feat: add PDB fields in the policy server spec.
Adds two new fields in the PolicyServerSpec: minAvailable and
maxUnavailable. These fields are used to create a PodDisruptionBudget
for the policy server pods. Both fields cannot be set together because
Kubernetes does not allow setting both together in the PDB spec.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
jvanz committed Apr 3, 2024
1 parent 3fa9744 commit 282cc1e
Showing 16 changed files with 728 additions and 159 deletions.
48 changes: 24 additions & 24 deletions config/crd/bases/policies.kubewarden.io_admissionpolicies.yaml
Expand Up @@ -87,20 +87,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
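Review bot: the rewrite of the `matchPolicy` description in this hunk (double-quoted string with `\n - Exact:` bullets replaced by a single-quoted string with `<ul> <li>` markup) is a regeneration of the upstream Kubernetes doc comment, not part of the PDB feature the commit message describes. The message should say which controller-gen or k8s.io/api version bump produced it, so a reader bisecting later does not look for a functional change in this file; alternatively, land the regenerated CRDs as a separate commit ahead of the `minAvailable`/`maxUnavailable` change.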
Expand Down Expand Up @@ -425,20 +425,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
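Review bot: this second hunk is the same description change at a different offset (line 425 instead of 87, presumably the other served version of the CRD), and the file header reports 24 additions and 24 deletions, so the file carries no functional change at all. Worth confirming that the file is the unmodified output of the repository's manifest generation rather than a hand edit, since any hand edit here would be overwritten the next time the CRDs are regenerated and the two copies could drift apart.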
118 changes: 68 additions & 50 deletions config/crd/bases/policies.kubewarden.io_clusteradmissionpolicies.yaml
Expand Up @@ -108,20 +108,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
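Review bot: the `<ul> <li>` and `</li> </ul>` tags that now appear in the `matchPolicy` description are emitted verbatim by `kubectl explain clusteradmissionpolicies.spec.matchPolicy`, because the description is a plain string and the CLI does not render HTML. This is inherited from the upstream admissionregistration doc comments and is not something to patch in the generated file, but anyone maintaining the user-facing docs for these fields should copy from the source comments rather than from the CRD.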
Expand All @@ -147,22 +147,31 @@ spec:
mutate incoming requests or not.
type: boolean
namespaceSelector:
description: "NamespaceSelector decides whether to run the webhook
description: 'NamespaceSelector decides whether to run the webhook
on an object based on whether the namespace for that object matches
the selector. If the object itself is a namespace, the matching
is performed on object.metadata.labels. If the object is another
cluster scoped resource, it never skips the webhook. \n For example,
to run the webhook on any objects whose namespace is not associated
with \"runlevel\" of \"0\" or \"1\"; you will set the selector
as follows: \"namespaceSelector\": { \"matchExpressions\": [ { \"key\":
\"runlevel\", \"operator\": \"NotIn\", \"values\": [ \"0\", \"1\"
] } ] } \n If instead you want to only run the webhook on any objects
whose namespace is associated with the \"environment\" of \"prod\"
or \"staging\"; you will set the selector as follows: \"namespaceSelector\":
{ \"matchExpressions\": [ { \"key\": \"environment\", \"operator\":
\"In\", \"values\": [ \"prod\", \"staging\" ] } ] } \n See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. \n Default to the empty LabelSelector,
which matches everything."
cluster scoped resource, it never skips the webhook. <br/><br/>
For example, to run the webhook on any objects whose namespace is
not associated with "runlevel" of "0" or "1"; you will set the
selector as follows: <pre> "namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions":
[<br/> &nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"runlevel",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"NotIn",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"0",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"1"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> If instead you want to only run the
webhook on any objects whose namespace is associated with the "environment"
of "prod" or "staging"; you will set the selector as follows: <pre>
"namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"environment",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"In",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"prod",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"staging"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. <br/><br/> Default to the
empty LabelSelector, which matches everything.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
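Review bot: the `namespaceSelector` description now contains backslash-escaped braces (`\{`, `\}`) and `&nbsp;` entities inside a single-quoted YAML scalar, so the backslashes and entity names are literal characters in the stored description, not escapes. That again matches the upstream k8s.io/api doc comment character for character, so it should be left as generated, but it is worth a line in the commit message so the literal `\{` in `kubectl explain` output is not later reported as a corruption of the CRD.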
Expand Down Expand Up @@ -506,20 +515,20 @@ spec:
the API request to be rejected. The default behaviour is "Fail"
type: string
matchPolicy:
description: "matchPolicy defines how the \"rules\" list is used to
match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".
\n - Exact: match a request only if it exactly matches a specified
description: 'matchPolicy defines how the "rules" list is used to
match incoming requests. Allowed values are "Exact" or "Equivalent".
<ul> <li> Exact: match a request only if it exactly matches a specified
rule. For example, if deployments can be modified via apps/v1, apps/v1beta1,
and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"],
apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to
apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
\n - Equivalent: match a request if modifies a resource listed in
rules, even via another API group or version. For example, if deployments
and extensions/v1beta1, but "rules" only included `apiGroups:["apps"],
apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1
or extensions/v1beta1 would not be sent to the webhook. </li> <li>
Equivalent: match a request if modifies a resource listed in rules,
even via another API group or version. For example, if deployments
can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"],
resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. \n Defaults
to \"Equivalent\""
and "rules" only included `apiGroups:["apps"], apiVersions:["v1"],
resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1
would be converted to apps/v1 and sent to the webhook. </li> </ul>
Defaults to "Equivalent"'
type: string
mode:
default: protect
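Review bot: the header for this file reports 68 additions against 50 deletions, all of it description text, so the serialized CRD object grows with this change. The clusteradmissionpolicies CRD already carries two full copies of every description (this hunk at line 515 repeats the one at line 108), and a CRD applied with client-side `kubectl apply` must keep its `kubectl.kubernetes.io/last-applied-configuration` annotation under the 262144-byte annotation limit; a quick size check of the regenerated file would rule that out before merging.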
Expand All @@ -544,22 +544,31 @@ spec:
mutate incoming requests or not.
type: boolean
namespaceSelector:
description: "NamespaceSelector decides whether to run the webhook
description: 'NamespaceSelector decides whether to run the webhook
on an object based on whether the namespace for that object matches
the selector. If the object itself is a namespace, the matching
is performed on object.metadata.labels. If the object is another
cluster scoped resource, it never skips the webhook. \n For example,
to run the webhook on any objects whose namespace is not associated
with \"runlevel\" of \"0\" or \"1\"; you will set the selector
as follows: \"namespaceSelector\": { \"matchExpressions\": [ { \"key\":
\"runlevel\", \"operator\": \"NotIn\", \"values\": [ \"0\", \"1\"
] } ] } \n If instead you want to only run the webhook on any objects
whose namespace is associated with the \"environment\" of \"prod\"
or \"staging\"; you will set the selector as follows: \"namespaceSelector\":
{ \"matchExpressions\": [ { \"key\": \"environment\", \"operator\":
\"In\", \"values\": [ \"prod\", \"staging\" ] } ] } \n See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. \n Default to the empty LabelSelector,
which matches everything."
cluster scoped resource, it never skips the webhook. <br/><br/>
For example, to run the webhook on any objects whose namespace is
not associated with "runlevel" of "0" or "1"; you will set the
selector as follows: <pre> "namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions":
[<br/> &nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"runlevel",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"NotIn",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"0",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"1"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> If instead you want to only run the
webhook on any objects whose namespace is associated with the "environment"
of "prod" or "staging"; you will set the selector as follows: <pre>
"namespaceSelector": \{<br/> &nbsp;&nbsp;"matchExpressions": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;\{<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"key":
"environment",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"operator":
"In",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"values": [<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"prod",<br/> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"staging"<br/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]<br/> &nbsp;&nbsp;&nbsp;&nbsp;\}<br/>
&nbsp;&nbsp;]<br/> \} </pre> See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
for more examples of label selectors. <br/><br/> Default to the
empty LabelSelector, which matches everything.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
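Review bot: none of the hunks loaded on this page touch the PolicyServer CRD or the PolicyServerSpec types, so the mutual exclusion of `minAvailable` and `maxUnavailable` that the commit message promises is not reviewable here; only 2 of the 16 changed files are shown. The reviewer of the remaining files should check that the rule is enforced at admission time rather than only when the PodDisruptionBudget is created, for example with a CEL validation on the spec such as `rule: "!(has(self.minAvailable) && has(self.maxUnavailable))"`, so a PolicyServer with both fields set is rejected up front instead of being accepted and then failing reconciliation when the PDB API refuses it.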