UNCLASSIFIED - NO CUI

Commits on Source (5)
......@@ -3,6 +3,11 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
---
## [1.13.1]
* [!722](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/722): Bumping Gatekeeper tag, reducing pod footprint, cleaning up constraints
* [!730](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/730): Bumping Gatekeeper tag, properly excluding all of "kube-system" namespace from gatekeeper via upstream recommendation, removing "kube-system" exclusions from package values.
## [1.13.0]
[!1.13.0 Merge Requests](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests?scope=all&utf8=%E2%9C%93&state=merged&milestone_title=1.13.0); List of Merge Requests in this Release
......
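Review bot: the new [1.13.1] section lists only the two Gatekeeper merge requests, but the README defaults in this same comparison also move `monitoring.git.tag` from 14.0.0-bb.1 to 14.0.0-bb.3 and `addons.minio.git.tag` from 2.0.9-bb.12 to 2.0.9-bb.13. Add a changelog entry for each of those bumps so operators can tell from the changelog which packages change in the patch release. !722 and !730 also both open with "Bumping Gatekeeper tag"; naming the resulting tag (3.5.1-bb.8) in the later entry would make it clear which bump is the final one.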
# bigbang
![Version: 1.13.0](https://img.shields.io/badge/Version-1.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 1.13.1](https://img.shields.io/badge/Version-1.13.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
......@@ -112,7 +112,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| gatekeeper.enabled | bool | `true` | Toggle deployment of OPA Gatekeeper. |
| gatekeeper.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git"` | |
| gatekeeper.git.path | string | `"./chart"` | |
| gatekeeper.git.tag | string | `"3.5.1-bb.4"` | |
| gatekeeper.git.tag | string | `"3.5.1-bb.8"` | |
| gatekeeper.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the OPA Gatekeeper Package |
| gatekeeper.values | object | `{}` | Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git |
| gatekeeper.postRenderers | list | `[]` | Post Renderers. See docs/postrenders.md |
......@@ -145,7 +145,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| monitoring.enabled | bool | `true` | Toggle deployment of Monitoring (Prometheus, Grafana, and Alertmanager). |
| monitoring.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/core/monitoring.git"` | |
| monitoring.git.path | string | `"./chart"` | |
| monitoring.git.tag | string | `"14.0.0-bb.1"` | |
| monitoring.git.tag | string | `"14.0.0-bb.3"` | |
| monitoring.flux | object | `{"install":{"crds":"CreateReplace"},"upgrade":{"crds":"CreateReplace"}}` | Flux reconciliation overrides specifically for the Monitoring Package |
| monitoring.ingress.gateway | string | `""` | |
| monitoring.sso.enabled | bool | `false` | Toggle SSO for monitoring components on and off |
......@@ -199,7 +199,7 @@ To start using Big Bang, you will need to create your own Big Bang environment t
| addons.minio.enabled | bool | `false` | Toggle deployment of minio. |
| addons.minio.git.repo | string | `"https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio.git"` | |
| addons.minio.git.path | string | `"./chart"` | |
| addons.minio.git.tag | string | `"2.0.9-bb.12"` | |
| addons.minio.git.tag | string | `"2.0.9-bb.13"` | |
| addons.minio.flux | object | `{}` | Flux reconciliation overrides specifically for the Minio Package |
| addons.minio.ingress.gateway | string | `""` | |
| addons.minio.accesskey | string | `""` | Default access key to use for minio. |
......
......@@ -11,4 +11,4 @@ spec:
interval: 10m
url: https://repo1.dso.mil/platform-one/big-bang/bigbang.git
ref:
tag: 1.13.0
tag: 1.13.1
apiVersion: v2
name: bigbang
version: 1.13.0
version: 1.13.1
description: Big Bang is a declarative, continuous delivery tool for core DoD hardened and approved packages into a Kubernetes cluster.
type: application
......
......@@ -12,23 +12,25 @@ postInstall:
image:
pullSecrets:
- name: private-registry
networkPolicies:
enabled: {{ .Values.networkPolicies.enabled }}
controlPlaneCidr: {{ .Values.networkPolicies.controlPlaneCidr }}
violations: # Try to keep this in alpha order to make it easier to find keys
{{- if or .Values.istio.enabled .Values.addons.mattermost.enabled }}
allowedDockerRegistries:
{{- if .Values.istio.enabled }}
match:
excludedNamespaces:
{{- if .Values.istio.enabled }}
excludedNamespaces:
- istio-system # allows creation for loadbalancer pods for various ports and various vendor loadbalancers
{{- end }}
- kube-system # ignored as the kubernetes distro cannot be controlled
{{- end }}
{{- if .Values.addons.mattermost.enabled }}
parameters:
exemptContainers:
- init-check-database # mattermost needs postgres:13 image and cannot override the upstream
{{- end }}
{{- end }}
{{- if .Values.monitoring.enabled }}
hostNetworking:
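Review bot: in `allowedDockerRegistries`, once `- kube-system` is removed the only remaining entry under `match.excludedNamespaces` is `- istio-system`, which is wrapped in `{{- if .Values.istio.enabled }}`. Confirm that `match:` and `excludedNamespaces:` sit inside that same conditional, so that with Istio disabled and Mattermost enabled the template does not emit an `excludedNamespaces:` key with no items, which YAML parses as null rather than an empty list. Rendering the template with that flag combination and attaching the output to the merge request would settle it.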
......@@ -40,7 +42,7 @@ violations: # Try to keep this in alpha order to make it easier to find keys
{{- if .Values.addons.mattermost.enabled }}
httpsOnly:
match:
excludedNamespaces:
excludedNamespaces:
# mattermost currently does not useIngressTLS hence Ingress is created without TLS field by the operator.
# Adding exemption, pending https://github.com/mattermost/mattermost-operator/issues/235
- mattermost
......@@ -50,7 +52,6 @@ violations: # Try to keep this in alpha order to make it easier to find keys
noPrivilegedContainers:
match:
excludedNamespaces:
- kube-system
- logging # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
{{- end }}
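Review bot: dropping `- kube-system` from `noPrivilegedContainers` (and from `restrictedTaint`, `allowedDockerRegistries` and `volumeTypes` elsewhere in this diff) is only safe when the Gatekeeper package itself exempts the namespace, which the changelog attributes to the bump to 3.5.1-bb.8. Nothing in this template ties the two together, so an environment that overrides `gatekeeper.git.tag` to an earlier tag would start enforcing these constraints on kube-system; a short note next to `gatekeeper.git.tag` in the values documentation would make that dependency visible. Note too that a whole-namespace exemption is wider than the four per-constraint exclusions removed here: every constraint stops applying to kube-system, so write access to that namespace should be reviewed alongside this change.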
......@@ -58,7 +59,6 @@ violations: # Try to keep this in alpha order to make it easier to find keys
restrictedTaint:
match:
excludedNamespaces:
- kube-system
- monitoring # Prometheus Node Exporter needs to be able to run on all nodes, regardless of taint, to gather node metrics
{{- end }}
......@@ -69,16 +69,17 @@ violations: # Try to keep this in alpha order to make it easier to find keys
- logging # FluentBit needs selinux option type spc_t
{{- end }}
{{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}
volumeTypes:
match:
excludedNamespaces:
excludedNamespaces:
{{- if .Values.fluentbit.enabled }}
# fluent-bit container requires certain host level access to ship logs and for keep track of state
# https://docs.fluentbit.io/manual/pipeline/filters/kubernetes#workflow-of-tail-kubernetes-filter
- logging
{{- end }}
{{- if .Values.twistlock.enabled }}
# Twistlock requires /dev/log for its syslog daemon.
# Twistlock requires /dev/log for its syslog daemon.
# https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/audit/logging.html#
- twistlock
{{- end }}
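Review bot: the outer guard `{{- if or .Values.fluentbit.enabled (or .Values.twistlock.enabled .Values.monitoring.enabled) }}` on `volumeTypes` has to list exactly the flags used by the inner conditionals that add `logging`, `twistlock` and `monitoring`. That holds today, but a future exemption added under a new flag will be silently dropped unless the outer `or` is updated as well. Add a template comment above the guard stating that it must stay in sync with the inner `if` blocks. The `kube-system` line removed at the end of this block also carried the only explanation of why that namespace needed the exemption (the local-path-provisioner helper pod); keep that rationale somewhere, for example in the changelog entry for !730.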
......@@ -87,5 +88,5 @@ violations: # Try to keep this in alpha order to make it easier to find keys
# https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus-node-exporter/templates/daemonset.yaml#L150
- monitoring
{{- end }}
- kube-system #local-path_local-path-provisioner helper-pod-create-pvc
{{- end }}
{{- end -}}
......@@ -281,7 +281,7 @@ gatekeeper:
git:
repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy.git
path: "./chart"
tag: "3.5.1-bb.4"
tag: "3.5.1-bb.8"
# -- Flux reconciliation overrides specifically for the OPA Gatekeeper Package
flux:
......