}
securityContext:
{{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.audit.tolerations }}
{{ toYaml .Values.audit.tolerations | indent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: gatekeeper-webhook-server-cert
{{- if .Values.audit.writeToRAMDisk }}
- emptyDir:
medium: Memory
{{ else }}
- emptyDir: {}
{{- end }}
name: tmp-volume

152
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-deployment.yaml Normal file
View File

@ -0,0 +1,152 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
replicas: {{ .Values.replicas }}
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
{{- end }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
spec:
affinity:
{{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args:
- --port={{ .Values.controllerManager.port }}
- --health-addr=:{{ .Values.controllerManager.healthPort }}
- --prometheus-port={{ .Values.controllerManager.metricsPort }}
- --logtostderr
- --log-denies={{ .Values.logDenies }}
- --emit-admission-events={{ .Values.emitAdmissionEvents }}
- --log-level={{ .Values.logLevel }}
- --exempt-namespace={{ .Release.Namespace }}
- --operation=webhook
- --enable-external-data={{ .Values.enableExternalData }}
- --log-mutations={{ .Values.logMutations }}
- --mutation-annotations={{ .Values.mutationAnnotations }}
- --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}
{{- range .Values.metricsBackends}}
- --metrics-backend={{ . }}
{{- end }}
{{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }}
{{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }}
{{- range .Values.disabledBuiltins}}
- --disable-opa-builtin={{ . }}
{{- end }}
{{- range .Values.controllerManager.exemptNamespaces}}
- --exempt-namespace={{ . }}
{{- end }}
{{- range .Values.controllerManager.exemptNamespacePrefixes}}
- --exempt-namespace-prefix={{ . }}
{{- end }}
command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.controllerManager.healthPort }}
name: manager
ports:
- containerPort: {{ .Values.controllerManager.port }}
name: webhook-server
protocol: TCP
- containerPort: {{ .Values.controllerManager.metricsPort }}
name: metrics
protocol: TCP
- containerPort: {{ .Values.controllerManager.healthPort }}
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: {{ .Values.controllerManager.healthPort }}
resources:
{{- toYaml .Values.controllerManager.resources | nindent 10 }}
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.controllerManager.securityContext | nindent 10}}
volumeMounts:
- mountPath: /certs
name: cert
readOnly: true
dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets:
{{- toYaml .Values.images.pullSecrets | nindent 8 }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.controllerManager.nodeSelector }}
{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.controllerManager.priorityClassName }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }}
securityContext:
{{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.controllerManager.tolerations }}
{{ toYaml .Values.controllerManager.tolerations | indent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: gatekeeper-webhook-server-cert

26
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
apiVersion: policy/v1
{{ else }}
apiVersion: policy/v1beta1
{{ end -}}
kind: PodDisruptionBudget
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-controller-manager
namespace: '{{ .Release.Namespace }}'
spec:
minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'

23
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-critical-pods-resourcequota.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.resourceQuota }}
apiVersion: v1
kind: ResourceQuota
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-critical-pods
namespace: '{{ .Release.Namespace }}'
spec:
hard:
pods: {{ .Values.podCountLimit }}
scopeSelector:
matchExpressions:
- operator: In
scopeName: PriorityClass
values:
- {{ .Values.controllerManager.priorityClassName }}
- {{ .Values.audit.priorityClassName }}
{{- end }}

165
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-clusterrole.yaml Normal file
View File

@ -0,0 +1,165 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resourceNames:
- gatekeeper-mutating-webhook-configuration
resources:
- mutatingwebhookconfigurations
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- config.gatekeeper.sh
resources:
- configs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- config.gatekeeper.sh
resources:
- configs/status
verbs:
- get
- patch
- update
- apiGroups:
- constraints.gatekeeper.sh
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- externaldata.gatekeeper.sh
resources:
- providers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mutations.gatekeeper.sh
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- policy
resourceNames:
- gatekeeper-admin
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- status.gatekeeper.sh
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates/finalizers
verbs:
- delete
- get
- patch
- update
- apiGroups:
- templates.gatekeeper.sh
resources:
- constrainttemplates/status
verbs:
- get
- patch
- update
- apiGroups:
- admissionregistration.k8s.io
resourceNames:
- gatekeeper-validating-webhook-configuration
resources:
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}

