rancher-charts/charts/rancher-gatekeeper/101.0.0+up3.9.0

Gatekeeper Helm Chart

Get Repo Info

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update

See helm repo for command documentation.

Install Chart

# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper

# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace

See parameters below.

See helm install for command documentation.

Upgrade Chart

Upgrading from < v3.4.0 Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the gatekeeper-system Namespace from within the chart. This follows Helm 3 Best Practices.

Option 1: A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.

$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace

Option 2: Run the helm_migrate.sh script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.

$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper

Upgrading from >= v3.4.0

$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper

See helm 2 to 3 for Helm 2 migration documentation.

Exempting Namespace

The Helm chart automatically sets the Gatekeeper flag --exempt-namespace={{ .Release.Namespace }} in order to exempt the namespace where the chart is installed, and adds the admission.gatekeeper.sh/ignore label to the namespace during a post-install hook.

See Exempting Namespaces for more information.

Parameters

Parameter	Description	Default
postInstall.labelNamespace.enabled	Add labels to the namespace during post install hooks	true
postInstall.labelNamespace.extraNamespaces	The extra namespaces that need to have the label during post upgrade hooks	[]
postInstall.labelNamespace.image.repository	Image with kubectl to label the namespace	openpolicyagent/gatekeeper-crds
postInstall.labelNamespace.image.tag	Image tag	Current release version: v3.9.0
postInstall.labelNamespace.image.pullPolicy	Image pullPolicy	IfNotPresent
postInstall.labelNamespace.image.pullSecrets	Image pullSecrets	[]
postInstall.labelNamespace.extraRules	Extra rules for the gatekeeper-update-namespace-label Role	[]
postInstall.probeWebhook.enabled	Probe webhook API post install. When enabled along with postInstall.labelNamespace.enabled, this probe will run as part of postInstall.labelNamespace Job as an initContainer	true
postInstall.probeWebhook.image.repository	Image with curl to probe the webhook API	curlimages/curl
postInstall.probeWebhook.image.tag	Image tag	7.83.1
postInstall.probeWebhook.image.pullPolicy	Image pullPolicy	IfNotPresent
postInstall.probeWebhook.image.pullSecrets	Image pullSecrets	[]
postInstall.probeWebhook.waitTimeout	Total time to wait for the webhook API to become available	60
postInstall.probeWebhook.httpTimeout	HTTP client timeout	2
postInstall.probeWebhook.insecureHTTPS	Ignore server SSL certificate	false
postInstall.securityContext	Security context applied on the container	{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }
postUpgrade.labelNamespace.enabled	Add labels to the namespace during post upgrade hooks	false
postUpgrade.labelNamespace.extraNamespaces	The extra namespaces that need to have the label during post upgrade hooks	[]
postUpgrade.labelNamespace.image.repository	Image with kubectl to label the namespace	openpolicyagent/gatekeeper-crds
postUpgrade.labelNamespace.image.tag	Image tag	Current release version: v3.9.0
postUpgrade.labelNamespace.image.pullPolicy	Image pullPolicy	IfNotPresent
postUpgrade.labelNamespace.image.pullSecrets	Image pullSecrets	[]
postUpgrade.securityContext	Security context applied on the container	{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }
preUninstall.deleteWebhooks.enabled	Delete webhooks before gatekeeper itself is uninstalled	false
preUninstall.deleteWebhooks.image.repository	Image with kubectl to delete the webhooks	openpolicyagent/gatekeeper-crds
preUninstall.deleteWebhooks.image.tag	Image tag	Current release version: v3.9.0
preUninstall.deleteWebhooks.image.pullPolicy	Image pullPolicy	IfNotPresent
preUninstall.deleteWebhooks.image.pullSecrets	Image pullSecrets	[]
preUninstall.deleteWebhooks.extraRules	Extra rules for the gatekeeper-delete-webhook-configs Role	[]
preUninstall.securityContext	Security context applied on the container	{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }
psp.enabled	Enabled PodSecurityPolicy	true
upgradeCRDs.enabled	Upgrade CRDs using pre-install/pre-upgrade hooks	true
upgradeCRDs.extraRules	Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole	[]
crds.securityContext	Security context applied to the container	{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }
auditInterval	The frequency with which audit is run	300
constraintViolationsLimit	The maximum # of audit violations reported on a constraint	20
auditFromCache	Take the roster of resources to audit from the OPA cache	false
auditChunkSize	Chunk size for listing cluster resources for audit (alpha feature)	0
auditMatchKindOnly	Only check resources of the kinds specified in all constraints defined in the cluster.	false
