mirror of https://git.rancher.io/charts
165 lines
6.1 KiB
YAML
165 lines
6.1 KiB
YAML
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
labels:
|
|
app: '{{ template "gatekeeper.name" . }}'
|
|
chart: '{{ template "gatekeeper.name" . }}'
|
|
control-plane: audit-controller
|
|
gatekeeper.sh/operation: audit
|
|
gatekeeper.sh/system: "yes"
|
|
heritage: '{{ .Release.Service }}'
|
|
release: '{{ .Release.Name }}'
|
|
name: gatekeeper-audit
|
|
namespace: '{{ .Release.Namespace }}'
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: '{{ template "gatekeeper.name" . }}'
|
|
chart: '{{ template "gatekeeper.name" . }}'
|
|
control-plane: audit-controller
|
|
gatekeeper.sh/operation: audit
|
|
gatekeeper.sh/system: "yes"
|
|
heritage: '{{ .Release.Service }}'
|
|
release: '{{ .Release.Name }}'
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
{{- if .Values.podAnnotations }}
|
|
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.auditPodAnnotations }}
|
|
{{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "gatekeeper.podLabels" . }}
|
|
app: '{{ template "gatekeeper.name" . }}'
|
|
chart: '{{ template "gatekeeper.name" . }}'
|
|
control-plane: audit-controller
|
|
gatekeeper.sh/operation: audit
|
|
gatekeeper.sh/system: "yes"
|
|
heritage: '{{ .Release.Service }}'
|
|
release: '{{ .Release.Name }}'
|
|
spec:
|
|
affinity:
|
|
{{- toYaml .Values.audit.affinity | nindent 8 }}
|
|
automountServiceAccountToken: true
|
|
containers:
|
|
- image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
|
|
args:
|
|
- --audit-interval={{ .Values.auditInterval }}
|
|
- --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
|
|
- --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
|
|
- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
|
|
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
|
|
- --audit-from-cache={{ .Values.auditFromCache }}
|
|
- --audit-chunk-size={{ .Values.auditChunkSize }}
|
|
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
|
|
- --emit-audit-events={{ .Values.emitAuditEvents }}
|
|
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
|
|
- --operation=audit
|
|
- --operation=status
|
|
{{ if .Values.audit.enablePubsub}}
|
|
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
|
|
- --audit-connection={{ .Values.audit.connection }}
|
|
- --audit-channel={{ .Values.audit.channel }}
|
|
{{- end }}
|
|
{{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}
|
|
- --logtostderr
|
|
- --health-addr=:{{ .Values.audit.healthPort }}
|
|
- --prometheus-port={{ .Values.audit.metricsPort }}
|
|
- --enable-external-data={{ .Values.enableExternalData }}
|
|
- --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
|
|
|
|
{{- range .Values.metricsBackends}}
|
|
- --metrics-backend={{ . }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.audit.logFile}}
|
|
- --log-file={{ .Values.audit.logFile }}
|
|
{{- end }}
|
|
- --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
|
|
command:
|
|
- /manager
|
|
env:
|
|
- name: POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.namespace
|
|
- name: POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.namespace
|
|
- name: CONTAINER_NAME
|
|
value: manager
|
|
imagePullPolicy: '{{ .Values.images.pullPolicy }}'
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: {{ .Values.audit.healthPort }}
|
|
timeoutSeconds: {{ .Values.audit.livenessTimeout }}
|
|
name: manager
|
|
ports:
|
|
- containerPort: {{ .Values.audit.metricsPort }}
|
|
name: metrics
|
|
protocol: TCP
|
|
- containerPort: {{ .Values.audit.healthPort }}
|
|
name: healthz
|
|
protocol: TCP
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /readyz
|
|
port: {{ .Values.audit.healthPort }}
|
|
timeoutSeconds: {{ .Values.audit.readinessTimeout }}
|
|
resources:
|
|
{{- toYaml .Values.audit.resources | nindent 10 }}
|
|
securityContext:
|
|
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
{{- end }}
|
|
{{- toYaml .Values.audit.securityContext | nindent 10}}
|
|
volumeMounts:
|
|
- mountPath: /certs
|
|
name: cert
|
|
readOnly: true
|
|
- mountPath: /tmp/audit
|
|
name: tmp-volume
|
|
dnsPolicy: {{ .Values.audit.dnsPolicy }}
|
|
hostNetwork: {{ .Values.audit.hostNetwork }}
|
|
imagePullSecrets:
|
|
{{- toYaml .Values.images.pullSecrets | nindent 8 }}
|
|
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
|
|
{{- if .Values.audit.nodeSelector }}
|
|
{{ toYaml .Values.audit.nodeSelector | indent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.audit.priorityClassName }}
|
|
priorityClassName: {{ .Values.audit.priorityClassName }}
|
|
{{- end }}
|
|
securityContext:
|
|
{{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
|
|
serviceAccountName: gatekeeper-admin
|
|
terminationGracePeriodSeconds: 60
|
|
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
|
|
{{- if .Values.audit.tolerations }}
|
|
{{ toYaml .Values.audit.tolerations | indent 8 }}
|
|
{{- end }}
|
|
volumes:
|
|
- name: cert
|
|
secret:
|
|
defaultMode: 420
|
|
secretName: gatekeeper-webhook-server-cert
|
|
{{- if .Values.audit.writeToRAMDisk }}
|
|
- emptyDir:
|
|
medium: Memory
|
|
{{ else }}
|
|
- emptyDir: {}
|
|
{{- end }}
|
|
name: tmp-volume
|