37
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-role-role.yaml Normal file
View File

@ -0,0 +1,37 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-role
namespace: '{{ .Release.Namespace }}'
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- with .Values.controllerManager.extraRules }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- end }}

20
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gatekeeper-manager-role
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
namespace: '{{ .Release.Namespace }}'
{{- end }}

21
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-manager-rolebinding
namespace: '{{ .Release.Namespace }}'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gatekeeper-manager-role
subjects:
- kind: ServiceAccount
name: gatekeeper-admin
namespace: '{{ .Release.Namespace }}'
{{- end }}

55
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml Normal file
View File

@ -0,0 +1,55 @@
{{- if not .Values.disableMutation }}
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/mutate
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
matchPolicy: Exact
name: mutation.gatekeeper.sh
namespaceSelector:
matchExpressions:
- key: admission.gatekeeper.sh/ignore
operator: DoesNotExist
{{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}}
- key: {{ $key }}
operator: NotIn
values:
{{- range $value }}
- {{ . }}
{{- end }}
{{- end }}
objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}
reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }}
rules:
{{- if .Values.mutatingWebhookCustomRules }}
{{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }}
{{- else }}
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- '*'
{{- end }}
sideEffects: None
timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}
{{- end }}

98
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml Normal file
View File

@ -0,0 +1,98 @@
{{- if not .Values.disableValidatingWebhook }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/admit
failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
matchPolicy: Exact
name: validation.gatekeeper.sh
namespaceSelector:
matchExpressions:
- key: admission.gatekeeper.sh/ignore
operator: DoesNotExist
{{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}}
- key: {{ $key }}
operator: NotIn
values:
{{- range $value }}
- {{ . }}
{{- end }}
{{- end }}
objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }}
rules:
{{- if .Values.validatingWebhookCustomRules }}
{{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }}
{{- else }}
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
{{- if .Values.enableDeleteOperations }}
- DELETE
{{- end }}
resources:
- '*'
# Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper).
# You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("'
- 'pods/ephemeralcontainers'
- 'pods/exec'
- 'pods/log'
- 'pods/eviction'
- 'pods/portforward'
- 'pods/proxy'
- 'pods/attach'
- 'pods/binding'
- 'deployments/scale'
- 'replicasets/scale'
- 'statefulsets/scale'
- 'replicationcontrollers/scale'
- 'services/proxy'
- 'nodes/proxy'
# For constraints that mitigate CVE-2020-8554
- 'services/status'
{{- end }}
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
path: /v1/admitlabel
failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}
matchPolicy: Exact
name: check-ignore-label.gatekeeper.sh
rules:
- apiGroups:
- ""
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- namespaces
sideEffects: None
timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
{{- end }}

12
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-server-cert-secret.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }}
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-server-cert
namespace: '{{ .Release.Namespace }}'

38
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/gatekeeper-webhook-service-service.yaml Normal file
View File

@ -0,0 +1,38 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-webhook-service
namespace: '{{ .Release.Namespace }}'
spec:
ports:
- name: https-webhook-server
port: 443
targetPort: webhook-server
{{- if .Values.service }}
{{- if .Values.service.healthzPort }}
- name: http-webhook-healthz
port: {{ .Values.service.healthzPort }}
targetPort: healthz
{{- end }}
{{- end }}
{{- if .Values.service }}
type: {{ .Values.service.type | default "ClusterIP" }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- end }}
selector:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: controller-manager
gatekeeper.sh/operation: webhook
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'

119
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-install.yaml Normal file
View File

