apiVersion: apps/v1 kind: Deployment metadata: labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: audit-controller gatekeeper.sh/operation: audit gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-audit namespace: '{{ .Release.Namespace }}' spec: replicas: 1 selector: matchLabels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: audit-controller gatekeeper.sh/operation: audit gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' template: metadata: annotations: {{- toYaml .Values.podAnnotations | trim | nindent 8 }} labels: {{- include "gatekeeper.podLabels" . }} app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: audit-controller gatekeeper.sh/operation: audit gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' spec: affinity: {{- toYaml .Values.audit.affinity | nindent 8 }} automountServiceAccountToken: true containers: - args: - --audit-interval={{ .Values.auditInterval }} - --log-level={{ .Values.logLevel }} - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} - --audit-from-cache={{ .Values.auditFromCache }} - --audit-chunk-size={{ .Values.auditChunkSize }} - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} - --emit-audit-events={{ .Values.emitAuditEvents }} - --operation=audit - --operation=status - --logtostderr command: - /manager env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}' imagePullPolicy: '{{ .Values.image.pullPolicy }}' livenessProbe: httpGet: path: /healthz port: 9090 name: manager ports: - containerPort: 8888 name: metrics protocol: TCP - containerPort: 9090 name: healthz protocol: TCP readinessProbe: httpGet: path: /readyz port: 9090 resources: {{- toYaml .Values.audit.resources | nindent 10 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true runAsUser: 1000 hostNetwork: {{ .Values.audit.hostNetwork }} imagePullSecrets: {{- toYaml .Values.image.pullSecrets | nindent 8 }} nodeSelector: {{- toYaml .Values.audit.nodeSelector | nindent 8 }} priorityClassName: {{ .Values.audit.priorityClassName }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 tolerations: {{- toYaml .Values.audit.tolerations | nindent 8 }}