disableValidatingWebhook	Disable the validating webhook	false
disableMutation	Disable mutation	false
validatingWebhookTimeoutSeconds	The timeout for the validating webhook in seconds	3
validatingWebhookFailurePolicy	The failurePolicy for the validating webhook	Ignore
validatingWebhookObjectSelector	The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set.	{}
validatingWebhookCheckIgnoreFailurePolicy	The failurePolicy for the check-ignore-label validating webhook	Fail
validatingWebhookExemptNamespacesLabels	Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace.	{}
validatingWebhookCustomRules	Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with enableDeleteOperations. NOTE: If you change this, ensure all your constraints are still being enforced.	{}
enableDeleteOperations	Enable validating webhook for delete operations. Does not work with validatingWebhookCustomRules	false
enableExternalData	Enable external data (alpha feature)	false
enableTLSHealthcheck	Enable probing webhook API with certificate stored in certDir	false
metricsBackends	Metrics exporters to use. Valid exporters are: prometheus, stackdriver, and opencensus	["prometheus"]
mutatingWebhookFailurePolicy	The failurePolicy for the mutating webhook	Ignore
mutatingWebhookReinvocationPolicy	The reinvocationPolicy for the mutating webhook	Never
mutatingWebhookExemptNamespacesLabels	Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace.	{}
mutatingWebhookObjectSelector	The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set.	{}
mutatingWebhookTimeoutSeconds	The timeout for the mutating webhook in seconds	3
mutatingWebhookCustomRules	Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced.	{}
emitAdmissionEvents	Emit K8s events in gatekeeper namespace for admission violations (alpha feature)	false
emitAuditEvents	Emit K8s events in gatekeeper namespace for audit violations (alpha feature)	false
logDenies	Log detailed info on each deny	false
logLevel	Minimum log level	INFO
image.pullPolicy	The image pull policy	IfNotPresent
image.repository	Image repository	openpolicyagent/gatekeeper
image.release	The image release tag to use	Current release version: v3.9.0
image.pullSecrets	Specify an array of imagePullSecrets	[]
resources	The resource request/limits for the container image	limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi
nodeSelector	The node selector to use for pod scheduling	kubernetes.io/os: linux
affinity	The node affinity to use for pod scheduling	{}
tolerations	The tolerations to use for pod scheduling	[]
controllerManager.healthPort	Health port for controller manager	9090
controllerManager.port	Webhook-server port for controller manager	8443
controllerManager.metricsPort	Metrics port for controller manager	8888
controllerManager.priorityClassName	Priority class name for controller manager	system-cluster-critical
controllerManager.podSecurityContext	Security context on pod level for controller manager	{fsGroup: 999, suplementalGroups: [999]}
controllerManager.exemptNamespaces	The exact namespaces to exempt by the admission webhook	[]
controllerManager.exemptNamespacePrefixes	The namespace prefixes to exempt by the admission webhook	[]
controllerManager.hostNetwork	Enables controllerManager to be deployed on hostNetwork	false
controllerManager.dnsPolicy	Set the dnsPolicy for controllerManager pods	ClusterFirst
controllerManager.securityContext	Security context applied on the container	{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }
controllerManager.extraRules	Extra rules for the gatekeeper-manager-role Role	[]
audit.priorityClassName	Priority class name for audit controller	system-cluster-critical
audit.podSecurityContext	Security context for audit on pod level	{fsGroup: 999, suplementalGroups: [999]}
audit.hostNetwork	Enables audit to be deployed on hostNetwork	false
audit.dnsPolicy	Set the dnsPolicy for audit pods	ClusterFirst
audit.securityContext	Security context applied on the container	{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }
audit.healthPort	Health port for audit	9090
audit.metricsPort	Metrics port for audit	8888
replicas	The number of Gatekeeper replicas to deploy for the webhook	3
podAnnotations	The annotations to add to the Gatekeeper pods	container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
podLabels	The labels to add to the Gatekeeper pods	{}
podCountLimit	The maximum number of Gatekeeper pods to run	100
secretAnnotations	The annotations to add to the Gatekeeper secrets	{}
pdb.controllerManager.minAvailable	The number of controller manager pods that must still be available after an eviction	1
service.type	Service type	ClusterIP
service.loadBalancerIP	The IP address of LoadBalancer service	``
service.healthzPort	Service port to gatekeeper Webhook health port	9090
rbac.create	Enable the creation of RBAC resources	true

Contributing Changes

Please refer to Contributing to Helm Chart for modifying the Helm chart.