@ -0,0 +1,119 @@
{{- if .Values.postInstall.labelNamespace.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-update-namespace-label
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
spec:
restartPolicy: OnFailure
{{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
imagePullSecrets:
{{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.postInstall.probeWebhook.enabled }}
volumes:
{{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
initContainers:
{{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
{{- end }}
containers:
- name: kubectl-label
image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
args:
- label
- ns
- {{ .Release.Namespace }}
{{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
- admission.gatekeeper.sh/ignore=no-self-managing
- --overwrite
securityContext:
{{- toYaml .Values.postInstall.securityContext | nindent 12 }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- update
- patch
resourceNames:
- {{ .Release.Namespace }}
{{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
{{- with .Values.postInstall.labelNamespace.extraRules }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gatekeeper-update-namespace-label
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gatekeeper-update-namespace-label
subjects:
- kind: ServiceAccount
name: gatekeeper-update-namespace-label
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}

108
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/namespace-post-upgrade.yaml Normal file
View File

@ -0,0 +1,108 @@
{{- if .Values.postUpgrade.labelNamespace.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-update-namespace-label-post-upgrade
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
spec:
restartPolicy: OnFailure
{{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }}
imagePullSecrets:
{{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label-post-upgrade
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
containers:
- name: kubectl-label
image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
args:
- label
- ns
- {{ .Release.Namespace }}
{{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
- admission.gatekeeper.sh/ignore=no-self-managing
- --overwrite
securityContext:
{{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gatekeeper-update-namespace-label-post-upgrade
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gatekeeper-update-namespace-label-post-upgrade
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- update
- patch
resourceNames:
- {{ .Release.Namespace }}
{{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
- {{ . }}
{{- end }}
{{- end }}
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: gatekeeper-update-namespace-label-post-upgrade
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: gatekeeper-update-namespace-label-post-upgrade
subjects:
- kind: ServiceAccount
name: gatekeeper-update-namespace-label-post-upgrade
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}

38
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/probe-webhook-post-install.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if not .Values.disableValidatingWebhook }}
{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-probe-webhook-post-install
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
annotations:
"helm.sh/hook": post-install
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
spec:
restartPolicy: Never
{{- if .Values.postInstall.probeWebhook.image.pullSecrets }}
imagePullSecrets:
{{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
volumes:
{{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
containers:
{{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
{{- end }}
{{- end }}

57
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/requiredlabels.yaml Normal file
View File

@ -0,0 +1,57 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
message:
type: string
labels:
type: array
items:
type: object
properties:
key:
type: string
allowedRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
get_message(parameters, _default) = msg {
not parameters.message
msg := _default
}
get_message(parameters, _default) = msg {
msg := parameters.message
}
violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.parameters.labels[_].key}
missing := required - provided
count(missing) > 0
def_msg := sprintf("you must provide labels: %v", [missing])
msg := get_message(input.parameters, def_msg)
}
violation[{"msg": msg}] {
value := input.review.object.metadata.labels[key]
expected := input.parameters.labels[_]
expected.key == key
# do not match if allowedRegex is not defined, or is an empty string
expected.allowedRegex != ""
not re_match(expected.allowedRegex, value)
def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
msg := get_message(input.parameters, def_msg)
}

103
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/upgrade-crds-hook.yaml Normal file
View File

@ -0,0 +1,103 @@
{{- if .Values.upgradeCRDs.enabled }}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gatekeeper-admin-upgrade-crds
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "create", "update", "patch"]
{{- with .Values.upgradeCRDs.extraRules }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gatekeeper-admin-upgrade-crds
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
subjects:
- kind: ServiceAccount
name: gatekeeper-admin-upgrade-crds
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: gatekeeper-admin-upgrade-crds
apiGroup: rbac.authorization.k8s.io
{{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: gatekeeper-admin-upgrade-crds
namespace: '{{ .Release.Namespace }}'
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
helm.sh/hook-weight: "1"
---
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-update-crds-hook
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "gatekeeper.name" . }}
chart: {{ template "gatekeeper.name" . }}
gatekeeper.sh/system: "yes"
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
spec:
backoffLimit: 0
template:
metadata:
name: gatekeeper-update-crds-hook
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
spec:
serviceAccountName: gatekeeper-admin-upgrade-crds
restartPolicy: Never
{{- if .Values.images.pullSecrets }}
imagePullSecrets:
{{- toYaml .Values.images.pullSecrets | nindent 8 }}
{{- end }}
containers:
- name: crds-upgrade
image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}'
imagePullPolicy: '{{ .Values.images.pullPolicy }}'
args:
- apply
- -f
- crds/
resources:
{{- toYaml .Values.crds.resources | nindent 10 }}
securityContext:
{{- toYaml .Values.crds.securityContext | nindent 10 }}
affinity:
{{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- end }}

