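# Helm template: Deployment for the Gatekeeper audit controller.
# The audit controller periodically evaluates existing cluster resources
# against installed constraints and reports violations (runs with
# --operation=audit and --operation=status; mutation-status is added when
# mutation is not disabled).
#
# Review notes on the reconstruction of this file:
#   - the layout was restored to 2-space block YAML;
#   - all template actions use the same spacing and left-trim style
#     ("{{-") so they do not leave stray blank/indented lines;
#   - the nodeSelector/tolerations merges use "nindent" like the rest of
#     the file instead of a column-0 "indent" line (renders identically);
#   - the POD_NAME fieldRef now carries "apiVersion: v1" like its siblings
#     (v1 is the API default, so the rendered object is unchanged).
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: '{{ template "gatekeeper.name" . }}'
    chart: '{{ template "gatekeeper.name" . }}'
    control-plane: audit-controller
    gatekeeper.sh/operation: audit
    # Quoted on purpose: an unquoted "yes" is a boolean in YAML 1.1 and
    # labels must be strings.
    gatekeeper.sh/system: "yes"
    heritage: '{{ .Release.Service }}'
    release: '{{ .Release.Name }}'
  name: gatekeeper-audit
  namespace: '{{ .Release.Namespace }}'
spec:
  # A single audit replica; the audit loop is not designed to be sharded.
  replicas: 1
  selector:
    # Must match the pod template labels below exactly.
    matchLabels:
      app: '{{ template "gatekeeper.name" . }}'
      chart: '{{ template "gatekeeper.name" . }}'
      control-plane: audit-controller
      gatekeeper.sh/operation: audit
      gatekeeper.sh/system: "yes"
      heritage: '{{ .Release.Service }}'
      release: '{{ .Release.Name }}'
  template:
    metadata:
      annotations:
        # Chart-wide annotations first, audit-specific ones second; on a
        # duplicate key the later (audit-specific) value wins in most
        # YAML parsers.
        {{- if .Values.podAnnotations }}
        {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
        {{- end }}
        {{- if .Values.auditPodAnnotations }}
        {{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }}
        {{- end }}
      labels:
        {{- include "gatekeeper.podLabels" . }}
        app: '{{ template "gatekeeper.name" . }}'
        chart: '{{ template "gatekeeper.name" . }}'
        control-plane: audit-controller
        gatekeeper.sh/operation: audit
        gatekeeper.sh/system: "yes"
        heritage: '{{ .Release.Service }}'
        release: '{{ .Release.Name }}'
    spec:
      affinity:
        {{- toYaml .Values.audit.affinity | nindent 8 }}
      # The controller authenticates to the API server with the mounted
      # service-account token (serviceAccountName below), so the token
      # must be automounted here even if the namespace default disables it.
      automountServiceAccountToken: true
      containers:
      - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
        args:
        - --audit-interval={{ .Values.auditInterval }}
        # Per-component log level overrides the global one when set.
        - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
        - --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
        - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
        - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
        - --audit-from-cache={{ .Values.auditFromCache }}
        - --audit-chunk-size={{ .Values.auditChunkSize }}
        - --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
        - --emit-audit-events={{ .Values.emitAuditEvents }}
        - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
        - --operation=audit
        - --operation=status
        {{- if .Values.audit.enablePubsub }}
        - --enable-pub-sub={{ .Values.audit.enablePubsub }}
        - --audit-connection={{ .Values.audit.connection }}
        - --audit-channel={{ .Values.audit.channel }}
        {{- end }}
        {{- if not .Values.disableMutation }}
        - --operation=mutation-status
        {{- end }}
        - --logtostderr
        - --health-addr=:{{ .Values.audit.healthPort }}
        - --prometheus-port={{ .Values.audit.metricsPort }}
        - --enable-external-data={{ .Values.enableExternalData }}
        - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
        {{- range .Values.metricsBackends }}
        - --metrics-backend={{ . }}
        {{- end }}
        {{- if .Values.audit.logFile }}
        - --log-file={{ .Values.audit.logFile }}
        {{- end }}
        # Cert rotation is turned off either explicitly or whenever certs
        # are injected from outside the chart.
        - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
        command:
        - /manager
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: CONTAINER_NAME
          value: manager
        imagePullPolicy: '{{ .Values.images.pullPolicy }}'
        livenessProbe:
          httpGet:
            path: /healthz
            port: {{ .Values.audit.healthPort }}
          timeoutSeconds: {{ .Values.audit.livenessTimeout }}
        name: manager
        ports:
        - containerPort: {{ .Values.audit.metricsPort }}
          name: metrics
          protocol: TCP
        - containerPort: {{ .Values.audit.healthPort }}
          name: healthz
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
            port: {{ .Values.audit.healthPort }}
          timeoutSeconds: {{ .Values.audit.readinessTimeout }}
        resources:
          {{- toYaml .Values.audit.resources | nindent 10 }}
        # Container hardening comes from values; the seccomp profile is
        # the only setting the chart adds on its own.
        securityContext:
          {{- if .Values.enableRuntimeDefaultSeccompProfile }}
          seccompProfile:
            type: RuntimeDefault
          {{- end }}
          {{- toYaml .Values.audit.securityContext | nindent 10 }}
        volumeMounts:
        # Webhook serving certificate; mounted read-only so the process
        # cannot alter its own key material.
        - mountPath: /certs
          name: cert
          readOnly: true
        - mountPath: /tmp/audit
          name: tmp-volume
      dnsPolicy: {{ .Values.audit.dnsPolicy }}
      # Value-driven; when true the pod's listeners (metrics, healthz)
      # are bound in the node's network namespace.
      hostNetwork: {{ .Values.audit.hostNetwork }}
      imagePullSecrets:
        {{- toYaml .Values.images.pullSecrets | nindent 8 }}
      # Linux-only selector from the chart helper, extended by user values.
      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
        {{- if .Values.audit.nodeSelector }}
        {{- toYaml .Values.audit.nodeSelector | nindent 8 }}
        {{- end }}
      {{- if .Values.audit.priorityClassName }}
      priorityClassName: {{ .Values.audit.priorityClassName }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
      serviceAccountName: gatekeeper-admin
      terminationGracePeriodSeconds: 60
      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
        {{- if .Values.audit.tolerations }}
        {{- toYaml .Values.audit.tolerations | nindent 8 }}
        {{- end }}
      volumes:
      - name: cert
        secret:
          # Kubernetes reads defaultMode as decimal: 420 == 0644.
          defaultMode: 420
          secretName: gatekeeper-webhook-server-cert
      # Second volume: the audit scratch dir, either memory-backed or a
      # plain emptyDir. The trailing "name" key belongs to whichever
      # branch rendered.
      {{- if .Values.audit.writeToRAMDisk }}
      - emptyDir:
          medium: Memory
      {{- else }}
      - emptyDir: {}
      {{- end }}
        name: tmp-volume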