From a10c3febaab001ecce210f04a6296190da53701c Mon Sep 17 00:00:00 2001
From: michaelmcleroy <michaelmcleroy@cloudfitsoftware.com>
Date: Mon, 26 Jul 2021 21:15:11 +0000
Subject: [PATCH] feat(gatekeeper): upgrade to 3.5.1

---
 .../gatekeeper/gatekeeper-helmrelease.yaml    |  1 +
 chart/templates/gatekeeper/values.yaml        | 32 ++++++++++++++++++-
 chart/values.yaml                             |  8 +++--
 3 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml b/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
index 4e54a08c1d..82185afa35 100644
--- a/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
+++ b/chart/templates/gatekeeper/gatekeeper-helmrelease.yaml
@@ -11,6 +11,7 @@ metadata:
     {{- include "commonLabels" . | nindent 4}}
 spec:
   targetNamespace: gatekeeper-system
+
   chart:
     spec:
       chart: {{ .Values.gatekeeper.git.path }}
diff --git a/chart/templates/gatekeeper/values.yaml b/chart/templates/gatekeeper/values.yaml
index 693669ace6..f82d2ea12a 100644
--- a/chart/templates/gatekeeper/values.yaml
+++ b/chart/templates/gatekeeper/values.yaml
@@ -14,5 +14,35 @@ postInstall:
       - name: private-registry
 networkPolicies:
   enabled: {{ .Values.networkPolicies.enabled }}
-  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}        
+  controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+violations:  # Try to keep this in alpha order to make it easier to find keys
+  {{- if .Values.monitoring.enabled }}
+  hostNetworking:
+    match:
+      excludedNamespaces:
+        - monitoring # Allow node exporter to export metrics. The exporters live in pod monitoring-monitoring-prometheus-node-exporter-XXXX
+  {{- end }}
+
+  {{- if .Values.logging.enabled }}
+  noPrivilegedContainers:
+    match:
+      excludedNamespaces:
+        - kube-system
+        - logging # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
+  {{- end }}
+
+  {{- if .Values.monitoring.enabled }}
+  restrictedTaint:
+    match:
+      excludedNamespaces:
+        - kube-system
+        - monitoring # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
+  {{- end }}
+
+  {{- if .Values.logging.enabled }}
+  selinuxPolicy:
+    match:
+      excludedNamespaces:
+        - logging # FluentBit needs selinux option type spc_t
+  {{- end }}
 {{- end -}}
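Review bot: The `kube-system` entry under `noPrivilegedContainers` is only rendered when `.Values.logging.enabled` is true, and the one under `restrictedTaint` only when `.Values.monitoring.enabled` is, so a cluster with logging or monitoring turned off enforces those two constraints against kube-system even though the inline comments justify only the `logging` and `monitoring` namespaces. If that coupling is deliberate it needs a comment; otherwise the `- kube-system` items belong outside the `{{- if }}` guards, e.g. `noPrivilegedContainers:` / `match:` / `excludedNamespaces:` / `- kube-system` rendered unconditionally with the logging item appended inside its guard. When neither feature is enabled, `violations:` renders with no children and parses as null rather than an empty map, which the gatekeeper chart may or may not tolerate — worth confirming, or emitting `violations: {}` in that case. Each entry exempts the entire namespace, not just the exporter or Fluentbit pod, so the comments should say so to keep the scope of the exemption obvious to reviewers. The `{{- end -}}` on the last line closes a conditional that starts outside this hunk.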
diff --git a/chart/values.yaml b/chart/values.yaml
index b0d1564a46..d4efde77c5 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -234,10 +234,14 @@ gatekeeper:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
     path: "./chart"
-    tag: "3.4.0-bb.19"
+    tag: "3.5.1-bb.1"
 
   # -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
-  flux: {}
+  flux:
+    install:
+      crds: CreateReplace
+    upgrade:
+      crds: CreateReplace
 
   # -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
   values: {}
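Review bot: The new `flux.install.crds` / `flux.upgrade.crds: CreateReplace` block carries no why-comment, while the neighbouring keys in this file use `# --` helm-docs descriptions. A note such as `# CreateReplace lets Flux replace the Gatekeeper CRDs on install/upgrade — presumably needed for the 3.5.1 chart's CRD changes; confirm and revert to {} once no longer required` would tell the next maintainer why the override moved from `{}` and when it can go back. Because replacing CRDs on upgrade affects every Gatekeeper constraint object in the cluster, recording the reason also makes the change easier to audit later.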
-- 
GitLab