22
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,22 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "mutations.gatekeeper.sh/v1alpha1/Assign" false -}}
# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignMetadata" false -}}
# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}}
# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}}
# {{- set $found "mutations.gatekeeper.sh/v1alpha1/ModifySet" false -}}
# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}}
# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

119
charts/rancher-gatekeeper/101.0.0+up3.9.0/templates/webhook-configs-pre-delete.yaml Normal file
View File

@ -0,0 +1,119 @@
{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: gatekeeper-delete-webhook-configs
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
template:
metadata:
annotations:
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
labels:
app: '{{ template "gatekeeper.name" . }}'
release: '{{ .Release.Name }}'
spec:
restartPolicy: OnFailure
{{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }}
imagePullSecrets:
{{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-delete-webhook-configs
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
containers:
- name: kubectl-delete
image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}'
imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }}
args:
- delete
{{- if not .Values.disableValidatingWebhook }}
- validatingwebhookconfiguration/gatekeeper-validating-webhook-configuration
{{- end }}
{{- if not .Values.disableMutation }}
- mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
{{- end }}
securityContext:
{{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gatekeeper-delete-webhook-configs
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gatekeeper-delete-webhook-configs
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
rules:
{{- if not .Values.disableValidatingWebhook }}
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
resourceNames:
- gatekeeper-validating-webhook-configuration
verbs:
- delete
{{- end }}
{{- if not .Values.disableMutation }}
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
resourceNames:
- gatekeeper-mutating-webhook-configuration
verbs:
- delete
{{- end }}
{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
---
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gatekeeper-delete-webhook-configs
labels:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gatekeeper-delete-webhook-configs
subjects:
- kind: ServiceAccount
name: gatekeeper-delete-webhook-configs
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}

217
charts/rancher-gatekeeper/101.0.0+up3.9.0/values.yaml Normal file
View File

@ -0,0 +1,217 @@
replicas: 3
auditInterval: 60
metricsBackends: ["prometheus"]
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
disableMutation: false
disableValidatingWebhook: false
validatingWebhookTimeoutSeconds: 3
validatingWebhookFailurePolicy: Ignore
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
enableDeleteOperations: false
enableExternalData: false
enableTLSHealthcheck: false
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutationAnnotations: false
auditChunkSize: 500
logLevel: INFO
logDenies: false
logMutations: false
emitAdmissionEvents: false
emitAuditEvents: false
resourceQuota: true
postUpgrade:
labelNamespace:
enabled: false
image:
repository: rancher/kubectl
tag: v1.20.2
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
postInstall:
labelNamespace:
extraRules: []
enabled: true
image:
repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.9.0
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
probeWebhook:
enabled: true
image:
repository: rancher/mirrored-curlimages-curl
tag: 7.83.1
pullPolicy: IfNotPresent
pullSecrets: []
waitTimeout: 60
httpTimeout: 2
insecureHTTPS: false
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
preUninstall:
deleteWebhookConfigurations:
extraRules: []
enabled: false
image:
repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.9.0
pullPolicy: IfNotPresent
pullSecrets: []
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
images:
gatekeeper:
repository: rancher/mirrored-openpolicyagent-gatekeeper
tag: v3.9.0
gatekeepercrd:
repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.9.0
pullPolicy: IfNotPresent
pullSecrets: []
podAnnotations: {}
podLabels: {}
podCountLimit: 100
secretAnnotations: {}
enableRuntimeDefaultSeccompProfile: true
controllerManager:
exemptNamespaces: []
exemptNamespacePrefixes: []
hostNetwork: false
dnsPolicy: ClusterFirst
port: 8443
metricsPort: 8888
healthPort: 9090
priorityClassName: system-cluster-critical
disableCertRotation: false
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: gatekeeper.sh/operation
operator: In
values:
- webhook
topologyKey: kubernetes.io/hostname
weight: 100
tolerations: []
nodeSelector: {}
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
podSecurityContext:
fsGroup: 999
supplementalGroups:
- 999
extraRules: []
audit:
hostNetwork: false
dnsPolicy: ClusterFirst
metricsPort: 8888
healthPort: 9090
priorityClassName: system-cluster-critical
disableCertRotation: true
affinity: {}
tolerations: []
nodeSelector: {}
writeToRAMDisk: false
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
podSecurityContext:
fsGroup: 999
supplementalGroups:
- 999
extraRules: []
crds:
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
pdb:
controllerManager:
minAvailable: 1
global:
cattle:
systemDefaultRegistry: ""
kubectl:
repository: rancher/kubectl
tag: v1.20.2
service: {}
disabledBuiltins: ["{http.send}"]
psp:
enabled: true
upgradeCRDs:
enabled: true
tolerations: []
extraRules: []
rbac:
create: true

