From e33dddf3d26a297af8d3c275cba01cedcab4d62c Mon Sep 17 00:00:00 2001 
From: "branden.cobb" Date: Mon, 12 Apr 2021 18:45:05 +0000 Subject: [PATCH] Core Package Update --- .pre-commit-config.yaml | 4 - CHANGELOG.md | 8 + CODEOWNERS | 1 + LICENSE | 201 +++++ README.md | 6 +- chart/Chart.yaml | 4 +- chart/Kptfile | 6 +- chart/README.md | 46 +- ...ainttemplate-customresourcedefinition.yaml | 2 - chart/templates/bigbang/monitoring.yaml | 20 + .../gatekeeper-admin-podsecuritypolicy.yaml | 35 + .../gatekeeper-audit-deployment.yaml | 23 +- ...ekeeper-controller-manager-deployment.yaml | 19 +- .../gatekeeper-manager-role-clusterrole.yaml | 14 + .../gatekeeper-system-namespace.yaml | 2 +- ...ration-validatingwebhookconfiguration.yaml | 9 +- ...gatekeeper-webhook-server-cert-secret.yaml | 2 + chart/values.yaml | 58 +- deploy/Kptfile | 11 - deploy/configs/configs.yaml | 10 - deploy/configs/kustomization.yaml | 4 - .../core/all_ns_must_have_owner.yaml | 15 - deploy/constraints/core/kustomization.yaml | 25 - .../core/k8srequiredlabels_template.yaml | 27 - .../core/kustomization.yaml | 7 - deploy/kustomization.yaml | 10 - deploy/opa-gatekeeper/gatekeeper.yaml | 848 ------------------ deploy/opa-gatekeeper/kustomization.yaml | 4 - tests/test-values.yml | 5 +- 29 files changed, 391 insertions(+), 1035 deletions(-) delete mode 100644 .pre-commit-config.yaml create mode 100644 CHANGELOG.md create mode 100644 CODEOWNERS create mode 100644 LICENSE create mode 100644 chart/templates/bigbang/monitoring.yaml create mode 100644 chart/templates/gatekeeper-admin-podsecuritypolicy.yaml delete mode 100644 deploy/Kptfile delete mode 100644 deploy/configs/configs.yaml delete mode 100644 deploy/configs/kustomization.yaml delete mode 100644 deploy/constraints/core/all_ns_must_have_owner.yaml delete mode 100644 deploy/constraints/core/kustomization.yaml delete mode 100644 deploy/contraint-templates/core/k8srequiredlabels_template.yaml delete mode 100644 deploy/contraint-templates/core/kustomization.yaml delete mode 100644 deploy/kustomization.yaml delete mode 100644 
deploy/opa-gatekeeper/gatekeeper.yaml
delete mode 100644 deploy/opa-gatekeeper/kustomization.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
deleted file mode 100644
index 61529ed..0000000
--- a/.pre-commit-config.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-repos:
-- repo: https://repo1.dso.mil/platform-one/plugins/pre-commit-bootstraps.git
- rev: v0.2.0
- hooks: []
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..27d6587
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [3.3.0-bb.0] - 2021-04-09
+Added changelog
+
+update chart and image to v3.3.0
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..c7d24c7
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @toladipupo
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..2a6218e
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 Platform One + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index e685c05..465a2a9 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,4 @@ Policy enforcement with [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). -Default deployment (`deploy/`) is absent of `Constraints`. Instead, `ConstraintTemplates` and `Configs` are provided in addition to `OPA-Gatekeeper` that are known settings to work with the remaining [core](https://repo1.dso.mil/platform-one/big-bang/bootstraps/bigbang-bootstrap) P1 components. - -For enabling constraints, ensure that `deploy/contstraints/core` is deployed. - -For more details on usage , installation and application information follow this [link](./docs/README.md) \ No newline at end of file +For more details on usage , installation and application information follow this [link](./docs/README.md) 
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 543fac5..d8a43b3 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
 - open policy agent
-version: 3.1.2-bb.3
+version: 3.3.0-bb.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.1.2
+appVersion: v3.3.0
diff --git a/chart/Kptfile b/chart/Kptfile
index 7e213a1..29f330d 100644
--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -1,11 +1,11 @@
 apiVersion: kpt.dev/v1alpha1
 kind: Kptfile
 metadata:
- name: gatekeeper
+ name: chart
 upstream:
 type: git
 git:
- commit: bfcfa2d44c2f4e86fc0a9a6cea6c812a9d59cce1
+ commit: 201a78d6096e048719395263b87618ecb5235409
 repo: https://github.com/open-policy-agent/gatekeeper
 directory: /charts/gatekeeper
- ref: v3.1.2
+ ref: v3.3.0
diff --git a/chart/README.md b/chart/README.md
index 9d158d6..3d32e39 100644
--- a/chart/README.md
+++ b/chart/README.md
@@ -2,26 +2,32 @@ ## Parameters -| Parameter | Description | Default | -| :------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | -| auditInterval | The frequency with which audit is run | `60` | -| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | -| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | -| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | -| disableValidatingWebhook | Disable ValidatingWebhook | `false` | -| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | -| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | -| logLevel | Minimum log level | `INFO` | -| image.pullPolicy | The image pull policy | `IfNotPresent` | -| image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.1.2` | -| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| affinity | The node affinity to use for pod scheduling | `{}` | -| tolerations | The tolerations to use for pod scheduling | `[]` | -| replicas | The number of Gatekeeper replicas to deploy for the webhook | `1` | -| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | -| customResourceDefinitions.create | Whether the release should install CRDs. 
Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true` | +| Parameter | Description | Default | +| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| auditInterval | The frequency with which audit is run | `60` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the OPA cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| enableDeleteOperations | Enable validating webhook for delete operations | `false` | +| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.3.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| affinity | The node affinity to use for pod scheduling | `{}` | +| tolerations | The 
tolerations to use for pod scheduling | `[]` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `1` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| customResourceDefinitions.create | Whether the release should install CRDs. Regardless of this value, Helm v3+ will install the CRDs if those are not present already. Use --skip-crds with helm install if you want to skip CRD creation | `true` | ## Contributing Changes diff --git a/chart/crds/constrainttemplate-customresourcedefinition.yaml b/chart/crds/constrainttemplate-customresourcedefinition.yaml index 91dcd7a..37a6523 100644 --- a/chart/crds/constrainttemplate-customresourcedefinition.yaml +++ b/chart/crds/constrainttemplate-customresourcedefinition.yaml @@ -13,8 +13,6 @@ spec: names: kind: ConstraintTemplate plural: constrainttemplates - shortNames: - - constraints scope: Cluster subresources: status: {} diff --git a/chart/templates/bigbang/monitoring.yaml b/chart/templates/bigbang/monitoring.yaml new file mode 100644 index 0000000..4b3c2e2 --- /dev/null +++ b/chart/templates/bigbang/monitoring.yaml @@ -0,0 +1,20 @@ +{{- if .Values.monitoring.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: gatekeeper + namespace: {{ .Release.Namespace }} + labels: + monitoring: gatekeeper + release: gatekeeper-system-gatekeeper +spec: + selector: + matchLabels: + app: gatekeeper + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + podMetricsEndpoints: + - port: metrics + interval: 10s +{{- end }} 
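Review bot: Dropping the `constraints` shortName from the ConstraintTemplate CRD changes what `kubectl get constraints` resolves to for anyone who relied on it, and the CHANGELOG added in this commit records only "update chart and image to v3.3.0". A line in the 3.3.0-bb.0 entry such as `Removed the ConstraintTemplate shortName "constraints" (upstream v3.3.0); use constrainttemplates` would make the user-visible change discoverable. The rest of the CRD `spec.names` block is untouched by the hunk.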
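Review bot: The PodMonitor hard-codes `release: gatekeeper-system-gatekeeper` and selects pods on `app: gatekeeper`, while every other template in this chart derives those labels from `'{{ .Release.Name }}'` and `'{{ template "gatekeeper.name" . }}'`, so installing the chart under a different release name leaves the two sides disagreeing. Unless the literal value is required to match an external Prometheus `podMonitorSelector` (not visible in this diff), `release: '{{ .Release.Name }}'` and `app: '{{ template "gatekeeper.name" . }}'` keep the new template consistent with the rest. The scrape target `port: metrics` presumes a container port named `metrics` on the gatekeeper pods; the deployment hunks in this commit do not show their `ports` blocks, so that is worth confirming before enabling `monitoring.enabled`.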
diff --git a/chart/templates/gatekeeper-admin-podsecuritypolicy.yaml b/chart/templates/gatekeeper-admin-podsecuritypolicy.yaml new file mode 100644 index 0000000..78f36ec --- /dev/null +++ b/chart/templates/gatekeeper-admin-podsecuritypolicy.yaml @@ -0,0 +1,35 @@ +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - projected + - secret + - downwardAPI diff --git a/chart/templates/gatekeeper-audit-deployment.yaml b/chart/templates/gatekeeper-audit-deployment.yaml index 7798263..9f2c55b 100644 --- a/chart/templates/gatekeeper-audit-deployment.yaml +++ b/chart/templates/gatekeeper-audit-deployment.yaml @@ -4,7 +4,7 @@ metadata: labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' - control-plane: controller-manager + control-plane: audit-controller gatekeeper.sh/operation: audit gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' @@ -35,6 +35,7 @@ spec: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' spec: + automountServiceAccountToken: true containers: - args: - --audit-interval={{ .Values.auditInterval }} 
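Review bot: `seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'` lets any pod admitted under this PodSecurityPolicy request any seccomp profile, including `unconfined`, even though the chart pins `runtime/default` through `podAnnotations` in values.yaml. Since the ClusterRole change in this commit names this PSP specifically, it can be as strict as the pods it serves: `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'` plus `seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'` under `annotations`, and `readOnlyRootFilesystem: true` in `spec` to mirror the container securityContext this commit adds to both deployments. The omitted `privileged` and host-namespace fields fall back to the PSP default of false, so the policy is otherwise sound.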
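Review bot: `automountServiceAccountToken: true` at pod level is the Kubernetes default, so as written it changes nothing at runtime; its only effect is to override a ServiceAccount that has been set to `automountServiceAccountToken: false`, which hardening baselines commonly apply to every account in a namespace. Both gatekeeper pods are bound to the `gatekeeper-admin` ClusterRole and evidently need the token, so pinning it explicitly is reasonable, but a comment should record why: `# explicit: the pod needs its API token even if the gatekeeper-admin SA is set to false`. The same line is added in the controller-manager deployment hunk (`@@ -47,6 +47,7 @@`) and the comment applies there too.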
@@ -77,24 +78,26 @@ spec: path: /readyz port: 9090 resources: -{{ toYaml .Values.resources | indent 10 }} +{{ toYaml .Values.audit.resources | indent 10 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - all + readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true runAsUser: 1000 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8}} - {{- end }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + nodeSelector: +{{ toYaml .Values.audit.nodeSelector | indent 8 }} affinity: -{{ toYaml .Values.affinity | indent 8 }} +{{ toYaml .Values.audit.affinity | indent 8 }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} +{{ toYaml .Values.audit.tolerations | indent 8 }} + imagePullSecrets: +{{ toYaml .Values.image.pullSecrets | indent 8 }} +{{- if .Values.audit.priorityClassName }} + priorityClassName: {{ .Values.audit.priorityClassName }} +{{- end }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 diff --git a/chart/templates/gatekeeper-controller-manager-deployment.yaml b/chart/templates/gatekeeper-controller-manager-deployment.yaml index 1e06f79..55aa261 100644 --- a/chart/templates/gatekeeper-controller-manager-deployment.yaml +++ b/chart/templates/gatekeeper-controller-manager-deployment.yaml @@ -47,6 +47,7 @@ spec: - webhook topologyKey: kubernetes.io/hostname weight: 100 + automountServiceAccountToken: true containers: - args: - --port=8443 @@ -89,12 +90,13 @@ spec: path: /readyz port: 9090 resources: -{{ toYaml .Values.resources | indent 10 }} +{{ toYaml .Values.controllerManager.resources | indent 10 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - all + readOnlyRootFilesystem: true runAsGroup: 999 runAsNonRoot: true runAsUser: 1000 
@@ -102,16 +104,17 @@ spec: - mountPath: /certs name: cert readOnly: true - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} affinity: -{{ toYaml .Values.affinity | indent 8 }} +{{ toYaml .Values.controllerManager.affinity | indent 8 }} tolerations: -{{ toYaml .Values.tolerations | indent 8 }} +{{ toYaml .Values.controllerManager.tolerations | indent 8 }} + imagePullSecrets: +{{ toYaml .Values.image.pullSecrets | indent 8 }} +{{- if .Values.controllerManager.priorityClassName }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} +{{- end }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 volumes: diff --git a/chart/templates/gatekeeper-manager-role-clusterrole.yaml b/chart/templates/gatekeeper-manager-role-clusterrole.yaml index b03f23f..05577fb 100644 --- a/chart/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/chart/templates/gatekeeper-manager-role-clusterrole.yaml @@ -62,8 +62,22 @@ rules: - patch - update - watch +- apiGroups: + - mutations.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - policy + resourceNames: + - gatekeeper-admin resources: - podsecuritypolicies verbs: diff --git a/chart/templates/gatekeeper-system-namespace.yaml b/chart/templates/gatekeeper-system-namespace.yaml index 52a2b6e..3292d84 100644 --- a/chart/templates/gatekeeper-system-namespace.yaml +++ b/chart/templates/gatekeeper-system-namespace.yaml @@ -11,4 +11,4 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-system -{{- end }} \ No newline at end of file +{{- end }} 
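Review bot: The `resourceNames: [gatekeeper-admin]` added to the `policy` / `podsecuritypolicies` rule narrows only verbs that address a single named object; the rule's `verbs:` list begins after the last line of this hunk, so if it contains `list`, `watch`, `create` or `deletecollection`, RBAC ignores the name restriction for those verbs and the rule is no tighter than before. If the verb is `use` alone the change is an effective least-privilege tightening, and a comment on the rule, `# use restricted to the PSP shipped with this chart`, records the intent. The new `mutations.gatekeeper.sh` rule grants every verb on `'*'` resources in that group, presumably so the manager can reconcile its mutation CRs; because `*` also covers any resource a later upstream release adds to the group, listing the resources explicitly would be the more conservative form if that list is known.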
diff --git a/chart/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/chart/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index dcfb0ab..048e23f 100644 --- a/chart/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/chart/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -28,13 +28,16 @@ webhooks: - '*' apiVersions: - '*' - operations: + operations: - CREATE - UPDATE + {{- if .Values.enableDeleteOperations }} + - DELETE + {{- end}} resources: - '*' sideEffects: None - timeoutSeconds: 3 + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} - clientConfig: caBundle: Cg== service: @@ -54,5 +57,5 @@ webhooks: resources: - namespaces sideEffects: None - timeoutSeconds: 3 + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} {{- end }} diff --git a/chart/templates/gatekeeper-webhook-server-cert-secret.yaml b/chart/templates/gatekeeper-webhook-server-cert-secret.yaml index 75107f7..7598acd 100644 --- a/chart/templates/gatekeeper-webhook-server-cert-secret.yaml +++ b/chart/templates/gatekeeper-webhook-server-cert-secret.yaml @@ -1,6 +1,8 @@ apiVersion: v1 kind: Secret metadata: + annotations: +{{- toYaml .Values.secretAnnotations | trim | nindent 4 }} labels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/chart/values.yaml b/chart/values.yaml index 62f5cbb..891ac3d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
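Review bot: Admission requests for DELETE carry the resource in `oldObject` with `object` set to null, so once `enableDeleteOperations` is turned on, any constraint template whose Rego reads only `input.review.object` sees a null object and will either deny or allow every deletion depending on how its rule is written; a comment beside the new `- DELETE` branch should state this, e.g. `# DELETE reviews populate oldObject only; templates must handle a null object`. `timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}` is rendered without validation and the API server rejects values outside 1-30, so a `values.schema.json` range or a `{{ fail }}` guard in the template would turn a bad value into a chart error rather than a failed apply; the same substitution appears in the second hunk of this file (`@@ -54,5 +57,5 @@`). Minor style: `{{- end}}` lacks the space that every other `{{- end }}` in the chart uses.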
@@ -2,30 +2,60 @@ replicas: 3 auditInterval: 60 constraintViolationsLimit: 20 auditFromCache: false +createNamespace: true disableValidatingWebhook: false +validatingWebhookTimeoutSeconds: 3 +enableDeleteOperations: false auditChunkSize: 0 logLevel: INFO emitAdmissionEvents: false emitAuditEvents: false image: repository: registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper - release: v3.1.2 + release: v3.3.0 pullPolicy: IfNotPresent -nodeSelector: { kubernetes.io/os: linux } -affinity: {} -tolerations: [] + pullSecrets: [] podAnnotations: { container.seccomp.security.alpha.kubernetes.io/manager: runtime/default } -resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi +secretAnnotations: {} +controllerManager: + priorityClassName: system-cluster-critical + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gatekeeper.sh/operation + operator: In + values: + - webhook + topologyKey: kubernetes.io/hostname + weight: 100 + tolerations: [] + nodeSelector: { kubernetes.io/os: linux } + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi +audit: + priorityClassName: system-cluster-critical + affinity: {} + tolerations: [] + nodeSelector: { kubernetes.io/os: linux } + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi customResourceDefinitions: create: true -# Additions from upstream -createNamespace: true -imagePullSecrets: [ ] \ No newline at end of file +#Bigbang Additions +monitoring: + enabled: false diff --git a/deploy/Kptfile b/deploy/Kptfile deleted file mode 100644 index e609626..0000000 --- a/deploy/Kptfile +++ /dev/null 
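Review bot: Moving `resources`, `nodeSelector`, `affinity` and `tolerations` under `controllerManager:` / `audit:` and replacing `imagePullSecrets` with `image.pullSecrets` means an existing user values file that sets the old top-level keys is now ignored without warning: the deployment templates in this commit read only the new paths, so a consumer who had lowered resource limits or set a pull secret for a private registry silently gets the chart defaults (or, for the pull secret, an image pull failure). The chart/README.md table updated in this same commit still documents `resources`, `nodeSelector`, `affinity` and `tolerations` as top-level keys, so the README and values.yaml now disagree; the rows should name the `controllerManager.*` / `audit.*` paths and gain entries for `createNamespace` and `monitoring.enabled`, and the CHANGELOG entry for 3.3.0-bb.0 should call the renames out as breaking. Style: `#Bigbang Additions` needs a space after `#` (`# Bigbang Additions`).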
@@ -1,11 +0,0 @@ -apiVersion: kpt.dev/v1alpha1 -kind: Kptfile -metadata: - name: deploy -upstream: - type: git - git: - commit: eefa3ff9a3b8527d6b107e802226fd8776f6bd3b - repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy - directory: /deploy - ref: bb-566-codeowners diff --git a/deploy/configs/configs.yaml b/deploy/configs/configs.yaml deleted file mode 100644 index d432739..0000000 --- a/deploy/configs/configs.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: config.gatekeeper.sh/v1alpha1 -kind: Config -metadata: - name: config - namespace: gatekeeper-system -spec: - match: - - excludedNamespaces: ["kube-system", "gatekeeper-system", "istio-system", "logging", - "monitoring", "elastic-system"] - processes: ["*"] diff --git a/deploy/configs/kustomization.yaml b/deploy/configs/kustomization.yaml deleted file mode 100644 index ea2764a..0000000 --- a/deploy/configs/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -commonAnnotations: - argocd.argoproj.io/sync-wave: "1" -resources: -- configs.yaml diff --git a/deploy/constraints/core/all_ns_must_have_owner.yaml b/deploy/constraints/core/all_ns_must_have_owner.yaml deleted file mode 100644 index fe4a88e..0000000 --- a/deploy/constraints/core/all_ns_must_have_owner.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: constraints.gatekeeper.sh/v1beta1 -kind: K8sRequiredLabels -metadata: - name: all-must-have-owner -spec: - enforcementAction: dryrun - match: - kinds: - - apiGroups: [""] - kinds: ["Namespace"] - parameters: - message: "All namespaces must have an `owner` label" - labels: - - key: owner - allowedRegex: "^[a-zA-Z]+$" diff --git a/deploy/constraints/core/kustomization.yaml b/deploy/constraints/core/kustomization.yaml deleted file mode 100644 index 6c75b40..0000000 --- a/deploy/constraints/core/kustomization.yaml +++ /dev/null 
@@ -1,25 +0,0 @@
-commonLabels:
- owner: p1
- policy-type: core
-commonAnnotations:
- argocd.argoproj.io/sync-wave: "2"
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-resources:
-- all_ns_must_have_owner.yaml
-patches:
-- target:
- group: constraints.gatekeeper.sh
- version: v1beta1
- patch: |-
- apiVersion: constraints.gatekeeper.sh/v1beta1
- kind: K8sRequiredLabels
- metadata:
- name: all
- spec:
- parameters:
- exemptNamespaces:
- - istio-system
- - monitoring
- - elastic-system
- - logging
- - gatekeeper-system
diff --git a/deploy/contraint-templates/core/k8srequiredlabels_template.yaml b/deploy/contraint-templates/core/k8srequiredlabels_template.yaml
deleted file mode 100644
index 24e48be..0000000
--- a/deploy/contraint-templates/core/k8srequiredlabels_template.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1beta1
-kind: ConstraintTemplate
-metadata:
- name: k8srequiredlabels
-spec:
- crd:
- spec:
- names:
- kind: K8sRequiredLabels
- validation:
- # Schema for the `parameters` field
- openAPIV3Schema:
- properties:
- labels:
- type: array
- items: string
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |-
- package k8srequiredlabels
- violation[{"msg": msg, "details": {"missing_labels": missing}}] {
- provided := {label | input.review.object.metadata.labels[label]}
- required := {label | label := input.parameters.labels[_]}
- missing := required - provided
- count(missing) > 0
- msg := sprintf("you must provide labels: %v", [missing])
- }
diff --git a/deploy/contraint-templates/core/kustomization.yaml b/deploy/contraint-templates/core/kustomization.yaml
deleted file mode 100644
index 6b23c09..0000000
--- a/deploy/contraint-templates/core/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-commonLabels:
- owner: p1
- policy-type: core
-commonAnnotations:
- argocd.argoproj.io/sync-wave: "1"
-resources:
-- k8srequiredlabels_template.yaml
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
deleted file mode 100644
index 8d2eff8..0000000
--- a/deploy/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-namespace: gatekeeper-system
-resources:
-- opa-gatekeeper
-# Global configs for gatekeeper
-- configs
-# Core constraint templates
-- contraint-templates/core
-
-# Core constraints
-# - constraints/core
diff --git a/deploy/opa-gatekeeper/gatekeeper.yaml b/deploy/opa-gatekeeper/gatekeeper.yaml
deleted file mode 100644
index b9e5dea..0000000
--- a/deploy/opa-gatekeeper/gatekeeper.yaml
+++ /dev/null
@@ -1,848 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - admission.gatekeeper.sh/ignore: no-self-managing - control-plane: controller-manager - gatekeeper.sh/system: "yes" - name: gatekeeper-system ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.3.0 - labels: - gatekeeper.sh/system: "yes" - name: configs.config.gatekeeper.sh -spec: - group: config.gatekeeper.sh - names: - kind: Config - listKind: ConfigList - plural: configs - singular: config - scope: Namespaced - validation: - openAPIV3Schema: - description: Config is the Schema for the configs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConfigSpec defines the desired state of Config - properties: - match: - description: Configuration for namespace exclusion - items: - properties: - excludedNamespaces: - items: - type: string - type: array - processes: - items: - type: string - type: array - type: object - type: array - readiness: - description: Configuration for readiness tracker - properties: - statsEnabled: - type: boolean - type: object - sync: - description: Configuration for syncing k8s objects - properties: - syncOnly: - description: If non-empty, only entries on this list will be replicated - into OPA - items: - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - type: array - type: object - validation: - description: Configuration for validation - properties: - traces: - description: List of requests to trace. Both "user" and "kinds" - must be specified - items: - properties: - dump: - description: Also dump the state of OPA with the trace. Set - to `All` to dump everything. 
- type: string - kind: - description: Only trace requests of the following GroupVersionKind - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - user: - description: Only trace requests from the specified user - type: string - type: object - type: array - type: object - type: object - status: - description: ConfigStatus defines the observed state of Config - type: object - type: object - version: v1alpha1 - versions: - - name: v1alpha1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.3.0 - labels: - gatekeeper.sh/system: "yes" - name: constraintpodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: ConstraintPodStatus - listKind: ConstraintPodStatusList - plural: constraintpodstatuses - singular: constraintpodstatus - scope: Namespaced - validation: - openAPIV3Schema: - description: ConstraintPodStatus is the Schema for the constraintpodstatuses - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus - properties: - constraintUID: - description: Storing the constraint UID allows us to detect drift, such - as when a constraint has been recreated after its CRD was deleted - out from under it, interrupting the watch - type: string - enforced: - type: boolean - errors: - items: - description: Error represents a single error caught while adding a - constraint to OPA - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.3.0 - labels: - gatekeeper.sh/system: "yes" - name: constrainttemplatepodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: ConstraintTemplatePodStatus - listKind: ConstraintTemplatePodStatusList - plural: constrainttemplatepodstatuses - singular: constrainttemplatepodstatus - scope: Namespaced - validation: - openAPIV3Schema: - description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: ConstraintTemplatePodStatusStatus defines the observed state - of ConstraintTemplatePodStatus - properties: - errors: - items: - description: CreateCRDError represents a single error caught during - parsing, compiling, etc. - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: 'Important: Run "make" to regenerate code after modifying - this file' - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because - we don't ONLY use UUIDs, this is an alias to string. Being a type - captures intent and helps make sure that UIDs and names do not get - conflated. 
- type: string - type: object - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - controller-tools.k8s.io: "1.0" - gatekeeper.sh/system: "yes" - name: constrainttemplates.templates.gatekeeper.sh -spec: - group: templates.gatekeeper.sh - names: - kind: ConstraintTemplate - plural: constrainttemplates - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - type: object - type: object - type: object - targets: - items: - properties: - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - properties: - byPod: - items: - properties: - errors: - items: - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - type: array - created: - type: boolean - type: object - version: v1beta1 - versions: - - name: v1beta1 - served: true - storage: true - - name: v1alpha1 - served: true - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-admin - namespace: gatekeeper-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-role - namespace: gatekeeper-system -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-role -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -- 
apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - config.gatekeeper.sh - resources: - - configs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - config.gatekeeper.sh - resources: - - configs/status - verbs: - - get - - patch - - update -- apiGroups: - - constraints.gatekeeper.sh - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - policy - resources: - - podsecuritypolicies - verbs: - - use -- apiGroups: - - status.gatekeeper.sh - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - templates.gatekeeper.sh - resources: - - constrainttemplates - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - templates.gatekeeper.sh - resources: - - constrainttemplates/finalizers - verbs: - - delete - - get - - patch - - update -- apiGroups: - - templates.gatekeeper.sh - resources: - - constrainttemplates/status - verbs: - - get - - patch - - update -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - gatekeeper-validating-webhook-configuration - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-rolebinding - namespace: gatekeeper-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: gatekeeper-manager-role -subjects: -- kind: ServiceAccount - name: gatekeeper-admin - namespace: gatekeeper-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-rolebinding -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: ClusterRole - name: gatekeeper-manager-role -subjects: -- kind: ServiceAccount - name: gatekeeper-admin - namespace: gatekeeper-system ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-webhook-server-cert - namespace: gatekeeper-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-webhook-service - namespace: gatekeeper-system -spec: - ports: - - port: 443 - targetPort: 8443 - selector: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - name: gatekeeper-audit - namespace: gatekeeper-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - template: - metadata: - annotations: - container.seccomp.security.alpha.kubernetes.io/manager: runtime/default - labels: - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - spec: - containers: - - args: - - --operation=audit - - --operation=status - - --logtostderr - command: - - /manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: openpolicyagent/gatekeeper:v3.1.1 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 9090 - name: manager - ports: - - containerPort: 8888 - name: metrics - protocol: TCP - - containerPort: 9090 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 9090 - resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - all - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: gatekeeper-admin - terminationGracePeriodSeconds: 60 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - name: gatekeeper-controller-manager - namespace: gatekeeper-system -spec: - replicas: 3 - selector: - matchLabels: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - template: - metadata: - annotations: - container.seccomp.security.alpha.kubernetes.io/manager: runtime/default - labels: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: gatekeeper.sh/operation - operator: In - values: - - webhook - topologyKey: kubernetes.io/hostname - weight: 100 - containers: - - args: - - --port=8443 - - --logtostderr - - --exempt-namespace=gatekeeper-system - - --operation=webhook - command: - - /manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: openpolicyagent/gatekeeper:v3.1.1 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 9090 - name: manager - ports: - - containerPort: 8443 - name: webhook-server - protocol: TCP - - containerPort: 8888 - name: metrics - protocol: TCP - - containerPort: 9090 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 9090 - resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - runAsGroup: 999 - 
runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: gatekeeper-admin - terminationGracePeriodSeconds: 60 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: gatekeeper-webhook-server-cert ---- -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-validating-webhook-configuration -webhooks: -- clientConfig: - caBundle: Cg== - service: - name: gatekeeper-webhook-service - namespace: gatekeeper-system - path: /v1/admit - failurePolicy: Ignore - name: validation.gatekeeper.sh - namespaceSelector: - matchExpressions: - - key: admission.gatekeeper.sh/ignore - operator: DoesNotExist - rules: - - apiGroups: - - '*' - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - '*' - sideEffects: None - timeoutSeconds: 5 -- clientConfig: - caBundle: Cg== - service: - name: gatekeeper-webhook-service - namespace: gatekeeper-system - path: /v1/admitlabel - failurePolicy: Fail - name: check-ignore-label.gatekeeper.sh - rules: - - apiGroups: - - "" - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - namespaces - sideEffects: None - timeoutSeconds: 5 diff --git a/deploy/opa-gatekeeper/kustomization.yaml b/deploy/opa-gatekeeper/kustomization.yaml deleted file mode 100644 index d92356b..0000000 --- a/deploy/opa-gatekeeper/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -commonLabels: - owner: p1 -resources: -- gatekeeper.yaml diff --git a/tests/test-values.yml b/tests/test-values.yml index fe8eeaf..4e705b9 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,3 +1,4 @@ createNamespace: false -imagePullSecrets: -- name: private-registry-mil +image: + pullSecrets: + - name: private-registry-mil -- GitLab