mirror of https://git.rancher.io/charts
109 lines
3.7 KiB
YAML
109 lines
3.7 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: '{{ template "gatekeeper.name" . }}'
|
|
chart: '{{ template "gatekeeper.name" . }}'
|
|
control-plane: audit-controller
|
|
gatekeeper.sh/operation: audit
|
|
gatekeeper.sh/system: "yes"
|
|
heritage: '{{ .Release.Service }}'
|
|
release: '{{ .Release.Name }}'
|
|
name: gatekeeper-audit
|
|
namespace: '{{ .Release.Namespace }}'
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: '{{ template "gatekeeper.name" . }}'
|
|
chart: '{{ template "gatekeeper.name" . }}'
|
|
control-plane: audit-controller
|
|
gatekeeper.sh/operation: audit
|
|
gatekeeper.sh/system: "yes"
|
|
heritage: '{{ .Release.Service }}'
|
|
release: '{{ .Release.Name }}'
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
|
|
labels:
|
|
{{- include "gatekeeper.podLabels" . }}
|
|
app: '{{ template "gatekeeper.name" . }}'
|
|
chart: '{{ template "gatekeeper.name" . }}'
|
|
control-plane: audit-controller
|
|
gatekeeper.sh/operation: audit
|
|
gatekeeper.sh/system: "yes"
|
|
heritage: '{{ .Release.Service }}'
|
|
release: '{{ .Release.Name }}'
|
|
spec:
|
|
affinity:
|
|
{{- toYaml .Values.audit.affinity | nindent 8 }}
|
|
automountServiceAccountToken: true
|
|
containers:
|
|
- args:
|
|
- --audit-interval={{ .Values.auditInterval }}
|
|
- --log-level={{ .Values.logLevel }}
|
|
- --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
|
|
- --audit-from-cache={{ .Values.auditFromCache }}
|
|
- --audit-chunk-size={{ .Values.auditChunkSize }}
|
|
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
|
|
- --emit-audit-events={{ .Values.emitAuditEvents }}
|
|
- --operation=audit
|
|
- --operation=status
|
|
- --logtostderr
|
|
- --health-addr=:{{ .Values.audit.healthPort }}
|
|
- --prometheus-port={{ .Values.audit.metricsPort }}
|
|
command:
|
|
- /manager
|
|
env:
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.namespace
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
|
|
imagePullPolicy: '{{ .Values.images.pullPolicy }}'
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: {{ .Values.audit.healthPort }}
|
|
name: manager
|
|
ports:
|
|
- containerPort: {{ .Values.audit.metricsPort }}
|
|
name: metrics
|
|
protocol: TCP
|
|
- containerPort: {{ .Values.audit.healthPort }}
|
|
name: healthz
|
|
protocol: TCP
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: {{ .Values.audit.healthPort }}
|
|
resources:
|
|
{{- toYaml .Values.audit.resources | nindent 10 }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- all
|
|
readOnlyRootFilesystem: true
|
|
runAsGroup: 999
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
hostNetwork: {{ .Values.audit.hostNetwork }}
|
|
imagePullSecrets:
|
|
{{- toYaml .Values.images.pullSecrets | nindent 8 }}
|
|
nodeSelector:
|
|
{{- toYaml .Values.audit.nodeSelector | nindent 8 }}
|
|
{{- if .Values.audit.priorityClassName }}
|
|
priorityClassName: {{ .Values.audit.priorityClassName }}
|
|
{{- end }}
|
|
serviceAccountName: gatekeeper-admin
|
|
terminationGracePeriodSeconds: 60
|
|
tolerations:
|
|
{{- toYaml .Values.audit.tolerations | nindent 8 }}
|