44
index.yaml
View File

@ -3986,6 +3986,36 @@ entries:
- assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz
version: 0.1.400 version: 0.1.400
rancher-gatekeeper: rancher-gatekeeper:
- annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: OPA Gatekeeper
catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-gatekeeper
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.9.0
created: "2022-09-16T11:36:28.417222521+05:30"
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
digest: 01b3d1f7b3262ce690848497ddaa3897338d6b186a71cc48d03392972f526e7a
home: https://github.com/open-policy-agent/gatekeeper
icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
keywords:
- open policy agent
- security
name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
urls:
- assets/rancher-gatekeeper/rancher-gatekeeper-101.0.0+up3.9.0.tgz
version: 101.0.0+up3.9.0
- annotations: - annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher catalog.cattle.io/certified: rancher
@ -4239,6 +4269,20 @@ entries:
- assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz - assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz
version: 3.1.100 version: 3.1.100
rancher-gatekeeper-crd: rancher-gatekeeper-crd:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/release-name: rancher-gatekeeper-crd
apiVersion: v1
created: "2022-09-16T11:36:28.422458665+05:30"
description: Installs the CRDs for rancher-gatekeeper.
digest: 3bd634995c5885e7de59558c349bcbaa2e1a324ff0a2bce0a9ac548222623a1f
name: rancher-gatekeeper-crd
type: application
urls:
- assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-101.0.0+up3.9.0.tgz
version: 101.0.0+up3.9.0
- annotations: - annotations:
catalog.cattle.io/certified: rancher catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true" catalog.cattle.io/hidden: "true"

6
packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch
View File

@ -10,12 +10,12 @@
+ catalog.cattle.io/os: linux + catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
+ catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/type: cluster-tool + catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper + catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2 apiVersion: v2
appVersion: v3.8.1 appVersion: v3.9.0
-description: A Helm chart for Gatekeeper -description: A Helm chart for Gatekeeper
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments + policy-based control for cloud native environments
@ -28,4 +28,4 @@
+name: rancher-gatekeeper +name: rancher-gatekeeper
sources: sources:
- https://github.com/open-policy-agent/gatekeeper.git - https://github.com/open-policy-agent/gatekeeper.git
version: 3.8.1 version: 3.9.0

8
packages/rancher-gatekeeper/generated-changes/patch/README.md.patch
View File

@ -1,11 +1,11 @@
--- charts-original/README.md --- charts-original/README.md
+++ charts/README.md +++ charts/README.md
@@ -79,7 +79,7 @@ @@ -98,7 +98,7 @@
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | | upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
-| auditInterval | The frequency with which audit is run | `60` | -| auditInterval | The frequency with which audit is run | `60` |
+| auditInterval | The frequency with which audit is run | `300` | +| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | | auditFromCache | Take the roster of resources to audit from the OPA cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |

