{{- if not .Values.disableValidatingWebhook }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-validating-webhook-configuration webhooks: - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: gatekeeper-webhook-service namespace: '{{ .Release.Namespace }}' path: /v1/admit failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} matchPolicy: Exact name: validation.gatekeeper.sh namespaceSelector: matchExpressions: - key: admission.gatekeeper.sh/ignore operator: DoesNotExist rules: - apiGroups: - '*' apiVersions: - '*' operations: - CREATE - UPDATE {{- if .Values.enableDeleteOperations }} - DELETE {{- end}} resources: - '*' sideEffects: None timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} - admissionReviewVersions: - v1 - v1beta1 clientConfig: service: name: gatekeeper-webhook-service namespace: '{{ .Release.Namespace }}' path: /v1/admitlabel failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }} matchPolicy: Exact name: check-ignore-label.gatekeeper.sh rules: - apiGroups: - "" apiVersions: - '*' operations: - CREATE - UPDATE resources: - namespaces sideEffects: None timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} {{- end }}