feat(gatekeeper): upgrade to 3.5.1

a10c3feb · Michael McLeroy · runyontr · 9aee625d · a10c3feb · a10c3feb
Commit a10c3feb authored 3 years ago by Michael McLeroy Committed by runyontr 3 years ago
--- a/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
+++ b/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
@@ -11,6 +11,7 @@ metadata:
    {{- include "commonLabels" . | nindent 4}}
 spec:
  targetNamespace: gatekeeper-system
+
  chart:
    spec:
      chart: {{ .Values.gatekeeper.git.path }}

--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -14,5 +14,35 @@ postInstall:
      - name: private-registry
 networkPolicies:
  enabled: {{ .Values.networkPolicies.enabled }}
-  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}        
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+violations:  # Try to keep this in alpha order to make it easier to find keys
+  {{- if .Values.monitoring.enabled }}
+  hostNetworking:
+    match:
+      excludedNamespaces:
+        - monitoring # Allow node exporter to export metrics. The exporters live in pod monitoring-monitoring-prometheus-node-exporter-XXXX
+  {{- end }}
+
+  {{- if .Values.logging.enabled }}
+  noPrivilegedContainers:
+    match:
+      excludedNamespaces:
+        - kube-system
+        - logging # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
+  {{- end }}
+
+  {{- if .Values.monitoring.enabled }}
+  restrictedTaint:
+    match:
+      excludedNamespaces:
+        - kube-system
+        - monitoring # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
+  {{- end }}
+
+  {{- if .Values.logging.enabled }}
+  selinuxPolicy:
+    match:
+      excludedNamespaces:
+        - logging # FluentBit needs selinux option type spc_t
+  {{- end }}
 {{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -234,10 +234,14 @@ gatekeeper:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
    path: "./chart"
-    tag: "3.4.0-bb.19"
+    tag: "3.5.1-bb.1"

  # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
-  flux: {}
+  flux:
+    install:
+      crds: CreateReplace
+    upgrade:
+      crds: CreateReplace

  # -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
  values: {}