22
packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch
View File

@ -1,11 +1,9 @@
--- charts-original/templates/_helpers.tpl --- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl +++ charts/templates/_helpers.tpl
@@ -38,4 +38,27 @@ @@ -40,12 +40,35 @@
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }} {{- end }}
+{{- end -}} {{- end -}}
+
+{{- define "system_default_registry" -}} +{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
@ -27,5 +25,15 @@
+ +
+{{- define "linux-node-selector" -}} +{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux +kubernetes.io/os: linux
{{- end -}} +{{- end -}}
\ No newline at end of file +
{{/*
Output post install webhook probe container entry
*/}}
{{- define "gatekeeper.postInstallWebhookProbeContainer" -}}
- name: webhook-probe-post
- image: "{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
+ image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
args:
- "--retry"

18
packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch
View File

@ -1,6 +1,6 @@
--- charts-original/templates/gatekeeper-audit-deployment.yaml --- charts-original/templates/gatekeeper-audit-deployment.yaml
+++ charts/templates/gatekeeper-audit-deployment.yaml +++ charts/templates/gatekeeper-audit-deployment.yaml
@@ -40,11 +40,7 @@ @@ -42,11 +42,7 @@
{{- toYaml .Values.audit.affinity | nindent 8 }} {{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
@ -13,16 +13,16 @@
args: args:
- --audit-interval={{ .Values.auditInterval }} - --audit-interval={{ .Values.auditInterval }}
- --log-level={{ .Values.logLevel }} - --log-level={{ .Values.logLevel }}
@@ -72,7 +68,7 @@ @@ -86,7 +82,7 @@
valueFrom: fieldPath: metadata.namespace
fieldRef: - name: CONTAINER_NAME
fieldPath: metadata.name value: manager
- imagePullPolicy: '{{ .Values.image.pullPolicy }}' - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
@@ -99,16 +95,20 @@ @@ -120,9 +116,11 @@
dnsPolicy: {{ .Values.audit.dnsPolicy }} dnsPolicy: {{ .Values.audit.dnsPolicy }}
hostNetwork: {{ .Values.audit.hostNetwork }} hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets: imagePullSecrets:
@ -37,6 +37,8 @@
{{- if .Values.audit.priorityClassName }} {{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }} priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }} {{- end }}
@@ -130,8 +128,10 @@
{{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
- tolerations: - tolerations:
@ -46,5 +48,5 @@
+{{ toYaml .Values.audit.tolerations | indent 8 }} +{{ toYaml .Values.audit.tolerations | indent 8 }}
+{{- end }} +{{- end }}
volumes: volumes:
{{- if .Values.audit.writeToRAMDisk }} - name: cert
- emptyDir: secret:

14
packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch
View File

@ -1,6 +1,6 @@
--- charts-original/templates/gatekeeper-controller-manager-deployment.yaml --- charts-original/templates/gatekeeper-controller-manager-deployment.yaml
+++ charts/templates/gatekeeper-controller-manager-deployment.yaml +++ charts/templates/gatekeeper-controller-manager-deployment.yaml
@@ -40,11 +40,8 @@ @@ -42,11 +42,8 @@
{{- toYaml .Values.controllerManager.affinity | nindent 8 }} {{- toYaml .Values.controllerManager.affinity | nindent 8 }}
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
@ -14,15 +14,15 @@
args: args:
- --port={{ .Values.controllerManager.port }} - --port={{ .Values.controllerManager.port }}
- --health-addr=:{{ .Values.controllerManager.healthPort }} - --health-addr=:{{ .Values.controllerManager.healthPort }}
@@ -84,7 +81,6 @@ @@ -98,7 +95,6 @@
valueFrom: fieldPath: metadata.namespace
fieldRef: - name: CONTAINER_NAME
fieldPath: metadata.name value: manager
- imagePullPolicy: '{{ .Values.image.pullPolicy }}' - imagePullPolicy: '{{ .Values.image.pullPolicy }}'
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
@@ -115,16 +111,20 @@ @@ -133,9 +129,11 @@
dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
hostNetwork: {{ .Values.controllerManager.hostNetwork }} hostNetwork: {{ .Values.controllerManager.hostNetwork }}
imagePullSecrets: imagePullSecrets:
@ -37,6 +37,8 @@
{{- if .Values.controllerManager.priorityClassName }} {{- if .Values.controllerManager.priorityClassName }}
priorityClassName: {{ .Values.controllerManager.priorityClassName }} priorityClassName: {{ .Values.controllerManager.priorityClassName }}
{{- end }} {{- end }}
@@ -143,8 +141,10 @@
{{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60 terminationGracePeriodSeconds: 60
- tolerations: - tolerations:

