49 KiB
Gatekeeper Helm Chart
Get Repo Info
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
See helm repo for command documentation.
Install Chart
# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
See parameters below.
See helm install for command documentation.
Upgrade Chart
Upgrading from < v3.4.0
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the gatekeeper-system
Namespace from within the chart. This follows Helm 3 Best Practices.
Option 1: A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
Option 2:
Run the helm_migrate.sh
script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.
$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
Upgrading from >= v3.4.0
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
See helm 2 to 3 for Helm 2 migration documentation.
Exempting Namespace
The Helm chart automatically sets the Gatekeeper flag --exempt-namespace={{ .Release.Namespace }}
in order to exempt the namespace where the chart is installed, and adds the admission.gatekeeper.sh/ignore
label to the namespace during a post-install hook.
See Exempting Namespaces for more information.
Parameters
Parameter | Description | Default |
---|---|---|
postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | true |
postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | [] |
postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | openpolicyagent/gatekeeper-crds |
postInstall.labelNamespace.image.tag | Image tag | Current release version: v3.10.0 |
postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | IfNotPresent |
postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | [] |
postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | [] |
postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with postInstall.labelNamespace.enabled , this probe will run as part of postInstall.labelNamespace Job as an initContainer |
true |
postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | curlimages/curl |
postInstall.probeWebhook.image.tag | Image tag | 7.83.1 |
postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | IfNotPresent |
postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | [] |
postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | 60 |
postInstall.probeWebhook.httpTimeout | HTTP client timeout | 2 |
postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | false |
postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | {} |
postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | [] |
postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | kubernetes.io/os: linux |
postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | {} |
postInstall.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | false |
postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | [] |
postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | openpolicyagent/gatekeeper-crds |
postUpgrade.labelNamespace.image.tag | Image tag | Current release version: v3.10.0 |
postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | IfNotPresent |
postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | [] |
postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | {} |
postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | [] |
postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | kubernetes.io/os: linux |
postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | {} |
postUpgrade.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | false |
preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | openpolicyagent/gatekeeper-crds |
preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: v3.10.0 |
preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | IfNotPresent |
preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | [] |
preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | [] |
preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | {} |
preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | [] |
preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | kubernetes.io/os: linux |
preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | {} |
preUninstall.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
psp.enabled | Enabled PodSecurityPolicy | true |
upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | true |
upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | [] |
crds.affinity | The affinity to use for pod scheduling in crds hook jobs | {} |
crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | [] |
crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | kubernetes.io/os: linux |
crds.resources | The resource request/limits for the container image in crds hook jobs | {} |
crds.securityContext | Security context applied to the container | { "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 } |
auditInterval | The frequency with which audit is run | 300 |
constraintViolationsLimit | The maximum # of audit violations reported on a constraint | 20 |
auditFromCache | Take the roster of resources to audit from the OPA cache | false |
auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | 500 |
auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | false |
disableValidatingWebhook | Disable the validating webhook | false |
disableMutation | Disable mutation | false |
validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | 3 |
validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | Ignore |
validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | {} |
validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | {} |
validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | Fail |
validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | {} |
validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with enableDeleteOperations . NOTE: If you change this, ensure all your constraints are still being enforced. |
{} |
enableDeleteOperations | Enable validating webhook for delete operations. Does not work with validatingWebhookCustomRules |
false |
enableExternalData | Enable external data (alpha feature) | false |
enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | false |
enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | false |
maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | -1 |
metricsBackends | Metrics exporters to use. Valid exporters are: prometheus , stackdriver , and opencensus |
["prometheus"] |
mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | Ignore |
mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | Never |
mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | {} |
mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | {} |
mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | {} |
mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | 3 |
mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | {} |
emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | false |
emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | false |
logDenies | Log detailed info on each deny | false |
logLevel | Minimum log level | INFO |
image.pullPolicy | The image pull policy | IfNotPresent |
image.repository | Image repository | openpolicyagent/gatekeeper |
image.release | The image release tag to use | Current release version: v3.10.0 |
image.pullSecrets | Specify an array of imagePullSecrets | [] |
resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
nodeSelector | The node selector to use for pod scheduling | kubernetes.io/os: linux |
affinity | The node affinity to use for pod scheduling | {} |
topologySpreadConstraints | The topology spread constraints to use for pod scheduling | [] |
tolerations | The tolerations to use for pod scheduling | [] |
controllerManager.healthPort | Health port for controller manager | 9090 |
controllerManager.port | Webhook-server port for controller manager | 8443 |
controllerManager.metricsPort | Metrics port for controller manager | 8888 |
controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | 1 |
controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | 1 |
controllerManager.priorityClassName | Priority class name for controller manager | system-cluster-critical |
controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} |
controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | [] |
controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | [] |
controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | false |
controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | ClusterFirst |
controllerManager.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | 1.3 |
controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | [] |
audit.priorityClassName | Priority class name for audit controller | system-cluster-critical |
audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
audit.hostNetwork | Enables audit to be deployed on hostNetwork | false |
audit.dnsPolicy | Set the dnsPolicy for audit pods | ClusterFirst |
audit.securityContext | Security context applied on the container | { "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 } |
audit.healthPort | Health port for audit | 9090 |
audit.metricsPort | Metrics port for audit | 8888 |
audit.readinessTimeout | Timeout in seconds for audit's readiness probe | 1 |
audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | 1 |
replicas | The number of Gatekeeper replicas to deploy for the webhook | 3 |
podAnnotations | The annotations to add to the Gatekeeper pods | container.seccomp.security.alpha.kubernetes.io/manager: runtime/default |
podLabels | The labels to add to the Gatekeeper pods | {} |
podCountLimit | The maximum number of Gatekeeper pods to run | 100 |
secretAnnotations | The annotations to add to the Gatekeeper secrets | {} |
pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | 1 |
service.type | Service type | ClusterIP |
service.loadBalancerIP | The IP address of LoadBalancer service | `` |
service.healthzPort | Service port to gatekeeper Webhook health port | 9090 |
rbac.create | Enable the creation of RBAC resources | true |
externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | false |
externalCertInjection.secretName | Name of secret for injected certificate | gatekeeper-webhook-server-cert |
Contributing Changes
Please refer to Contributing to Helm Chart for modifying the Helm chart.