rancher-charts/charts/rancher-gatekeeper/101.1.0+up3.10.0
vardhaman 44fba49dbc make charts 2022-12-07 13:07:58 +05:30

README.md

Gatekeeper Helm Chart

Get Repo Info

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update

See helm repo for command documentation.

Install Chart

# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper

# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace

See parameters below.

See helm install for command documentation.

Upgrade Chart

Upgrading from < v3.4.0

Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the gatekeeper-system Namespace from within the chart. This follows Helm 3 Best Practices.

Option 1: A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.

$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace

Option 2: Run the helm_migrate.sh script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.

$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper

Upgrading from >= v3.4.0

$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper

See helm 2 to 3 for Helm 2 migration documentation.

Exempting Namespace

The Helm chart automatically sets the Gatekeeper flag --exempt-namespace={{ .Release.Namespace }} in order to exempt the namespace where the chart is installed, and adds the admission.gatekeeper.sh/ignore label to the namespace during a post-install hook.

See Exempting Namespaces for more information.
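The section above names three ways a namespace can escape the validating webhook: the --exempt-namespace flag (together with the chart's exemptNamespaces and exemptNamespacePrefixes values), the admission.gatekeeper.sh/ignore label the post-install hook adds, and any extra label keys configured through validatingWebhookExemptNamespacesLabels. The script below is an added example, not code from the chart or the Gatekeeper project: given a namespace listing (constructed inline in the shape of `kubectl get ns -o json`) and a set of chart values, it reports which namespaces are exempt and why, so an operator can review the exemption surface after an install or upgrade. Assumptions not stated on this page: the release namespace is passed in as `_releaseNamespace`, and validatingWebhookExemptNamespacesLabels is treated as a map of label key to the list of values that exempt.

```python
"""Which namespaces escape Gatekeeper's validating webhook, and why (added example)."""
from __future__ import annotations

IGNORE_LABEL = "admission.gatekeeper.sh/ignore"  # label named in the README


def exemption_reasons(ns: dict, values: dict) -> list[str]:
    """Return every reason a namespace object bypasses validation ([] means enforced)."""
    name = ns["metadata"]["name"]
    labels = ns["metadata"].get("labels") or {}
    cm = values.get("controllerManager", {})
    reasons: list[str] = []

    # 1. Exact-name exemption: the chart passes --exempt-namespace=<release ns>,
    #    plus every entry of controllerManager.exemptNamespaces.
    #    (Assumption: the release namespace arrives as values["_releaseNamespace"].)
    exact = set(cm.get("exemptNamespaces", [])) | {values.get("_releaseNamespace")}
    if name in exact:
        reasons.append("--exempt-namespace")

    # 2. Prefix exemption from controllerManager.exemptNamespacePrefixes.
    for prefix in cm.get("exemptNamespacePrefixes", []):
        if name.startswith(prefix):
            reasons.append(f"prefix {prefix!r}")

    # 3. The ignore label: a labelled namespace is skipped by the webhook.
    if IGNORE_LABEL in labels:
        reasons.append(f"label {IGNORE_LABEL}")

    # 4. Extra exemption labels (assumed shape: {label_key: [exempting values]}).
    for key, vals in (values.get("validatingWebhookExemptNamespacesLabels") or {}).items():
        if key in labels and labels[key] in vals:
            reasons.append(f"label {key}={labels[key]}")
    return reasons


def exempt_namespaces(listing: dict, values: dict) -> dict[str, list[str]]:
    """Map every exempt namespace name to the list of reasons it is exempt."""
    out: dict[str, list[str]] = {}
    for ns in listing["items"]:
        reasons = exemption_reasons(ns, values)
        if reasons:
            out[ns["metadata"]["name"]] = reasons
    return out


# Constructed sample input: a chart override and four namespaces.
SAMPLE_VALUES = {
    "_releaseNamespace": "gatekeeper-system",
    "controllerManager": {
        "exemptNamespaces": ["kube-system"],
        "exemptNamespacePrefixes": ["kube-"],
    },
    "validatingWebhookExemptNamespacesLabels": {"example.com/skip-policy": ["true"]},
}


def _ns(name: str, labels: dict | None = None) -> dict:
    """Build a minimal Namespace object in the shape kubectl emits."""
    return {"metadata": {"name": name, "labels": labels or {}}}


SAMPLE_LISTING = {"items": [
    _ns("gatekeeper-system", {IGNORE_LABEL: "true"}),   # release ns, labelled by the hook
    _ns("kube-public"),                                  # caught by the kube- prefix
    _ns("payments"),                                     # fully enforced
    _ns("dev-sandbox", {"example.com/skip-policy": "true"}),  # opted out via extra label
]}

if __name__ == "__main__":
    for name, why in exempt_namespaces(SAMPLE_LISTING, SAMPLE_VALUES).items():
        print(f"{name}: {', '.join(why)}")
```

Run it against a real listing by replacing `SAMPLE_LISTING` with the parsed output of `kubectl get ns -o json`; every namespace that appears in the result is one where Gatekeeper constraints are not enforced, which is exactly the set the parameter table warns about when it says an exemption label lets anyone who can manage namespaces skip validation.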

Parameters

| Parameter | Description | Default |
|---|---|---|
| postInstall.labelNamespace.enabled | Add labels to the namespace during post-install hooks | true |
| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post-upgrade hooks | [] |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | openpolicyagent/gatekeeper-crds |
| postInstall.labelNamespace.image.tag | Image tag | Current release version: v3.10.0 |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | IfNotPresent |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | [] |
| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | [] |
| postInstall.probeWebhook.enabled | Probe the webhook API post-install. When enabled along with postInstall.labelNamespace.enabled, this probe runs as an initContainer of the postInstall.labelNamespace Job | true |
| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | curlimages/curl |
| postInstall.probeWebhook.image.tag | Image tag | 7.83.1 |
| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | IfNotPresent |
| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | [] |
| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | 60 |
| postInstall.probeWebhook.httpTimeout | HTTP client timeout | 2 |
| postInstall.probeWebhook.insecureHTTPS | Ignore the server's SSL certificate | false |
| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | {} |
| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | [] |
| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | kubernetes.io/os: linux |
| postInstall.resources | The resource requests/limits for the container image in postInstall hook jobs | {} |
| postInstall.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": { "drop": ["all"] }, "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post-upgrade hooks | false |
| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post-upgrade hooks | [] |
| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | openpolicyagent/gatekeeper-crds |
| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: v3.10.0 |
| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | IfNotPresent |
| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | [] |
| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | {} |
| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | [] |
| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | kubernetes.io/os: linux |
| postUpgrade.resources | The resource requests/limits for the container image in postUpgrade hook jobs | {} |
| postUpgrade.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": { "drop": ["all"] }, "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | false |
| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | openpolicyagent/gatekeeper-crds |
| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: v3.10.0 |
| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | IfNotPresent |
| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | [] |
| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | [] |
| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | {} |
| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | [] |
| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | kubernetes.io/os: linux |
| preUninstall.resources | The resource requests/limits for the container image in preUninstall hook jobs | {} |
| preUninstall.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": { "drop": ["all"] }, "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
| psp.enabled | Enable PodSecurityPolicy | true |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | true |
| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | [] |
| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | {} |
| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | [] |
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | kubernetes.io/os: linux |
| crds.resources | The resource requests/limits for the container image in crds hook jobs | {} |
| crds.securityContext | Security context applied to the container | { "allowPrivilegeEscalation": false, "capabilities": { "drop": ["all"] }, "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 } |
| auditInterval | The frequency with which audit is run | 300 |
| constraintViolationsLimit | The maximum number of audit violations reported on a constraint | 20 |
| auditFromCache | Take the roster of resources to audit from the OPA cache | false |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | 500 |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster | false |
| disableValidatingWebhook | Disable the validating webhook | false |
| disableMutation | Disable mutation | false |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | 3 |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | Ignore |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | {} |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set | {} |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | Fail |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable of managing namespaces will be able to skip all Gatekeeper validation by setting one of these labels on their namespace | {} |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with enableDeleteOperations. NOTE: If you change this, ensure all your constraints are still being enforced | {} |
| enableDeleteOperations | Enable the validating webhook for delete operations. Does not work with validatingWebhookCustomRules | false |
| enableExternalData | Enable external data (alpha feature) | false |
| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | false |
| enableTLSHealthcheck | Enable probing the webhook API with the certificate stored in certDir | false |
| maxServingThreads | Limit the number of concurrent calls to the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling; tuning it can optimize serving capacity | -1 |
| metricsBackends | Metrics exporters to use. Valid exporters are: prometheus, stackdriver, and opencensus | ["prometheus"] |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | Ignore |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | Never |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | {} |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable of managing namespaces will be able to skip all Gatekeeper validation by setting one of these labels on their namespace | {} |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set | {} |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | 3 |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced | {} |
| emitAdmissionEvents | Emit K8s events in the gatekeeper namespace for admission violations (alpha feature) | false |
| emitAuditEvents | Emit K8s events in the gatekeeper namespace for audit violations (alpha feature) | false |
| logDenies | Log detailed info on each deny | false |
| logLevel | Minimum log level | INFO |
| image.pullPolicy | The image pull policy | IfNotPresent |
| image.repository | Image repository | openpolicyagent/gatekeeper |
| image.release | The image release tag to use | Current release version: v3.10.0 |
| image.pullSecrets | Specify an array of imagePullSecrets | [] |
| resources | The resource requests/limits for the container image | limits: 1 CPU, 512Mi; requests: 100m CPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | kubernetes.io/os: linux |
| affinity | The node affinity to use for pod scheduling | {} |
| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | [] |
| tolerations | The tolerations to use for pod scheduling | [] |
| controllerManager.healthPort | Health port for the controller manager | 9090 |
| controllerManager.port | Webhook-server port for the controller manager | 8443 |
| controllerManager.metricsPort | Metrics port for the controller manager | 8888 |
| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | 1 |
| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | 1 |
| controllerManager.priorityClassName | Priority class name for the controller manager | system-cluster-critical |
| controllerManager.podSecurityContext | Security context on pod level for the controller manager | {fsGroup: 999, supplementalGroups: [999]} |
| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | [] |
| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | [] |
| controllerManager.hostNetwork | Enables the controllerManager to be deployed on hostNetwork | false |
| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | ClusterFirst |
| controllerManager.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": { "drop": ["all"] }, "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
| controllerManager.tlsMinVersion | Set the minimum supported TLS version for the validating and mutating webhook servers | 1.3 |
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | [] |
| audit.priorityClassName | Priority class name for the audit controller | system-cluster-critical |
| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, supplementalGroups: [999]} |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | false |
| audit.dnsPolicy | Set the dnsPolicy for audit pods | ClusterFirst |
| audit.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": { "drop": ["all"] }, "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
| audit.healthPort | Health port for audit | 9090 |
| audit.metricsPort | Metrics port for audit | 8888 |
| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | 1 |
| audit.livenessTimeout | Timeout in seconds for audit's liveness probe | 1 |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | 3 |
| podAnnotations | The annotations to add to the Gatekeeper pods | container.seccomp.security.alpha.kubernetes.io/manager: runtime/default |
| podLabels | The labels to add to the Gatekeeper pods | {} |
| podCountLimit | The maximum number of Gatekeeper pods to run | 100 |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | {} |
| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | 1 |
| service.type | Service type | ClusterIP |
| service.loadBalancerIP | The IP address of the LoadBalancer service | "" |
| service.healthzPort | Service port to the Gatekeeper webhook health port | 9090 |
| rbac.create | Enable the creation of RBAC resources | true |
| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | false |
| externalCertInjection.secretName | Name of the secret for the injected certificate | gatekeeper-webhook-server-cert |
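Several rows in the table above interact in ways that matter for enforcement: validatingWebhookFailurePolicy and mutatingWebhookFailurePolicy default to Ignore, which means a webhook outage fails open and admits everything, while switching them to Fail makes availability of the webhook pods (replicas, pdb.controllerManager.minAvailable) a hard dependency of every admission request. The exemption selectors carry their own warnings in the table. The script below is an added example, not part of the chart: it applies helm --set style dotted overrides on top of the defaults copied from the table and returns the findings an operator would want to review before rolling the values out. One assumption beyond the page: the check-ignore-label webhook is treated as the control that restricts who may set the admission.gatekeeper.sh/ignore label, so its failurePolicy is expected to stay Fail.

```python
"""Flag chart values that weaken or destabilise Gatekeeper enforcement (added example)."""
from __future__ import annotations

# Defaults copied from the README parameter table, keyed the way `helm --set` names them.
CHART_DEFAULTS: dict = {
    "replicas": 3,
    "disableValidatingWebhook": False,
    "disableMutation": False,
    "validatingWebhookFailurePolicy": "Ignore",
    "mutatingWebhookFailurePolicy": "Ignore",
    "validatingWebhookCheckIgnoreFailurePolicy": "Fail",
    "validatingWebhookExemptNamespacesLabels": {},
    "validatingWebhookObjectSelector": {},
    "controllerManager.tlsMinVersion": "1.3",
    "pdb.controllerManager.minAvailable": 1,
}


def effective_values(overrides: dict) -> dict:
    """Chart defaults with dotted-key overrides applied on top."""
    return {**CHART_DEFAULTS, **overrides}


def audit(overrides: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing to review."""
    v = effective_values(overrides)
    findings: list[str] = []

    # Validation: fail-open versus fail-closed, and what fail-closed costs.
    if v["disableValidatingWebhook"]:
        findings.append("disableValidatingWebhook=true: no admission-time enforcement at all")
    elif v["validatingWebhookFailurePolicy"] != "Fail":
        findings.append("validatingWebhookFailurePolicy=Ignore: fails open, a webhook outage admits everything")
    elif v["replicas"] < 2:
        findings.append("validatingWebhookFailurePolicy=Fail with replicas<2: one pod restart blocks all admission")

    # Mutation has the same fail-open default.
    if not v["disableMutation"] and v["mutatingWebhookFailurePolicy"] != "Fail":
        findings.append("mutatingWebhookFailurePolicy=Ignore: mutations are skipped whenever the webhook is down")

    # The check-ignore-label webhook guards the ignore label itself (assumption, see lead-in).
    if v["validatingWebhookCheckIgnoreFailurePolicy"] != "Fail":
        findings.append("validatingWebhookCheckIgnoreFailurePolicy!=Fail: ignore label can be set while that check is down")

    # Exemption selectors widen who can opt out, as the table's own notes warn.
    if v["validatingWebhookExemptNamespacesLabels"]:
        keys = ", ".join(v["validatingWebhookExemptNamespacesLabels"])
        findings.append(f"extra exemption labels ({keys}): anyone who can edit namespaces can opt out")
    if v["validatingWebhookObjectSelector"]:
        findings.append("validatingWebhookObjectSelector set: an exemption label on the object bypasses validation")

    # TLS floor for the webhook servers.
    major, minor = (int(x) for x in str(v["controllerManager.tlsMinVersion"]).split("."))
    if (major, minor) < (1, 2):
        findings.append(f"controllerManager.tlsMinVersion={major}.{minor}: below TLS 1.2")
    return findings


# Constructed sample overrides.
DEFAULT_INSTALL: dict = {}
HARDENED: dict = {"validatingWebhookFailurePolicy": "Fail", "mutatingWebhookFailurePolicy": "Fail"}
BRITTLE: dict = {
    "validatingWebhookFailurePolicy": "Fail",
    "replicas": 1,
    "validatingWebhookExemptNamespacesLabels": {"example.com/skip-policy": ["true"]},
}

if __name__ == "__main__":
    for label, ov in (("default", DEFAULT_INSTALL), ("hardened", HARDENED), ("brittle", BRITTLE)):
        print(f"[{label}]")
        for f in audit(ov) or ["no findings"]:
            print("  -", f)
```

The three sample overrides show the trade-off: the chart defaults produce two fail-open findings, the hardened set produces none, and the brittle set shows that flipping to Fail without enough replicas trades a bypass risk for an availability risk.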

Contributing Changes

Please refer to Contributing to Helm Chart for modifying the Helm chart.