7
packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch
View File

@ -1,6 +1,6 @@
--- charts-original/templates/namespace-post-install.yaml --- charts-original/templates/namespace-post-install.yaml
+++ charts/templates/namespace-post-install.yaml +++ charts/templates/namespace-post-install.yaml
@@ -26,11 +26,11 @@ @@ -28,8 +28,8 @@
{{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }} {{- end }}
serviceAccount: gatekeeper-update-namespace-label serviceAccount: gatekeeper-update-namespace-label
@ -8,6 +8,11 @@
- kubernetes.io/os: linux - kubernetes.io/os: linux
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.postInstall.probeWebhook.enabled }}
volumes:
{{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
@@ -38,7 +38,7 @@
{{- end }}
containers: containers:
- name: kubectl-label - name: kubectl-label
- image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" - image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"

17
packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch Normal file
View File

@ -0,0 +1,17 @@
--- charts-original/templates/namespace-post-upgrade.yaml
+++ charts/templates/namespace-post-upgrade.yaml
@@ -26,11 +26,11 @@
{{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-update-namespace-label-post-upgrade
- nodeSelector:
- kubernetes.io/os: linux
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
containers:
- name: kubectl-label
- image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
+ image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}'
imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
args:
- label

13
packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch Normal file
View File

@ -0,0 +1,13 @@
--- charts-original/templates/probe-webhook-post-install.yaml
+++ charts/templates/probe-webhook-post-install.yaml
@@ -28,8 +28,8 @@
imagePullSecrets:
{{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
- nodeSelector:
- kubernetes.io/os: linux
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
volumes:
{{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
containers:

11
packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch
View File

@ -1,6 +1,6 @@
--- charts-original/templates/upgrade-crds-hook.yaml --- charts-original/templates/upgrade-crds-hook.yaml
+++ charts/templates/upgrade-crds-hook.yaml +++ charts/templates/upgrade-crds-hook.yaml
@@ -75,18 +75,14 @@ @@ -80,18 +80,14 @@
spec: spec:
serviceAccountName: gatekeeper-admin-upgrade-crds serviceAccountName: gatekeeper-admin-upgrade-crds
restartPolicy: Never restartPolicy: Never
@ -23,13 +23,14 @@
args: args:
- apply - apply
- -f - -f
@@ -95,7 +91,6 @@ @@ -102,8 +98,6 @@
{{- toYaml .Values.crds.resources | nindent 10 }}
securityContext:
{{- toYaml .Values.crds.securityContext | nindent 10 }} {{- toYaml .Values.crds.securityContext | nindent 10 }}
affinity:
{{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
- nodeSelector: - nodeSelector:
- kubernetes.io/os: linux - kubernetes.io/os: linux
- - tolerations:
- {{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- end }} {{- end }}

17
packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch Normal file
View File

@ -0,0 +1,17 @@
--- charts-original/templates/webhook-configs-pre-delete.yaml
+++ charts/templates/webhook-configs-pre-delete.yaml
@@ -28,11 +28,11 @@
{{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
{{- end }}
serviceAccount: gatekeeper-delete-webhook-configs
- nodeSelector:
- kubernetes.io/os: linux
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
containers:
- name: kubectl-delete
- image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
+ image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}'
imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }}
args:
- delete

50
packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch
View File

@ -1,44 +1,62 @@
--- charts-original/values.yaml --- charts-original/values.yaml
+++ charts/values.yaml +++ charts/values.yaml
@@ -30,8 +30,8 @@ @@ -33,8 +33,8 @@
labelNamespace: labelNamespace:
enabled: true enabled: false
image: image:
- repository: openpolicyagent/gatekeeper-crds - repository: openpolicyagent/gatekeeper-crds
- tag: v3.8.1 - tag: v3.9.0
+ repository: rancher/kubectl + repository: rancher/kubectl
+ tag: v1.20.2 + tag: v1.20.2
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
pullSecrets: [] pullSecrets: []
securityContext: extraNamespaces: []
@@ -47,7 +47,7 @@ @@ -52,7 +52,7 @@
deleteWebhookConfigurations: extraRules: []
enabled: true
image:
- repository: openpolicyagent/gatekeeper-crds
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.9.0
pullPolicy: IfNotPresent
pullSecrets: []
@@ -60,7 +60,7 @@
probeWebhook:
enabled: true
image:
- repository: curlimages/curl
+ repository: rancher/mirrored-curlimages-curl
tag: 7.83.1
pullPolicy: IfNotPresent
pullSecrets: []
@@ -81,7 +81,7 @@
extraRules: []
enabled: false enabled: false
image: image:
- repository: openpolicyagent/gatekeeper-crds - repository: openpolicyagent/gatekeeper-crds
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
tag: v3.8.1 tag: v3.9.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
pullSecrets: [] pullSecrets: []
@@ -60,10 +60,13 @@ @@ -94,10 +94,13 @@
runAsGroup: 999 runAsGroup: 999
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
-image: -image:
- repository: openpolicyagent/gatekeeper - repository: openpolicyagent/gatekeeper
- crdRepository: openpolicyagent/gatekeeper-crds - crdRepository: openpolicyagent/gatekeeper-crds
- release: v3.8.1 - release: v3.9.0
+images: +images:
+ gatekeeper: + gatekeeper:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper + repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.8.1 + tag: v3.9.0
+ gatekeepercrd: + gatekeepercrd:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.8.1 + tag: v3.9.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
pullSecrets: [] pullSecrets: []
podAnnotations: podAnnotations: {}
@@ -93,7 +96,7 @@ @@ -128,7 +131,7 @@
topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
weight: 100 weight: 100
tolerations: [] tolerations: []
@ -47,8 +65,8 @@
resources: resources:
limits: limits:
cpu: 1000m cpu: 1000m
@@ -118,7 +121,7 @@ @@ -159,7 +162,7 @@
priorityClassName: system-cluster-critical disableCertRotation: true
affinity: {} affinity: {}
tolerations: [] tolerations: []
- nodeSelector: {kubernetes.io/os: linux} - nodeSelector: {kubernetes.io/os: linux}
@ -56,7 +74,7 @@
writeToRAMDisk: false writeToRAMDisk: false
resources: resources:
limits: limits:
@@ -150,6 +153,12 @@ @@ -196,6 +199,12 @@
pdb: pdb:
controllerManager: controllerManager:
minAvailable: 1 minAvailable: 1

3
packages/rancher-gatekeeper/package.yaml
View File

@ -1,6 +1,5 @@
url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.8.1.tgz url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.9.0.tgz
version: 101.0.0 version: 101.0.0
doNotRelease: true
additionalCharts: additionalCharts:
- workingDir: charts-crd - workingDir: charts-crd
crdOptions: crdOptions:

5
release.yaml
View File

@ -4,4 +4,7 @@ rancher-cis-benchmark-crd:
- 3.0.0-rc1 - 3.0.0-rc1
rancher-csp-adapter: rancher-csp-adapter:
- 1.0.1 - 1.0.1
rancher-gatekeeper:
- 101.0.0+up3.9.0
rancher-gatekeeper-crd:
- 101.0.0+up3.9.0