From b89fd875c6a40285dd144d66ee1ed6485ea3fcf5 Mon Sep 17 00:00:00 2001 From: Sertac Ozercan Date: Thu, 11 Nov 2021 21:16:33 +0000 Subject: [PATCH] Prepare for v3.7.0 release 
Signed-off-by: Sertac Ozercan --- Makefile | 2 +- charts/gatekeeper/Chart.yaml | 4 +- charts/gatekeeper/README.md | 14 +- .../crds/assign-customresourcedefinition.yaml | 223 +- ...signmetadata-customresourcedefinition.yaml | 189 +- .../modifyset-customresourcedefinition.yaml | 209 ++ .../gatekeeper-audit-deployment.yaml | 14 + ...ekeeper-controller-manager-deployment.yaml | 4 +- .../gatekeeper-manager-role-clusterrole.yaml | 28 +- .../gatekeeper-manager-role-role.yaml | 2 + ...anager-rolebinding-clusterrolebinding.yaml | 2 + ...eeper-manager-rolebinding-rolebinding.yaml | 2 + ...guration-mutatingwebhookconfiguration.yaml | 2 +- .../templates/namespace-post-install.yaml | 5 +- .../templates/upgrade-crds-hook.yaml | 10 +- charts/gatekeeper/values.yaml | 16 +- cmd/build/helmify/static/Chart.yaml | 4 +- cmd/build/helmify/static/README.md | 4 +- cmd/build/helmify/static/values.yaml | 4 +- config/manager/manager.yaml | 4 +- deploy/experimental/gatekeeper-mutation.yaml | 1976 ----------------- deploy/gatekeeper.yaml | 1555 ++++++++++++- manifest_staging/charts/gatekeeper/Chart.yaml | 4 +- manifest_staging/charts/gatekeeper/README.md | 4 +- .../charts/gatekeeper/values.yaml | 4 +- manifest_staging/deploy/gatekeeper.yaml | 4 +- .../versioned_docs/version-v3.7.x/audit.md | 139 ++ .../version-v3.7.x/cloud-specific.md | 45 + .../version-v3.7.x/constrainttemplates.md | 159 ++ .../version-v3.7.x/customize-admission.md | 78 + .../version-v3.7.x/customize-startup.md | 10 + .../versioned_docs/version-v3.7.x/debug.md | 98 + .../version-v3.7.x/emergency.md | 12 + .../versioned_docs/version-v3.7.x/examples.md | 8 + .../version-v3.7.x/exempt-namespaces.md | 62 + .../version-v3.7.x/failing-closed.md | 148 ++ website/versioned_docs/version-v3.7.x/help.md | 15 + .../versioned_docs/version-v3.7.x/howto.md | 92 + .../versioned_docs/version-v3.7.x/install.md | 114 + .../versioned_docs/version-v3.7.x/intro.md | 34 + .../versioned_docs/version-v3.7.x/library.md | 6 + 
.../versioned_docs/version-v3.7.x/metrics.md | 158 ++ .../versioned_docs/version-v3.7.x/mutation.md | 294 +++ .../versioned_docs/version-v3.7.x/security.md | 11 + website/versioned_docs/version-v3.7.x/sync.md | 44 + .../version-v3.7.x/violations.md | 73 + .../version-v3.7.x-sidebars.json | 108 + website/versions.json | 1 + 48 files changed, 3899 insertions(+), 2099 deletions(-) delete mode 100644 deploy/experimental/gatekeeper-mutation.yaml create mode 100644 website/versioned_docs/version-v3.7.x/audit.md create mode 100644 website/versioned_docs/version-v3.7.x/cloud-specific.md create mode 100644 website/versioned_docs/version-v3.7.x/constrainttemplates.md create mode 100644 website/versioned_docs/version-v3.7.x/customize-admission.md create mode 100644 website/versioned_docs/version-v3.7.x/customize-startup.md create mode 100644 website/versioned_docs/version-v3.7.x/debug.md create mode 100644 website/versioned_docs/version-v3.7.x/emergency.md create mode 100644 website/versioned_docs/version-v3.7.x/examples.md create mode 100644 website/versioned_docs/version-v3.7.x/exempt-namespaces.md create mode 100644 website/versioned_docs/version-v3.7.x/failing-closed.md create mode 100644 website/versioned_docs/version-v3.7.x/help.md create mode 100644 website/versioned_docs/version-v3.7.x/howto.md create mode 100644 website/versioned_docs/version-v3.7.x/install.md create mode 100644 website/versioned_docs/version-v3.7.x/intro.md create mode 100644 website/versioned_docs/version-v3.7.x/library.md create mode 100644 website/versioned_docs/version-v3.7.x/metrics.md create mode 100644 website/versioned_docs/version-v3.7.x/mutation.md create mode 100644 website/versioned_docs/version-v3.7.x/security.md create mode 100644 website/versioned_docs/version-v3.7.x/sync.md create mode 100644 website/versioned_docs/version-v3.7.x/violations.md create mode 100644 website/versioned_sidebars/version-v3.7.x-sidebars.json 
diff --git a/Makefile b/Makefile
index c7426d1ec80..31a4d838cda 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
 ENABLE_EXTERNAL_DATA ?= false
-VERSION := v3.7.0-beta.2
+VERSION := v3.7.0
 KIND_VERSION ?= 0.11.0
 # note: k8s version pinned since KIND image availability lags k8s releases
diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml
index dea5f4d1b1c..5a6fd67b223 100644
--- a/charts/gatekeeper/Chart.yaml
+++ b/charts/gatekeeper/Chart.yaml
@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
 - open policy agent
-version: 3.7.0-beta.2
+version: 3.7.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.7.0-beta.2
+appVersion: v3.7.0
diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md
index 5a3cfb93702..a760cc2895f 100644
--- a/charts/gatekeeper/README.md
+++ b/charts/gatekeeper/README.md
@@ -63,10 +63,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 ## Parameters
 | Parameter | Description | Default |
-| :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ |
+|:---------------------------------------------|:---------------------------------------------------------------------------------------|:--------------------------------------------------------------------------|
 | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
-| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
-| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0-beta.2` |
+| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
+| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0` |
 | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
 | psp.enabled | Enabled PodSecurityPolicy | `true` |
@@ -77,11 +77,12 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `0` |
 | auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
 | disableValidatingWebhook | Disable the validating webhook | `false` |
+| disableMutation | Disable mutation | `false` |
 | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
 | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
 | validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
 | enableDeleteOperations | Enable validating webhook for delete operations | `false` |
-| experimentalEnableMutation | Enable mutation (alpha feature) | `false` |
+| enableExternalData | Enable external data (alpha feature) | `false` |
 | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
 | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
 | emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
@@ -90,7 +91,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | logLevel | Minimum log level | `INFO` |
 | image.pullPolicy | The image pull policy | `IfNotPresent` |
 | image.repository | Image repository | `openpolicyagent/gatekeeper` |
-| image.release | The image release tag to use | Current release version: `v3.7.0-beta.2` |
+| image.release | The image release tag to use | Current release version: `v3.7.0` |
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
@@ -103,8 +104,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` |
 | controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` |
 | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
+| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `Default` |
 | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
 | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
+| audit.dnsPolicy | Set the dnsPolicy for audit pods | `Default` |
 | audit.healthPort | Health port for audit | `9090` |
 | audit.metricsPort | Metrics port for audit | `8888` |
 | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
@@ -115,6 +118,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |
 | service.type | Service type | `ClusterIP` |
 | service.loadBalancerIP | The IP address of LoadBalancer service | `` |
+| rbac.create | Enable the creation of RBAC resources | `true` |
 ## Contributing Changes
diff --git a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
index 9e720a2799f..bbbd2f3e4ab 100644
--- a/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
+++ b/charts/gatekeeper/crds/assign-customresourcedefinition.yaml
@@ -161,8 +161,229 @@ spec: properties: assign: description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. 
+ type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true pathTests: items: description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. 
All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." diff --git a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml index 9ea26709771..f0708748a4f 100644 --- a/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/assignmetadata-customresourcedefinition.yaml 
@@ -140,8 +140,195 @@ spec: properties: assign: description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects objects to apply mutations to. + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. 
A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. 
+ type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true type: object type: object status: diff --git a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml index e5e58c7d9c1..9e3353d53d6 100644 --- a/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/modifyset-customresourcedefinition.yaml 
@@ -226,6 +226,215 @@ spec: type: object type: object served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. 
+ properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true storage: true subresources: status: {} diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 655c4a52f10..38d8dd4f43c 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml 
@@ -50,9 +50,11 @@ spec: - --emit-audit-events={{ .Values.emitAuditEvents }} - --operation=audit - --operation=status + {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} - --logtostderr - --health-addr=:{{ .Values.audit.healthPort }} - --prometheus-port={{ .Values.audit.metricsPort }} + - --enable-external-data={{ .Values.enableExternalData }} command: - /manager env: @@ -94,6 +96,10 @@ spec: runAsGroup: 999 runAsNonRoot: true runAsUser: 1000 + volumeMounts: + - mountPath: /tmp/audit + name: tmp-volume + dnsPolicy: {{ .Values.audit.dnsPolicy }} hostNetwork: {{ .Values.audit.hostNetwork }} imagePullSecrets: {{- toYaml .Values.image.pullSecrets | nindent 8 }} @@ -106,3 +112,11 @@ spec: terminationGracePeriodSeconds: 60 tolerations: {{- toYaml .Values.audit.tolerations | nindent 8 }} + volumes: + {{- if .Values.audit.writeToRAMDisk }} + - emptyDir: + medium: Memory + {{ else }} + - emptyDir: {} + {{- end }} + name: tmp-volume diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index f2ea8355dc8..a2141e367a1 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -50,7 +50,8 @@ spec: - --log-level={{ .Values.logLevel }} - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook - - --enable-mutation={{ .Values.experimentalEnableMutation}} + - --enable-external-data={{ .Values.enableExternalData }} + {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} {{- range .Values.disabledBuiltins}} - --disable-opa-builtin={{ . }} @@ -111,6 +112,7 @@ spec: - mountPath: /certs name: cert readOnly: true + dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} hostNetwork: {{ .Values.controllerManager.hostNetwork }} imagePullSecrets: {{- toYaml .Values.image.pullSecrets | nindent 8 }} 
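Review bot: The new `tmp-volume` emptyDir in the audit deployment's third hunk (`@@ -106,3 +112,11 @@`) carries no `sizeLimit`, so whatever the audit pod writes under `/tmp/audit` is bounded only by the node's disk, or, when `audit.writeToRAMDisk` is true, by the container's memory limit, since a memory-backed emptyDir is charged to the pod's memory. Adding `sizeLimit: <SIZE_PLACEHOLDER>` to both emptyDir branches, ideally sourced from a chart value, makes the kubelet evict the pod when the volume overruns instead of letting it put pressure on the node. The mount appears to go with the `auditChunkSize: 500` default introduced in values.yaml, but what is actually written there is not visible in this diff. The `{{ else }}` in that block lacks the `-` trim used by the surrounding `{{- if` / `{{- end }}` and leaves a blank line in the rendered manifest; harmless, but inconsistent with the rest of the template.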
diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index b148acb07bf..2ccd9f0671e 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -18,6 +19,18 @@ rules: - get - list - watch +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - gatekeeper-mutating-webhook-configuration + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch - apiGroups: - apiextensions.k8s.io resources: @@ -149,17 +162,4 @@ rules: - patch - update - watch -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - gatekeeper-mutating-webhook-configuration - resources: - - mutatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch +{{- end }} diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml index 73e2c5cf701..25b2e702f37 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -30,3 +31,4 @@ rules: - patch - update - watch +{{- end }} diff --git a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml index 22194d2ad25..1fb9f6c87a5 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml 
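Review bot: The rule added in the second hunk (`@@ -18,6 +19,18 @@`) grants `patch`/`update` on the `gatekeeper-mutating-webhook-configuration` MutatingWebhookConfiguration unconditionally, while the webhook configuration itself is rendered only when `not .Values.disableMutation` (its template guard is changed later in this diff). With mutation disabled the service account keeps write access to an admission object that is not deployed, which is broader than needed; wrapping the rule in `{{- if not .Values.disableMutation }}` … `{{- end }}` keeps the ClusterRole aligned with what is actually installed. Dropping `create` and `delete` from the verb list is a welcome narrowing and is not re-raised here. The role.yaml hunks on this line apply the same `rbac.create` gate and need no separate note.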
@@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -16,3 +17,4 @@ subjects: - kind: ServiceAccount name: gatekeeper-admin namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml index 4bf6087dcec..fbe9580d57f 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,3 +18,4 @@ subjects: - kind: ServiceAccount name: gatekeeper-admin namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml index ebaa1fd9c03..19e68b0cb53 100644 --- a/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml +++ b/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -1,4 +1,4 @@ -{{- if .Values.experimentalEnableMutation }} +{{- if not .Values.disableMutation }} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: diff --git a/charts/gatekeeper/templates/namespace-post-install.yaml b/charts/gatekeeper/templates/namespace-post-install.yaml index b2388d5b1dd..41dabefd08a 100644 --- a/charts/gatekeeper/templates/namespace-post-install.yaml +++ b/charts/gatekeeper/templates/namespace-post-install.yaml 
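Review bot: The guard on the mutating webhook configuration template changes from opt-in (`experimentalEnableMutation`, default false) to opt-out (`not .Values.disableMutation`, default false in values.yaml), so an upgrade that never set a mutation value now registers a MutatingWebhookConfiguration that did not exist before. Because the webhook's failure policy defaults to `Ignore` (`mutatingWebhookFailurePolicy: Ignore` in values.yaml), a misbehaving mutation path fails silently, which makes an explicit upgrade note more important; if the chart README does not already state that `experimentalEnableMutation` was removed and that `disableMutation: true` restores the previous behaviour, it should. The rolebinding hunks on this line are the same `rbac.create` gating pattern and need no further comment.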
@@ -60,6 +60,7 @@ metadata: "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -82,7 +83,9 @@ rules: - patch resourceNames: - {{ .Release.Namespace }} +{{- end }} --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -102,5 +105,5 @@ subjects: - kind: ServiceAccount name: gatekeeper-update-namespace-label namespace: {{ .Release.Namespace | quote }} - +{{- end }} {{- end }} diff --git a/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/charts/gatekeeper/templates/upgrade-crds-hook.yaml index 78fcaf81cd2..42a15381781 100644 --- a/charts/gatekeeper/templates/upgrade-crds-hook.yaml +++ b/charts/gatekeeper/templates/upgrade-crds-hook.yaml @@ -1,4 +1,5 @@ {{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -14,7 +15,9 @@ rules: - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "create", "update", "patch"] +{{- end }} --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -34,6 +37,7 @@ roleRef: kind: ClusterRole name: gatekeeper-admin-upgrade-crds apiGroup: rbac.authorization.k8s.io +{{- end }} --- apiVersion: v1 kind: ServiceAccount @@ -83,15 +87,17 @@ spec: - apply - -f - crds/ + resources: + {{- toYaml .Values.crds.resources | nindent 10 }} securityContext: allowPrivilegeEscalation: false capabilities: drop: - all readOnlyRootFilesystem: true - runAsGroup: 999 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 1000 + runAsUser: 65532 nodeSelector: kubernetes.io/os: linux diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index a6ab8fd3b43..eac2fe0e92c 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml 
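Review bot: In the upgrade-crds-hook hunk `@@ -83,15 +87,17 @@` the hook container's `runAsUser`/`runAsGroup` move to 65532 while the audit and controller-manager containers earlier in this diff still run as 1000/999, and nothing on the page says why they diverge. If this tracks a base-image change in the crds image, a comment on those two lines such as `# 65532: non-root user of the gatekeeper-crds image` would stop the next reader from treating the difference as drift. The new `crds.resources` value is rendered with `toYaml | nindent 10` and defaults to `{}`, which yields an empty `resources: {}` block and renders fine, but a comment in values.yaml noting that it applies only to this hook pod would help, since the key name alone does not say so.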
@@ -3,15 +3,16 @@ auditInterval: 60 auditMatchKindOnly: false constraintViolationsLimit: 20 auditFromCache: false +disableMutation: false disableValidatingWebhook: false validatingWebhookTimeoutSeconds: 3 validatingWebhookFailurePolicy: Ignore validatingWebhookCheckIgnoreFailurePolicy: Fail enableDeleteOperations: false -experimentalEnableMutation: false +enableExternalData: false mutatingWebhookFailurePolicy: Ignore mutatingWebhookTimeoutSeconds: 3 -auditChunkSize: 0 +auditChunkSize: 500 logLevel: INFO logDenies: false emitAdmissionEvents: false @@ -22,13 +23,13 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.7.0-beta.2 + tag: v3.7.0 pullPolicy: IfNotPresent pullSecrets: [] image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.7.0-beta.2 + release: v3.7.0 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: @@ -40,6 +41,7 @@ controllerManager: exemptNamespaces: [] exemptNamespacePrefixes: [] hostNetwork: false + dnsPolicy: Default port: 8443 metricsPort: 8888 healthPort: 9090 @@ -67,12 +69,14 @@ controllerManager: memory: 256Mi audit: hostNetwork: false + dnsPolicy: Default metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical affinity: {} tolerations: [] nodeSelector: { kubernetes.io/os: linux } + writeToRAMDisk: false resources: limits: cpu: 1000m @@ -80,6 +84,8 @@ audit: requests: cpu: 100m memory: 256Mi +crds: + resources: {} pdb: controllerManager: minAvailable: 1 @@ -89,3 +95,5 @@ psp: enabled: true upgradeCRDs: enabled: true +rbac: + create: true diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index dea5f4d1b1c..5a6fd67b223 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml 
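Review bot: `dnsPolicy: Default` under both `controllerManager` and `audit` is not the Kubernetes default for a pod with `hostNetwork: false` (that is `ClusterFirst`); `Default` makes the pod inherit the node's resolver, so these deployments switch from cluster DNS to node DNS on upgrade, and anything that resolves in-cluster Service names from them, such as an external-data provider once `enableExternalData` is turned on, could stop resolving. Unless node DNS is the intent, `dnsPolicy: ClusterFirst` preserves prior behaviour and still lets operators choose `Default` when they enable `hostNetwork`. Separately, `auditChunkSize` moves from `0` to `500`, a behavioural default change rather than a version bump; a one-line comment above the key stating what `0` meant and why 500 is now the default, plus a changelog entry, would keep operators from being surprised.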
@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper name: gatekeeper keywords: - open policy agent -version: 3.7.0-beta.2 +version: 3.7.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.7.0-beta.2 +appVersion: v3.7.0 diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 5e32d11ea8f..a760cc2895f 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -66,7 +66,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi |:---------------------------------------------|:---------------------------------------------------------------------------------------|:--------------------------------------------------------------------------| | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0-beta.2` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | psp.enabled | Enabled PodSecurityPolicy | `true` | 
@@ -91,7 +91,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.7.0-beta.2` | +| image.release | The image release tag to use | Current release version: `v3.7.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 38c7f0d5ac4..eac2fe0e92c 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -23,13 +23,13 @@ postInstall: enabled: true image: repository: openpolicyagent/gatekeeper-crds - tag: v3.7.0-beta.2 + tag: v3.7.0 pullPolicy: IfNotPresent pullSecrets: [] image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.7.0-beta.2 + release: v3.7.0 pullPolicy: IfNotPresent pullSecrets: [] podAnnotations: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index b17f69580cb..d61d9cdb0f8 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -51,7 +51,7 @@ spec: - "--exempt-namespace=gatekeeper-system" - "--operation=webhook" - "--operation=mutation-webhook" - image: openpolicyagent/gatekeeper:v3.7.0-beta.2 + image: openpolicyagent/gatekeeper:v3.7.0 imagePullPolicy: Always name: manager ports: @@ -140,7 +140,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - image: openpolicyagent/gatekeeper:v3.7.0-beta.2 + image: openpolicyagent/gatekeeper:v3.7.0 imagePullPolicy: Always livenessProbe: httpGet: 
diff --git a/deploy/experimental/gatekeeper-mutation.yaml b/deploy/experimental/gatekeeper-mutation.yaml deleted file mode 100644 index a88b64928b2..00000000000 --- a/deploy/experimental/gatekeeper-mutation.yaml +++ /dev/null 
@@ -1,1976 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - admission.gatekeeper.sh/ignore: no-self-managing - control-plane: controller-manager - gatekeeper.sh/system: "yes" - name: gatekeeper-system ---- -apiVersion: v1 -kind: ResourceQuota -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-critical-pods - namespace: gatekeeper-system -spec: - hard: - pods: 100 - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-cluster-critical ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: assign.mutations.gatekeeper.sh -spec: - group: mutations.gatekeeper.sh - names: - kind: Assign - listKind: AssignList - plural: assign - singular: assign - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Assign is the Schema for the assign API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - name: - maxLength: 63 - type: string - type: object - spec: - description: AssignSpec defines the desired state of Assign. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. 
This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. - properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
- properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - assign: - description: Assign.value holds the value to be assigned - type: object - x-kubernetes-preserve-unknown-fields: true - pathTests: - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. 
Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." - properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - type: object - type: object - status: - description: AssignStatus defines the observed state of Assign. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: assignmetadata.mutations.gatekeeper.sh -spec: - group: mutations.gatekeeper.sh - names: - kind: AssignMetadata - listKind: AssignMetadataList - plural: assignmetadata - singular: assignmetadata - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: AssignMetadata is the Schema for the assignmetadata API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - name: - maxLength: 63 - type: string - type: object - spec: - description: AssignMetadataSpec defines the desired state of AssignMetadata. - properties: - location: - type: string - match: - description: Match selects objects to apply mutations to. - properties: - excludedNamespaces: - items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource - type: string - type: object - parameters: - properties: - assign: - description: Assign.value holds the value to be assigned - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - status: - description: AssignMetadataStatus defines the observed state of AssignMetadata. - properties: - byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: configs.config.gatekeeper.sh -spec: - group: config.gatekeeper.sh - names: - kind: Config - listKind: ConfigList - plural: configs - singular: config - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Config is the Schema for the configs API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConfigSpec defines the desired state of Config. 
- properties: - match: - description: Configuration for namespace exclusion - items: - properties: - excludedNamespaces: - items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - processes: - items: - type: string - type: array - type: object - type: array - readiness: - description: Configuration for readiness tracker - properties: - statsEnabled: - type: boolean - type: object - sync: - description: Configuration for syncing k8s objects - properties: - syncOnly: - description: If non-empty, only entries on this list will be replicated into OPA - items: - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - type: array - type: object - validation: - description: Configuration for validation - properties: - traces: - description: List of requests to trace. Both "user" and "kinds" must be specified - items: - properties: - dump: - description: Also dump the state of OPA with the trace. Set to `All` to dump everything. - type: string - kind: - description: Only trace requests of the following GroupVersionKind - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - user: - description: Only trace requests from the specified user - type: string - type: object - type: array - type: object - type: object - status: - description: ConfigStatus defines the observed state of Config. 
- type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: constraintpodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: ConstraintPodStatus - listKind: ConstraintPodStatusList - plural: constraintpodstatuses - singular: constraintpodstatus - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. - properties: - constraintUID: - description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - enforced: - type: boolean - errors: - items: - description: Error represents a single error caught while adding a constraint to OPA. 
- properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: constrainttemplatepodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: ConstraintTemplatePodStatus - listKind: ConstraintTemplatePodStatusList - plural: constrainttemplatepodstatuses - singular: constrainttemplatepodstatus - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. 
- properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: 'Important: Run "make" to regenerate code after modifying this file' - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. - type: string - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: constrainttemplates.templates.gatekeeper.sh -spec: - group: templates.gatekeeper.sh - names: - kind: ConstraintTemplate - listKind: ConstraintTemplateList - plural: constrainttemplates - singular: constrainttemplate - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. - properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - default: - legacySchema: false - properties: - legacySchema: - default: false - type: boolean - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - targets: - items: - properties: - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. - properties: - byPod: - items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller - properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
- properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - created: - type: boolean - type: object - type: object - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. 
- properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - default: - legacySchema: true - properties: - legacySchema: - default: true - type: boolean - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - targets: - items: - properties: - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. - properties: - byPod: - items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller - properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - created: - type: boolean - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. - properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - default: - legacySchema: true - properties: - legacySchema: - default: true - type: boolean - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - targets: - items: - properties: - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. - properties: - byPod: - items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller - properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
- properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - created: - type: boolean - type: object - type: object - served: true - storage: false - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: modifyset.mutations.gatekeeper.sh -spec: - group: mutations.gatekeeper.sh - names: - kind: ModifySet - listKind: ModifySetList - plural: modifyset - singular: modifyset - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - name: - maxLength: 63 - type: string - type: object - spec: - description: ModifySetSpec defines the desired state of ModifySet. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. - properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. 
- items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: A label selector is a label query over a set of resources. 
The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - items: - description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: ResourceScope is an enum defining the different scopes available to a custom resource - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. 
- properties: - operation: - default: merge - description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" - enum: - - merge - - prune - type: string - pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." - properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - values: - description: Values describes the values provided to the operation as `values.fromList`. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - status: - description: ModifySetStatus defines the observed state of ModifySet. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: mutatorpodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: MutatorPodStatus - listKind: MutatorPodStatusList - plural: mutatorpodstatuses - singular: mutatorpodstatus - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: MutatorPodStatus is the Schema for the mutationpodstatuses API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. 
- properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. - type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.5.0 - labels: - gatekeeper.sh/system: "yes" - name: providers.externaldata.gatekeeper.sh -spec: - group: externaldata.gatekeeper.sh - names: - kind: Provider - listKind: ProviderList - plural: providers - singular: provider - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the Provider API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. 
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines the Provider specifications. - properties: - timeout: - description: Timeout is the timeout when querying the provider. - type: integer - url: - description: URL is the url for the provider. URL is prefixed with http:// or https://. - type: string - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-admin - namespace: gatekeeper-system ---- -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-admin -spec: - allowPrivilegeEscalation: false - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - requiredDropCapabilities: - - ALL - runAsUser: - rule: MustRunAsNonRoot - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - projected - - secret - - downwardAPI ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - creationTimestamp: null - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-role - namespace: gatekeeper-system -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-role -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -- apiGroups: - - 
apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - config.gatekeeper.sh - resources: - - configs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - config.gatekeeper.sh - resources: - - configs/status - verbs: - - get - - patch - - update -- apiGroups: - - constraints.gatekeeper.sh - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - externaldata.gatekeeper.sh - resources: - - providers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mutations.gatekeeper.sh - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - policy - resourceNames: - - gatekeeper-admin - resources: - - podsecuritypolicies - verbs: - - use -- apiGroups: - - status.gatekeeper.sh - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - templates.gatekeeper.sh - resources: - - constrainttemplates - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - templates.gatekeeper.sh - resources: - - constrainttemplates/finalizers - verbs: - - delete - - get - - patch - - update -- apiGroups: - - templates.gatekeeper.sh - resources: - - constrainttemplates/status - verbs: - - get - - patch - - update -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - gatekeeper-validating-webhook-configuration - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - admissionregistration.k8s.io - resourceNames: - - gatekeeper-mutating-webhook-configuration - resources: - - mutatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- 
-apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-rolebinding - namespace: gatekeeper-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: gatekeeper-manager-role -subjects: -- kind: ServiceAccount - name: gatekeeper-admin - namespace: gatekeeper-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: gatekeeper-manager-role -subjects: -- kind: ServiceAccount - name: gatekeeper-admin - namespace: gatekeeper-system ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-webhook-server-cert - namespace: gatekeeper-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-webhook-service - namespace: gatekeeper-system -spec: - ports: - - name: https-webhook-server - port: 443 - targetPort: webhook-server - selector: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - name: gatekeeper-audit - namespace: gatekeeper-system -spec: - replicas: 1 - selector: - matchLabels: - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - template: - metadata: - annotations: - container.seccomp.security.alpha.kubernetes.io/manager: runtime/default - labels: - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - spec: - automountServiceAccountToken: true - containers: - - args: - - --operation=audit - - --operation=status - - --operation=mutation-status - - --logtostderr - command: - - 
/manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: openpolicyagent/gatekeeper:v3.7.0-beta.2 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 9090 - name: manager - ports: - - containerPort: 8888 - name: metrics - protocol: TCP - - containerPort: 9090 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 9090 - resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /tmp/audit - name: tmp-volume - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: gatekeeper-admin - terminationGracePeriodSeconds: 60 - volumes: - - emptyDir: {} - name: tmp-volume ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - name: gatekeeper-controller-manager - namespace: gatekeeper-system -spec: - replicas: 3 - selector: - matchLabels: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - template: - metadata: - annotations: - container.seccomp.security.alpha.kubernetes.io/manager: runtime/default - labels: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: gatekeeper.sh/operation - operator: In - values: - - webhook - topologyKey: kubernetes.io/hostname - weight: 100 - automountServiceAccountToken: true - containers: - - args: - - 
--port=8443 - - --logtostderr - - --exempt-namespace=gatekeeper-system - - --operation=webhook - - --enable-mutation=true - command: - - /manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - image: openpolicyagent/gatekeeper:v3.7.0-beta.2 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 9090 - name: manager - ports: - - containerPort: 8443 - name: webhook-server - protocol: TCP - - containerPort: 8888 - name: metrics - protocol: TCP - - containerPort: 9090 - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 9090 - resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true - nodeSelector: - kubernetes.io/os: linux - priorityClassName: system-cluster-critical - serviceAccountName: gatekeeper-admin - terminationGracePeriodSeconds: 60 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: gatekeeper-webhook-server-cert ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-controller-manager - namespace: gatekeeper-system -spec: - minAvailable: 1 - selector: - matchLabels: - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - creationTimestamp: null - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-mutating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: gatekeeper-webhook-service - namespace: 
gatekeeper-system - path: /v1/mutate - failurePolicy: Ignore - matchPolicy: Exact - name: mutation.gatekeeper.sh - namespaceSelector: - matchExpressions: - - key: admission.gatekeeper.sh/ignore - operator: DoesNotExist - rules: - - apiGroups: - - '*' - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - '*' - sideEffects: None - timeoutSeconds: 3 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - gatekeeper.sh/system: "yes" - name: gatekeeper-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: gatekeeper-webhook-service - namespace: gatekeeper-system - path: /v1/admit - failurePolicy: Ignore - matchPolicy: Exact - name: validation.gatekeeper.sh - namespaceSelector: - matchExpressions: - - key: admission.gatekeeper.sh/ignore - operator: DoesNotExist - rules: - - apiGroups: - - '*' - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - '*' - sideEffects: None - timeoutSeconds: 3 -- admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: gatekeeper-webhook-service - namespace: gatekeeper-system - path: /v1/admitlabel - failurePolicy: Fail - matchPolicy: Exact - name: check-ignore-label.gatekeeper.sh - rules: - - apiGroups: - - "" - apiVersions: - - '*' - operations: - - CREATE - - UPDATE - resources: - - namespaces - sideEffects: None - timeoutSeconds: 3 diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml index 83c626f7fe3..0268c0a763a 100644 --- a/deploy/gatekeeper.yaml +++ b/deploy/gatekeeper.yaml 
@@ -26,6 +26,840 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + labels: + gatekeeper.sh/system: "yes" + name: assign.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: Assign + listKind: AssignList + plural: assign + singular: assign + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. 
+ type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. 
All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. 
+ properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. 
For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' 
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. 
+ properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + labels: + gatekeeper.sh/system: "yes" + name: assignmetadata.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignMetadata + listKind: AssignMetadataList + plural: assignmetadata + singular: assignmetadata + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects objects to apply mutations to. + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. 
+ properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects objects to apply mutations to. 
+ properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. 
+ properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.5.0 
@@ -437,54 +1271,387 @@ spec: x-kubernetes-preserve-unknown-fields: true type: object type: object - type: object - targets: - items: - properties: - libs: - items: - type: string - type: array - rego: - type: string - target: + type: object + targets: + items: + properties: + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.5.0 + labels: + gatekeeper.sh/system: "yes" + name: modifyset.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: ModifySet + listKind: ModifySetList + plural: modifyset + singular: modifyset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. 
+ items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: A label selector is a label query over a set of resources. 
The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + items: + description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.' + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string - type: object - type: array + type: array + scope: + description: ResourceScope is an enum defining the different scopes available to a custom resource + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. 
+ properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object type: object status: - description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + description: ModifySetStatus defines the observed state of ModifySet. properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. properties: + enforced: + type: boolean errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: MutatorError represents a single error caught while adding a mutator to a system. 
properties: - code: - type: string - location: - type: string message: type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string required: - - code - message type: object type: array id: - description: a unique identifier for the pod that wrote the status + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch type: string observedGeneration: format: int64 type: integer + operations: + items: + type: string + type: array type: object - x-kubernetes-preserve-unknown-fields: true type: array - created: - type: boolean type: object type: object served: true @@ -494,7 +1661,7 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 
@@ -505,85 +1672,199 @@ spec:
 metadata:
 type: object
 spec:
- description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
+ description: ModifySetSpec defines the desired state of ModifySet.
 properties:
- crd:
- properties:
- spec:
- properties:
- names:
- properties:
- kind:
- type: string
- shortNames:
- items:
- type: string
- type: array
- type: object
- validation:
- default:
- legacySchema: true
- properties:
- legacySchema:
- default: true
- type: boolean
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- type: object
- type: object
- targets:
+ applyTo:
+ description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
 items:
+ description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
 properties:
- libs:
+ groups:
+ items:
+ type: string
+ type: array
+ kinds:
+ items:
+ type: string
+ type: array
+ versions:
 items:
 type: string
 type: array
- rego:
- type: string
- target:
- type: string
 type: object
 type: array
+ location:
+ description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
+ type: string
+ match:
+ description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
+ properties:
+ excludedNamespaces:
+ items:
+ description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+ type: string
+ type: array
+ kinds:
+ items:
+ description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply.
If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
+ properties:
+ apiGroups:
+ description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
+ items:
+ type: string
+ type: array
+ kinds:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ labelSelector:
+ description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ name:
+ description: 'Name is the name of an object.
If defined, it will match against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+ type: string
+ namespaceSelector:
+ description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ namespaces:
+ items:
+ description: 'A string that supports globbing at its end. Ex: "kube-*" will match "kube-system" or "kube-public". The asterisk is required for wildcard matching.'
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+ type: string
+ type: array
+ scope:
+ description: ResourceScope is an enum defining the different scopes available to a custom resource
+ type: string
+ type: object
+ parameters:
+ description: Parameters define the behavior of the mutator.
+ properties:
+ operation:
+ default: merge
+ description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
+ enum:
+ - merge
+ - prune
+ type: string
+ pathTests:
+ description: PathTests are a series of existence tests that can be checked before a mutation is applied
+ items:
+ description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
+ properties:
+ condition:
+ description: Condition describes whether the path either MustExist or MustNotExist in the original object
+ enum:
+ - MustExist
+ - MustNotExist
+ type: string
+ subPath:
+ type: string
+ type: object
+ type: array
+ values:
+ description: Values describes the values provided to the operation as `values.fromList`.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
 type: object
 status:
- description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
+ description: ModifySetStatus defines the observed state of ModifySet.
 properties:
 byPod:
 items:
- description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
+ description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
+ enforced:
+ type: boolean
 errors:
 items:
- description: CreateCRDError represents a single error caught during parsing, compiling, etc.
+ description: MutatorError represents a single error caught while adding a mutator to a system.
 properties:
- code:
- type: string
- location:
- type: string
 message:
 type: string
+ type:
+ description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
+ type: string
 required:
- - code
 - message
 type: object
 type: array
 id:
- description: a unique identifier for the pod that wrote the status
+ type: string
+ mutatorUID:
+ description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
 type: string
 observedGeneration:
 format: int64
 type: integer
+ operations:
+ items:
+ type: string
+ type: array
 type: object
- x-kubernetes-preserve-unknown-fields: true
 type: array
- created:
- type: boolean
 type: object
 type: object
 served: true
- storage: false
+ storage: true
 subresources:
 status: {}
 status:
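Review bot: `spec.match.scope` is described as "an enum defining the different scopes available to a custom resource" but the schema constrains it only to `type: string`, so the API server will accept any value, unlike `parameters.operation`, which carries an `enum:` list; a mistyped scope is then stored and what the controller does with an unknown scope is not visible here. Since this CRD is controller-gen output, the fix belongs on the Go type (a kubebuilder validation enum marker listing the accepted scope values) rather than in this manifest, and the same schema appears in the preceding hunk for the earlier version of this CRD, whose start is outside this chunk. The `status.byPod[].id` field also lost its description ("a unique identifier for the pod that wrote the status") in this rewrite while `mutatorUID` gained one; restoring `description: a unique identifier for the pod that wrote the status` would keep the status schema self-explanatory, and the new `enforced` and `operations` fields would benefit from one as well.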
@@ -595,6 +1876,78 @@ status:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.5.0
+ labels:
+ gatekeeper.sh/system: "yes"
+ name: mutatorpodstatuses.status.gatekeeper.sh
+spec:
+ group: status.gatekeeper.sh
+ names:
+ kind: MutatorPodStatus
+ listKind: MutatorPodStatusList
+ plural: mutatorpodstatuses
+ singular: mutatorpodstatus
+ preserveUnknownFields: false
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: MutatorPodStatus is the Schema for the mutationpodstatuses API.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ status:
+ description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
+ properties:
+ enforced:
+ type: boolean
+ errors:
+ items:
+ description: MutatorError represents a single error caught while adding a mutator to a system.
+ properties:
+ message:
+ type: string
+ type:
+ description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
+ type: string
+ required:
+ - message
+ type: object
+ type: array
+ id:
+ type: string
+ mutatorUID:
+ description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
+ type: string
+ observedGeneration:
+ format: int64
+ type: integer
+ operations:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
 annotations:
 controller-gen.kubebuilder.io/version: v0.5.0
@@ -729,6 +2082,18 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resourceNames:
+ - gatekeeper-mutating-webhook-configuration
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -960,7 +2325,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0-beta.2
+ image: openpolicyagent/gatekeeper:v3.7.0
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
@@ -994,11 +2359,17 @@ spec:
 runAsGroup: 999
 runAsNonRoot: true
 runAsUser: 1000
+ volumeMounts:
+ - mountPath: /tmp/audit
+ name: tmp-volume
 nodeSelector:
 kubernetes.io/os: linux
 priorityClassName: system-cluster-critical
 serviceAccountName: gatekeeper-admin
 terminationGracePeriodSeconds: 60
+ volumes:
+ - emptyDir: {}
+ name: tmp-volume
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -1044,6 +2415,7 @@ spec:
 - --logtostderr
 - --exempt-namespace=gatekeeper-system
 - --operation=webhook
+ - --operation=mutation-webhook
 command:
 - /manager
 env:
@@ -1056,7 +2428,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0-beta.2
+ image: openpolicyagent/gatekeeper:v3.7.0
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
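Review bot: The new ClusterRole rule grants `list` and `watch` on `mutatingwebhookconfigurations` under a `resourceNames` restriction, and Kubernetes RBAC honors a name-restricted list or watch only when the request itself carries a `metadata.name` field selector for that name; an informer that lists the whole resource would be denied and the controller would never see its own webhook configuration. If the manager's cache is already set up with such a selector, or this mirrors how the existing validating-webhook rule (outside this hunk) is granted and works, the rule is fine; otherwise either the informer needs the selector or `list`/`watch` need a separate unscoped rule while `patch`/`update` stay name-scoped. A comment above the rule, e.g. `# list/watch on a named resource only works when the client selects by metadata.name`, would spare the next reader the same check.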
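Review bot: The `tmp-volume` emptyDir added to the audit Deployment and mounted at `/tmp/audit` has no `sizeLimit`, so whatever the audit pod writes there is bounded only by the node's ephemeral storage rather than by anything in this manifest. Bounding it is a one-line change, `- emptyDir: {sizeLimit: 1Gi}` (value is a constructed example; pick it from the largest audit output you expect), or an `ephemeral-storage` limit under the container's `resources`, which is outside this hunk. What the audit process stores under `/tmp/audit`, and how large it can grow on a big cluster, is not visible in this hunk, so the chosen bound should be noted in a comment next to the volume.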
@@ -1124,6 +2496,41 @@ spec:
 gatekeeper.sh/system: "yes"
 ---
 apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ gatekeeper.sh/system: "yes"
+ name: gatekeeper-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: gatekeeper-webhook-service
+ namespace: gatekeeper-system
+ path: /v1/mutate
+ failurePolicy: Ignore
+ matchPolicy: Exact
+ name: mutation.gatekeeper.sh
+ namespaceSelector:
+ matchExpressions:
+ - key: admission.gatekeeper.sh/ignore
+ operator: DoesNotExist
+ rules:
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - '*'
+ sideEffects: None
+ timeoutSeconds: 1
+---
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
 labels:
diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml
index dea5f4d1b1c..5a6fd67b223 100644
--- a/manifest_staging/charts/gatekeeper/Chart.yaml
+++ b/manifest_staging/charts/gatekeeper/Chart.yaml
@@ -3,8 +3,8 @@ description: A Helm chart for Gatekeeper
 name: gatekeeper
 keywords:
 - open policy agent
-version: 3.7.0-beta.2
+version: 3.7.0
 home: https://github.com/open-policy-agent/gatekeeper
 sources:
 - https://github.com/open-policy-agent/gatekeeper.git
-appVersion: v3.7.0-beta.2
+appVersion: v3.7.0
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index 5e32d11ea8f..a760cc2895f 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
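Review bot: With `failurePolicy: Ignore` and `timeoutSeconds: 1`, any mutation the webhook cannot answer within one second is silently dropped and the object is admitted unmutated; unlike a skipped validation, which audit can later surface, nothing in this manifest re-checks whether a mutation was applied, so under load mutations become intermittent with no signal in the cluster. Whether one second is enough for `/v1/mutate` on a busy cluster is not visible here, and the validating webhook's timeout (outside this hunk) is the natural value to align with if it is longer. At minimum a comment next to the field, `# failurePolicy Ignore + 1s timeout: a slow response means the object is admitted without mutation`, and alerting on the API server's `apiserver_admission_webhook_fail_open_count` for `mutation.gatekeeper.sh` would make the trade-off explicit to operators.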
@@ -66,7 +66,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 |:---------------------------------------------|:---------------------------------------------------------------------------------------|:--------------------------------------------------------------------------|
 | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
 | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
-| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0-beta.2` |
+| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0` |
 | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
 | psp.enabled | Enabled PodSecurityPolicy | `true` |
@@ -91,7 +91,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | logLevel | Minimum log level | `INFO` |
 | image.pullPolicy | The image pull policy | `IfNotPresent` |
 | image.repository | Image repository | `openpolicyagent/gatekeeper` |
-| image.release | The image release tag to use | Current release version: `v3.7.0-beta.2` |
+| image.release | The image release tag to use | Current release version: `v3.7.0` |
 | image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
 | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
 | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 38c7f0d5ac4..eac2fe0e92c 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -23,13 +23,13 @@ postInstall:
 enabled: true
 image:
 repository: openpolicyagent/gatekeeper-crds
- tag: v3.7.0-beta.2
+ tag: v3.7.0
 pullPolicy: IfNotPresent
 pullSecrets: []
 image:
 repository: openpolicyagent/gatekeeper
 crdRepository: openpolicyagent/gatekeeper-crds
- release: v3.7.0-beta.2
+ release: v3.7.0
 pullPolicy: IfNotPresent
 pullSecrets: []
 podAnnotations:
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
index 5f0bda72810..0268c0a763a 100644
--- a/manifest_staging/deploy/gatekeeper.yaml
+++ b/manifest_staging/deploy/gatekeeper.yaml
@@ -2325,7 +2325,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0-beta.2
+ image: openpolicyagent/gatekeeper:v3.7.0
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
@@ -2428,7 +2428,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: openpolicyagent/gatekeeper:v3.7.0-beta.2
+ image: openpolicyagent/gatekeeper:v3.7.0
 imagePullPolicy: Always
 livenessProbe:
 httpGet:
diff --git a/website/versioned_docs/version-v3.7.x/audit.md b/website/versioned_docs/version-v3.7.x/audit.md
new file mode 100644
index 00000000000..2d066d7dc6c
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/audit.md
@@ -0,0 +1,139 @@
+---
+id: audit
+title: Audit
+---
+
+Audit performs periodic evaluations of existing resources against constraints, detecting pre-existing misconfigurations.
+
+## Reading Audit Results
+
+There are three ways to gather audit results, depending on the level of detail needed.
+
+### Prometheus Metrics
+
+Prometheus metrics provide an aggregated look at the number of audit violations:
+
+* `gatekeeper_audit_last_run_time` provides the timestamp of the most recently completed audit run
+* `gatekeeper_violations` provides the total number of audited violations for the last audit run, broken down by violation severity
+
+### Constraint Status
+
+Violations of constraints are listed in the `status` field of the corresponding constraint.
+Note that only violations from the most recent audit run are reported. Also note that there
+is a maximum number of individual violations that will be reported on the constraint
+itself. If the number of current violations is greater than this cap, the excess violations
+will not be reported (though they will still be included in the `totalViolations` count).
+This is because Kubernetes has a cap on how large individual API objects can grow, which makes
+unbounded growth a bad idea. This limit can be configured via the `--constraint-violations-limit` flag.
+
+Here is an example of a constraint with violations:
+
+```yaml
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+ name: ns-must-have-gk
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Namespace"]
+ parameters:
+ labels: ["gatekeeper"]
+status:
+ auditTimestamp: "2019-05-11T01:46:13Z"
+ enforced: true
+ violations:
+ - enforcementAction: deny
+ kind: Namespace
+ message: 'you must provide labels: {"gatekeeper"}'
+ name: default
+ - enforcementAction: deny
+ kind: Namespace
+ message: 'you must provide labels: {"gatekeeper"}'
+ name: gatekeeper-system
+ - enforcementAction: deny
+ kind: Namespace
+ message: 'you must provide labels: {"gatekeeper"}'
+ name: kube-public
+ - enforcementAction: deny
+ kind: Namespace
+ message: 'you must provide labels: {"gatekeeper"}'
+ name: kube-system
+```
+
+### Audit Logs
+
+#### Violations
+
+The audit pod emits JSON-formatted audit logs to stdout. The following is an example audit event:
+
+```json
+{
+ "level": "info",
+ "ts": 1632889070.3075402,
+ "logger": "controller",
+ "msg": "container has no resource limits",
+ "process": "audit",
+ "audit_id": "2021-09-29T04:17:47Z",
+ "event_type": "violation_audited",
+ "constraint_group": "constraints.gatekeeper.sh",
+ "constraint_api_version": "v1beta1",
+ "constraint_kind": "K8sContainerLimits",
+ "constraint_name": "container-must-have-limits",
+ "constraint_namespace": "",
+ "constraint_action": "deny",
+ "resource_group": "",
+ "resource_api_version": "v1",
+ "resource_kind": "Pod",
+ "resource_namespace": "kube-system",
+ "resource_name": "kube-scheduler-kind-control-plane"
+}
+```
+
+In addition to information on the violated constraint, violating resource, and violation message, the
+audit log entries also contain:
+
+* An `audit_id` field that uniquely identifies a given audit run.
This allows indexing of historical audits
+* An `event_type` field with a value of `violation_audited` to make it easy to programatically identify audit violations
+
+#### Other Event Types
+
+In addition to violations, these other audit events may be useful (all uniquely identified via the `event_type` field):
+
+* `audit_started` marks the beginning of a new audit run
+* `constraint_audited` marks when a constraint is done being audited for a given run, along with the number of violations found
+* `audit_finished` marks the end of the current audit run
+
+All of these events (including `violation_audited`) are marked with the same `audit_id` for a given audit run.
+
+## Configuring Audit
+
+- Audit violations per constraint: set `--constraint-violations-limit=123` (defaults to `20`)
+- Audit chunk size: set `--audit-chunk-size=500` (defaults to `0` = infinite) to limit memory consumption of the auditing `Pod`
+- Audit interval: set `--audit-interval=123` (defaults to every `60` seconds). Disable audit interval by setting `--audit-interval=0`
+
+By default, audit will request each resource from the Kubernetes API during each audit cycle. To rely on the OPA cache instead, use the flag `--audit-from-cache=true`. Note that this requires replication of Kubernetes resources into OPA before they can be evaluated against the enforced policies. Refer to the [Replicating data](sync.md) section for more information.
+
+### Audit using kinds specified in the constraints only
+
+By default, Gatekeeper will audit all resources in the cluster. This operation can take some time depending on the number of resources.
+
+If all of your constraints match against specific kinds (e.g. "match only pods"), then you can speed up audit runs by setting `--audit-match-kind-only=true` flag. This will only check resources of the kinds specified in all [constraints](howto.md#constraints) defined in the cluster.
+
+For example, defining this constraint will only audit `Pod` kind:
+
+```yaml
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAllowedRepos
+metadata:
+ name: prod-repo-is-openpolicyagent
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+...
+```
+
+If any of the [constraints](howto.md#constraints) do not specify `kinds`, it will be equivalent to not setting `--audit-match-kind-only` flag (`false` by default), and will fall back to auditing all resources in the cluster.
diff --git a/website/versioned_docs/version-v3.7.x/cloud-specific.md b/website/versioned_docs/version-v3.7.x/cloud-specific.md
new file mode 100644
index 00000000000..dac7262e9a6
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/cloud-specific.md
@@ -0,0 +1,45 @@
+---
+id: vendor-specific
+title: Cloud and Vendor Specific Fixes
+---
+
+## Running on private GKE Cluster nodes
+
+By default, firewall rules restrict the cluster master communication to nodes only on ports 443 (HTTPS) and 10250 (kubelet). Although Gatekeeper exposes its service on port 443, GKE by default enables `--enable-aggregator-routing` option, which makes the master to bypass the service and communicate straight to the POD on port 8443.
+
+Two ways of working around this:
+
+- create a new firewall rule from master to private nodes to open port `8443` (or any other custom port)
+ - https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules
+- make the pod to run on privileged port 443 (need to run pod as root)
+ - update Gatekeeper deployment manifest spec:
+ - remove `securityContext` settings that force the pods not to run as root
+ - update port from `8443` to `443`
+ ```yaml
+ containers:
+ - args:
+ - --port=443
+ ports:
+ - containerPort: 443
+ name: webhook-server
+ protocol: TCP
+ ```
+
+## Running on OpenShift 4.x
+
+When running on OpenShift, the `anyuid` scc must be used to keep a restricted profile but being able to set the UserID.
+
+In order to use it, the following section must be added to the gatekeeper-manager-role Role:
+
+```yaml
+- apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - anyuid
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+```
+
+With this restricted profile, it won't be possible to set the `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` annotation. On the other hand, given the limited amount of privileges provided by the anyuid scc, the annotation can be removed.
diff --git a/website/versioned_docs/version-v3.7.x/constrainttemplates.md b/website/versioned_docs/version-v3.7.x/constrainttemplates.md
new file mode 100644
index 00000000000..08db467adb1
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/constrainttemplates.md
@@ -0,0 +1,159 @@
+---
+id: constrainttemplates
+title: Constraint Templates
+---
+
+ConstraintTemplates define a way to validate some set of Kubernetes objects in Gatekeeper's Kubernetes [admission controller](https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/). They are made of two main elements:
+
+1. [Rego](https://www.openpolicyagent.org/docs/latest/#rego) code that defines a policy violation
+2. The schema of the accompanying `Constraint` object, which represents an instantiation of a `ConstraintTemplate`
+
+## `v1` Constraint Template
+
+In release version 3.6.0, Gatekeeper included the `v1` version of `ConstraintTemplate`. Unlike past versions of `ConstraintTemplate`, `v1` requires the Constraint schema section to be [structural](https://kubernetes.io/blog/2019/06/20/crd-structural-schema/).
+
+Structural schemas have a variety of [requirements](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema). One such requirement is that the `type` field be defined for each level of the schema.
+
+For example, users of Gatekeeper may recognize the `k8srequiredlabels` ConstraintTemplate, defined here in version `v1beta1`:
+
+```yaml
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: k8srequiredlabels
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sRequiredLabels
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ properties:
+ labels:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8srequiredlabels
+
+ violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+ provided := {label | input.review.object.metadata.labels[label]}
+ required := {label | label := input.parameters.labels[_]}
+ missing := required - provided
+ count(missing) > 0
+ msg := sprintf("you must provide labels: %v", [missing])
+ }
+```
+
+The `parameters` field schema (`spec.crd.spec.validation.openAPIV3Schema`) is _not_ structural. Notably, it is missing the `type:` declaration:
+
+```yaml
+openAPIV3Schema:
+ # missing type
+ properties:
+ labels:
+ type: array
+ items:
+ type: string
+```
+
+This schema is _invalid_ by default in a `v1` ConstraintTemplate. Adding the `type` information makes the schema valid:
+
+```yaml
+openAPIV3Schema:
+ type: object
+ properties:
+ labels:
+ type: array
+ items:
+ type: string
+```
+
+For more information on valid types in JSONSchemas, see the [JSONSchema documentation](https://json-schema.org/understanding-json-schema/reference/type.html).
+
+## Why implement this change?
+
+Structural schemas are required in version `v1` of `CustomResourceDefinition` resources, which underlie ConstraintTemplates. Requiring the same in ConstraintTemplates puts Gatekeeper in line with the overall direction of Kubernetes.
+
+Beyond this alignment, structural schemas yield significant usability improvements. The schema of a ConstraintTemplate's associated Constraint is both more visible and type validated.
+
+As the data types of Constraint fields are defined in the ConstraintTemplate, the API server will reject a Constraint with an incorrect `parameters` field. Previously, the API server would ingest it and simply not pass those `parameters` to Gatekeeper. This experience was confusing for users, and is noticeably improved by structural schemas.
+
+For example, see this incorrectly defined `k8srequiredlabels` Constraint:
+
+```yaml
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+ name: ns-must-have-gk
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Namespace"]
+ parameters:
+ # Note that "labels" is now contained in an array item, rather than an object key under "parameters"
+ - labels: ["gatekeeper"]
+```
+
+In a `v1beta1` ConstraintTemplate, this Constraint would be ingested successfully. However, it would not work. The creation of a new namespace, `foobar`, would succeed, even in the absence of the `gatekeeper` label:
+
+```shell
+$ kubectl create ns foobar
+namespace/foobar created
+```
+
+This is incorrect. We'd expect this to fail:
+
+```shell
+$ kubectl create ns foobar
+Error from server ([ns-must-have-gk] you must provide labels: {"gatekeeper"}): admission webhook "validation.gatekeeper.sh" denied the request: [ns-must-have-gk] you must provide labels: {"gatekeeper"}
+```
+
+The structural schema requirement _prevents this mistake_. The aforementioned `type: object` declaration would prevent the API server from accepting the incorrect `k8srequiredlabels` Constraint.
+
+```shell
+# Apply the Constraint with incorrect parameters schema
+$ cat << EOF | kubectl apply -f -
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+ name: ns-must-have-gk
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Namespace"]
+ parameters:
+ # Note that "labels" is now an array item, rather than an object
+ - labels: ["gatekeeper"]
+EOF
+The K8sRequiredLabels "ns-must-have-gk" is invalid: spec.parameters: Invalid value: "array": spec.parameters in body must be of type object: "array"
+```
+
+Fixing the incorrect `parameters` section would then yield a successful ingestion and a working Constraint.
+
+```shell
+$ cat << EOF | kubectl apply -f -
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+ name: ns-must-have-gk
+spec:
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Namespace"]
+ parameters:
+ labels: ["gatekeeper"]
+EOF
+k8srequiredlabels.constraints.gatekeeper.sh/ns-must-have-gk created
+```
+
+```shell
+$ kubectl create ns foobar
+Error from server ([ns-must-have-gk] you must provide labels: {"gatekeeper"}): admission webhook "validation.gatekeeper.sh" denied the request: [ns-must-have-gk] you must provide labels: {"gatekeeper"}
+```
diff --git a/website/versioned_docs/version-v3.7.x/customize-admission.md b/website/versioned_docs/version-v3.7.x/customize-admission.md
new file mode 100644
index 00000000000..9476559c9d3
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/customize-admission.md
@@ -0,0 +1,78 @@ +--- +id: customize-admission +title: Customizing Admission Behavior +--- + +Gatekeeper is a [Kubernetes admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration) +whose default configuration can be found in the `gatekeeper.yaml` manifest file. By default, it is +a `ValidatingWebhookConfiguration` resource named `gatekeeper-validating-webhook-configuration`. + +Currently the configuration specifies two webhooks: one for checking a request against +the installed constraints and a second webhook for checking labels on namespace requests +that would result in bypassing constraints for the namespace. The namespace-label webhook +is necessary to prevent a privilege escalation where the permission to add a label to a +namespace is equivalent to the ability to bypass all constraints for that namespace. +You can read more about the ability to exempt namespaces by label [here](exempt-namespaces.md#exempting-namespaces-from-the-gatekeeper-admission-webhook-using---exempt-namespace-flag). + +Because Kubernetes adds features with each version, if you want to know how the webhook can be configured it +is best to look at the official documentation linked at the top of this section. However, two particularly important +configuration options deserve special mention: [timeouts](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts) and +[failure policy](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy). + +Timeouts allow you to configure how long the API server will wait for a response from the admission webhook before it +considers the request to have failed. Note that setting the timeout longer than the overall request timeout +means that the main request will time out before the webhook's failure policy is invoked, causing the +request to fail. 
+ +Failure policy controls what happens when a webhook fails for whatever reason. Common +failure scenarios include timeouts, a 5xx error from the server or the webhook being unavailable. +You have the option to ignore errors, allowing the request through, or failing, rejecting the request. +This results in a direct tradeoff between availability and enforcement. + +Currently Gatekeeper is defaulting to using `Ignore` for the constraint requests, which means +constraints will not be enforced at admission time if the webhook is down or otherwise inaccessible. +This is because we cannot know the operational details of the cluster Gatekeeper is running on and +how that might affect webhook uptime. For a more detailed treatment of this topic, see our docs +on [failing closed](failing-closed.md). + +The namespace label webhook defaults to `Fail`, this is to help ensure that policies preventing +labels that bypass the webhook from being applied are enforced. Because this webhook only gets +called for namespace modification requests, the impact of downtime is mitigated, making the +theoretical maximum availability less of an issue. + +Because the manifest is available for customization, the webhook configuration can +be tuned to meet your specific needs if they differ from the defaults. + +## Enable Validation of Delete Operations + +### Caveats + +#### Deletes are not Auditable + +Once a resource is deleted, it is gone. This means that non-compliant deletes cannot be +audited via Gatekeeper's audit mechanism, and increases the importance of webhook-based +enforcement. + +#### Policies Against DELETE May Not be Perfectly Enforced + +Since the webhook fails open by default (as described earlier on this page), it is possible +for admission requests to have imperfect enforcement, which means some non-compliant deletes +may still go through despite the policy. Normally such failures of webhook enforcement could +be caught by audit, but deletes are not auditable. 
+ +It is possible to improve the likelihood of enforcement by configuring the webhook to +[fail closed](failing-closed.md). + +### How to Enable Validation of Delete Operations + +To enable Delete operations for the `validation.gatekeeper.sh` admission webhook, add "DELETE" to the list of operations in the `gatekeeper-validating-webhook-configuration` ValidatingWebhookConfiguration as seen in this deployment manifest of gatekeeper: [here](https://github.com/open-policy-agent/gatekeeper/blob/v3.1.0-beta.10/deploy/gatekeeper.yaml#L792-L794) + + So you have + ```YAML + operations: + - CREATE + - UPDATE + - DELETE +``` + +You can now check for deletes. diff --git a/website/versioned_docs/version-v3.7.x/customize-startup.md b/website/versioned_docs/version-v3.7.x/customize-startup.md new file mode 100644 index 00000000000..fc6d8b74317 --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/customize-startup.md @@ -0,0 +1,10 @@ +--- +id: customize-startup +title: Customizing Startup Behavior +--- + +## Allow retries when adding objects to OPA + +Gatekeeper's webhook servers undergo a bootstrapping period during which they are unavailable until the initial set of resources (constraints, templates, synced objects, etc...) have been ingested. This prevents Gatekeeper's webhook from validating based on an incomplete set of policies. This wait-for-bootstrapping behavior can be configured. + +The `--readiness-retries` flag defines the number of retry attempts allowed for an object (a Constraint, for example) to be successfully added to OPA. The default is `0`. A value of `-1` allows for infinite retries, blocking the webhook until all objects have been added to OPA. This guarantees complete enforcement, but has the potential to indefinitely block the webhook from serving requests. \ No newline at end of file diff --git a/website/versioned_docs/version-v3.7.x/debug.md b/website/versioned_docs/version-v3.7.x/debug.md new file mode 100644 index 00000000000..34552d7e195 
--- /dev/null +++ b/website/versioned_docs/version-v3.7.x/debug.md 
@@ -0,0 +1,98 @@ +--- +id: debug +title: Debugging +--- + +> NOTE: Verbose logging with DEBUG level can be turned on with `--log-level=DEBUG`. By default, the `--log-level` flag is set to minimum log level `INFO`. Acceptable values for minimum log level are [`DEBUG`, `INFO`, `WARNING`, `ERROR`]. In production, this flag should not be set to `DEBUG`. + +## Viewing the Request Object + +A simple way to view the request object is to use a constraint/template that +denies all requests and outputs the request object as its rejection message. + +Example template: + +```yaml +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sdenyall +spec: + crd: + spec: + names: + kind: K8sDenyAll + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sdenyall + + violation[{"msg": msg}] { + msg := sprintf("REVIEW OBJECT: %v", [input.review]) + } +``` + +Example constraint: + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sDenyAll +metadata: + name: deny-all-namespaces +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Namespace"] +``` + +## Tracing + +In debugging decisions and constraints, a few pieces of information can be helpful: + + * Cached data and existing rules at the time of the request + * A trace of the evaluation + * The input document being evaluated + +Writing out this information for every request would be very expensive, and it would be hard +to find the relevant logs for a given request. Instead, Gatekeeper allows users to specify +resources and requesting users for which information will be logged. They can do so by +configuring the `Config` resource, which lives in the `gatekeeper-system` namespace. 
+ +Below is an example of a config resource: + +```yaml +apiVersion: config.gatekeeper.sh/v1alpha1 +kind: Config +metadata: + name: config + namespace: "gatekeeper-system" +spec: + # Data to be replicated into OPA + sync: + syncOnly: + - group: "" + version: "v1" + kind: "Namespace" + validation: + # Requests for which we want to run traces + traces: + # The requesting user for which traces will be run + - user: "user_to_trace@company.com" + kind: + # The group, version, kind for which we want to run a trace + group: "" + version: "v1" + kind: "Namespace" + # If dump is defined and set to `All`, also dump the state of OPA + dump: "All" +``` + +Traces will be written to the stdout logs of the Gatekeeper controller. + + +If there is an error in the Rego in the ConstraintTemplate, there are cases where it is still created via `kubectl apply -f [CONSTRAINT_TEMPLATE_FILENAME].yaml`. + +When applying the constraint using `kubectl apply -f constraint.yaml` with a ConstraintTemplate that contains incorrect Rego, and error will occur: `error: unable to recognize "[CONSTRAINT_FILENAME].yaml": no matches for kind "[NAME_OF_CONSTRAINT]" in version "constraints.gatekeeper.sh/v1beta1"`. + +To find the error, run `kubectl get -f [CONSTRAINT_TEMPLATE_FILENAME].yaml -o yaml`. Build errors are shown in the `status` field. \ No newline at end of file diff --git a/website/versioned_docs/version-v3.7.x/emergency.md b/website/versioned_docs/version-v3.7.x/emergency.md new file mode 100644 index 00000000000..ae703e044aa --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/emergency.md 
@@ -0,0 +1,12 @@ +--- +id: emergency +title: Emergency Recovery +--- + +If a situation arises where Gatekeeper is preventing the cluster from operating correctly, +the webhook can be disabled. This will remove all Gatekeeper admission checks. Assuming +the default webhook name has been used this can be achieved by running: + +`kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io gatekeeper-validating-webhook-configuration` + +Redeploying the webhook configuration will re-enable Gatekeeper. \ No newline at end of file diff --git a/website/versioned_docs/version-v3.7.x/examples.md b/website/versioned_docs/version-v3.7.x/examples.md new file mode 100644 index 00000000000..24f05dd6638 --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/examples.md @@ -0,0 +1,8 @@ +--- +id: examples +title: Examples +--- + +The [demo/basic](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/basic) directory contains the above examples of simple constraints, templates and configs to play with. + +The [demo/agilebank](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/agilebank) directory contains more complex examples based on a slightly more realistic scenario. Both folders have a handy demo script to step you through the demos. \ No newline at end of file diff --git a/website/versioned_docs/version-v3.7.x/exempt-namespaces.md b/website/versioned_docs/version-v3.7.x/exempt-namespaces.md new file mode 100644 index 00000000000..fe0dd1d9e6b --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/exempt-namespaces.md 
@@ -0,0 +1,62 @@ +--- +id: exempt-namespaces +title: Exempting Namespaces +--- + +## Exempting Namespaces from Gatekeeper using config resource + +The config resource can be used as follows to exclude namespaces from certain processes for all constraints in the cluster. To exclude namespaces at a constraint level, use `excludedNamespaces` in the [constraint](howto.md#constraints) instead. + +```yaml +apiVersion: config.gatekeeper.sh/v1alpha1 +kind: Config +metadata: + name: config + namespace: "gatekeeper-system" +spec: + match: + - excludedNamespaces: ["kube-system", "gatekeeper-system"] + processes: ["*"] + - excludedNamespaces: ["audit-excluded-ns"] + processes: ["audit"] + - excludedNamespaces: ["audit-webhook-sync-excluded-ns"] + processes: ["audit", "webhook", "sync"] + - excludedNamespaces: ["mutation-excluded-ns"] + processes: ["mutation-webhook"] +... +``` + +Available processes: +- `audit` process exclusion will exclude resources from specified namespace(s) in audit results. +- `webhook` process exclusion will exclude resources from specified namespace(s) from the admission webhook. +- `sync` process exclusion will exclude resources from specified namespace(s) from being synced into OPA. +- `mutation-webhook` process exclusion will exclude resources from specified namespace(s) from the mutation webhook. +- `*` includes all current processes above and includes any future processes. + +## Exempting Namespaces from the Gatekeeper Admission Webhook using `--exempt-namespace` flag + +Note that the following only exempts resources from the admission webhook. They will still be audited. Editing individual constraints or [config resource](#exempting-namespaces-from-gatekeeper-using-config-resource) is +necessary to exclude them from audit. + +If it becomes necessary to exempt a namespace from Gatekeeper webhook entirely (e.g. you want `kube-system` to bypass admission checks), here's how to do it: + + 1. 
Make sure the validating admission webhook configuration for Gatekeeper has the following namespace selector: + + ```yaml + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + ``` + the default Gatekeeper manifest should already have added this. The default name for the + webhook configuration is `gatekeeper-validating-webhook-configuration` and the default + name for the webhook that needs the namespace selector is `validation.gatekeeper.sh` + + 2. Tell Gatekeeper it's okay for the namespace to be ignored by adding a flag to the pod: + `--exempt-namespace=`. This step is necessary because otherwise the + permission to modify a namespace would be equivalent to the permission to exempt everything + in that namespace from policy checks. This way a user must explicitly have permissions + to configure the Gatekeeper pod before they can add exemptions. + + 3. Add the `admission.gatekeeper.sh/ignore` label to the namespace. The value attached + to the label is ignored, so it can be used to annotate the reason for the exemption. diff --git a/website/versioned_docs/version-v3.7.x/failing-closed.md b/website/versioned_docs/version-v3.7.x/failing-closed.md new file mode 100644 index 00000000000..8152a0454b1 --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/failing-closed.md 
@@ -0,0 +1,148 @@ +--- +id: failing-closed +title: Failing Closed +--- + +Here we discuss how to configure Gatekeeper to fail closed and some factors you may want to consider before doing so. + +## How to Fail Closed + +If you installed Gatekeeper via the manifest, the only needed change is to set the `failurePolicy` field of Gatekeeper's `ValidatingWebhookConfiguration` to `Fail`. For example: + + +```yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + gatekeeper.sh/system: "yes" + name: gatekeeper-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: SOME_CERT + service: + name: gatekeeper-webhook-service + namespace: gatekeeper-system + path: /v1/admit + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: validation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + scope: '*' + sideEffects: None + timeoutSeconds: 3 +- admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: SOME_CERT + service: + name: gatekeeper-webhook-service + namespace: gatekeeper-system + path: /v1/admitlabel + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: check-ignore-label.gatekeeper.sh + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - "" + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - namespaces + scope: '*' + sideEffects: None + timeoutSeconds: 3 +``` + +If you installed Gatekeeper via any other method (Helm chart, operator), please consult the documentation for that method. + +## Considerations + +Here are some factors you may want to consider before configuring Gatekeeper to fail closed. 
+ +### Admission Deadlock + +#### Example + +It is possible to put the cluster in a state where automatic self-healing is impossible. Imagine you delete every `Node` in your cluster. This will kill all running Gatekeeper servers, which means the webhook will fail. Because a request to add a `Node` is subject to admission validation, it cannot succeed until the webhook can serve. The webhook cannot serve until a `Node` is added. This circular dependency will need to be broken before the cluster's control plane can recover. + +#### Mitigation + +This can normally be mitigated by deleting the `ValidatingWebhookConfiguration`, per the [emergency procedure](emergency.md). + +Note that it should always be possible to modify or delete the `ValidatingWebhookConfiguration` because Kubernetes does not make requests to edit webhook configurations subject to admission webhooks. + +#### Potential Gotchas + +If the existence of the webhook resource is enforced by some external process (such as an operator), that may interfere with the emergency recovery process. If this applies, it would be good to have a plan in place to deal with that scenario. + +### Cluster Control Plane Availability + +Because the webhook is being called for all K8s API server requests (under the default configuration), the availability of K8s's control plane becomes subject to the availability of the webhook. It is important to have an idea of your expected API server availability [SLO](https://en.wikipedia.org/wiki/Service-level_objective) and make sure Gatekeeper is configured to support that. + +Below are some potential ways to do that and their gotchas. + +#### Limit the Gatekeeper Webhook's Scope + +It is possible to exempt certain namespaces from being subject to the webhook, or to only call the webhook for certain kinds. This could be one way to prevent the webhook from interfering with sensitive processes. 
+ +##### Potential Gotchas + +It can be hard to say for certain that all critical resources have been exempted because dependencies can be non-obvious. Some examples: + +- Exempting `kube-system` namespace is a good starting place, but what about cluster-scoped resources, like nodes? What about other potentially critical namespaces like `istio-system`? +- Some seemingly innocuous kinds can actually play a critical role in cluster operations. Did you know that a `ConfigMap` is used as the locking resource for some Kubernetes leader elections? + +If you are relying on exempting resources to keep your cluster available, be sure you know all the critical dependencies of your cluster. Unfortunately this is very cluster-specific, so there is no general guidance to be offered here. + +#### Harden Your Deployment + +Gatekeeper attempts to be resilient out-of-the-box by running its webhook in multiple pods. You can take that work and adapt it to your cluster by adding the appropriate node selectors and scaling the number of nodes up or down as desired. + +##### Impact of Scaling Nodes + +Putting hard numbers on the impact scaling resources has on Gatekeeper's availability depends on the specifics of the underlying hardware of your cluster and how Gatekeeper is distributed across it, but there are some general themes: + +- Increasing the number of webhook pods should increase QPS serving capacity +- Increasing the number of webhook pods tends to increase uptime of the service +- Increasing the number of webhook pods may increase the time it takes for a constraint to be enforced by all pods in the system + +##### Potential Gotcha: Failure Domains + +Increasing the number of pods increases the theoretical uptime of a system under the theory that if one pod goes down the other pods continue to serve and pick up the slack. This assumption fails if multiple pods fail at the same time due to the same root cause. 
This happens when multiple pods are in the same [failure domain](https://en.wikipedia.org/wiki/Failure_domain#:~:text=In%20computing%2C%20a%20failure%20domain,of%20infrastructure%20that%20could%20fail.). + +Here are some common ways for two pods to be in the same failure domain: + +- Running on the same node +- Running on the same physical host (e.g. multiple nodes are VMs backed by the same physical machine) +- Running on different physical hosts with the same network switch +- Running on different physical hosts with the same power supply +- Running on different physical hosts in the same rack + +Different clusters may have different backing physical infrastructures and different risk tolerances. Because of this, there is no definitive list of failure domains or guidance on how that should affect your setup. + +## Why Is This Hard? + +In a nutshell it's because it's a webhook, and because it's self-hosted. All REST servers require enough high-availabily infrastructure to satisfy their SLOs (see cloud availability zones / regions). Self-hosted webhooks create a circular dependency that has the potential to interfere with the self-healing Kubenetes usually provides. Any self-hosted admission webhook would be subject to these same concerns. \ No newline at end of file diff --git a/website/versioned_docs/version-v3.7.x/help.md b/website/versioned_docs/version-v3.7.x/help.md new file mode 100644 index 00000000000..9188e3b0b2c --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/help.md 
@@ -0,0 +1,15 @@ +--- +id: help +title: Want to help? +--- + +Join us to help define the direction and implementation of this project! + +- Join the [`#kubernetes-policy`](https://openpolicyagent.slack.com/messages/CDTN970AX) + channel on [OPA Slack](https://slack.openpolicyagent.org/). + +- Join [weekly meetings](https://docs.google.com/document/d/1A1-Q-1OMw3QODs1wT6eqfLTagcGmgzAJAjJihiO3T48/edit) + to discuss development, issues, use cases, etc. + +- Use [GitHub Issues](https://github.com/open-policy-agent/gatekeeper/issues) + to file bugs, request features, or ask questions asynchronously. diff --git a/website/versioned_docs/version-v3.7.x/howto.md b/website/versioned_docs/version-v3.7.x/howto.md new file mode 100644 index 00000000000..ca43ce0d5ae --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/howto.md 
@@ -0,0 +1,92 @@ +--- +id: howto +title: How to use Gatekeeper +--- + +Gatekeeper uses the [OPA Constraint Framework](https://github.com/open-policy-agent/frameworks/tree/master/constraint) to describe and enforce policy. Look there for more detailed information on their semantics and advanced usage. + +## Constraint Templates + +Before you can define a constraint, you must first define a [`ConstraintTemplate`](constrainttemplates.md), which describes both the [Rego](https://www.openpolicyagent.org/docs/latest/#rego) that enforces the constraint and the schema of the constraint. The schema of the constraint allows an admin to fine-tune the behavior of a constraint, much like arguments to a function. + +Here is an example constraint template that requires all labels described by the constraint to be present: + +```yaml +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + labels: + type: array + items: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_]} + missing := required - provided + count(missing) > 0 + msg := sprintf("you must provide labels: %v", [missing]) + } +``` + +You can install this ConstraintTemplate with the following command: + +```sh +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/basic/templates/k8srequiredlabels_template.yaml +``` + +## Constraints + +Constraints are then used to inform Gatekeeper that the admin wants a ConstraintTemplate to be enforced, and how. 
This constraint uses the `K8sRequiredLabels` constraint template above to make sure the `gatekeeper` label is defined on all namespaces: + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sRequiredLabels +metadata: + name: ns-must-have-gk +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Namespace"] + parameters: + labels: ["gatekeeper"] +``` + +You can install this Constraint with the following command: + +```sh +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/basic/constraints/all_ns_must_have_gatekeeper.yaml +``` + +Note the `match` field, which defines the scope of objects to which a given constraint will be applied. It supports the following matchers: + + * `kinds` accepts a list of objects with `apiGroups` and `kinds` fields that list the groups/kinds of objects to which the constraint will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + * `scope` accepts `*`, `Cluster`, or `Namespaced` which determines if cluster-scoped and/or namespace-scoped resources are selected. (defaults to `*`) + * `namespaces` is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix-based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`. + * `excludedNamespaces` is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix-based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`. + * `labelSelector` is a standard Kubernetes label selector. + * `namespaceSelector` is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + * `name` is the name of an object. If defined, it matches against objects with the specified name. 
Name also supports a prefix-based glob. For example, `name: pod-*` matches both `pod-a` and `pod-b`. + +Note that if multiple matchers are specified, a resource must satisfy each top-level matcher (`kinds`, `namespaces`, etc.) to be in scope. Each top-level matcher has its own semantics for what qualifies as a match. An empty matcher is deemed to be inclusive (matches everything). Also understand `namespaces`, `excludedNamespaces`, and `namespaceSelector` will match on cluster scoped resources which are not namespaced. To avoid this adjust the `scope` to `Namespaced`. + +### Listing constraints +You can list all constraints in a cluster with the following command: + +```sh +kubectl get constraints +``` diff --git a/website/versioned_docs/version-v3.7.x/install.md b/website/versioned_docs/version-v3.7.x/install.md new file mode 100644 index 00000000000..e7aa3b49ddf --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/install.md 
@@ -0,0 +1,114 @@ +--- +id: install +title: Installation +--- + +## Prerequisites + +### Minimum Kubernetes Version + +The minimum supported Kubernetes version of Gatekeeper is **n-4 of the latest stable Kubernetes release** per [Kubernetes Supported Versions policy](https://kubernetes.io/releases/version-skew-policy/). NOTE: Gatekeeper requires Kubernetes resources introduced in v1.16. + +### RBAC Permissions + +For either installation method, make sure you have cluster admin permissions: + +```sh + kubectl create clusterrolebinding cluster-admin-binding \ + --clusterrole cluster-admin \ + --user +``` + +## Installation + +### Deploying a Release using Prebuilt Image + +If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command: + +```sh +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.5/deploy/gatekeeper.yaml +``` + +### Deploying a Release using development image + +If you want to deploy latest development version of Gatekeeper, you can use `openpolicyagent/gatekeeper:dev` tag or `openpolicyagent/gatekeeper:`. + +Images are hosted in [OPA Docker Hub repository](https://hub.docker.com/r/openpolicyagent/gatekeeper/tags). + +### Deploying HEAD Using make + +Currently the most reliable way of installing Gatekeeper is to build and install from HEAD: + + * Make sure that: + * You have Docker version 19.03 or later installed. + * [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder#getting-started) and [Kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/) are installed. + * Your kubectl context is set to the desired installation cluster. + * You have a container registry you can write to that is readable by the target cluster. + * Clone the Gatekeeper repository to your local system: + ```sh + git clone https://github.com/open-policy-agent/gatekeeper.git + ``` + * `cd` to the repository directory. 
+ * Define your destination Docker image location: + ```sh + export DESTINATION_GATEKEEPER_DOCKER_IMAGE= + ``` + * Build and push your Docker image: + ```sh + make docker-buildx REPOSITORY="$DESTINATION_GATEKEEPER_DOCKER_IMAGE" + make docker-push REPOSITORY="$DESTINATION_GATEKEEPER_DOCKER_IMAGE" + ``` + * Finally, deploy: + ```sh + make deploy REPOSITORY="$DESTINATION_GATEKEEPER_DOCKER_IMAGE" + ``` + +### Deploying via Helm + +A basic Helm chart exists in `charts/gatekeeper`. If you have Helm installed, you can deploy via the following instructions for Helm v3: + +```sh +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm install gatekeeper/gatekeeper --generate-name +``` + +If you are using the older Gatekeeper Helm repo location and Helm v3.3.2+, then use `force-update` to override the default behavior to update the existing repo. + +```sh +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts --force-update +``` + +Please note that this chart is compatible with Helm v3 starting with Gatekeeper v3.1.1. When using Helm v3, it is expected to see warnings regarding to `crd-install` hook. This is due to maintaining backwards compatibility with Helm v2 and should not impact the chart deployment. + +You can alter the variables in `charts/gatekeeper/values.yaml` to customize your deployment. To regenerate the base template, run `make manifests`. 
+ +## Uninstallation + +### Using Prebuilt Image + +If you used a prebuilt image to deploy Gatekeeper, then you can delete all the Gatekeeper components with the following command: + + ```sh + kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.5/deploy/gatekeeper.yaml + ``` + +### Using make + +If you used `make` to deploy, then run the following to uninstall Gatekeeper: + + * cd to the repository directory + * run `make uninstall` + +### Using Helm + +If you used `helm` to deploy, then run the following to uninstall Gatekeeper: +```sh +helm delete +``` + +Helm v3 will not cleanup Gatekeeper installed CRDs. Run the following to uninstall Gatekeeper CRDs: +```sh +kubectl delete crd -l gatekeeper.sh/system=yes +``` + +This operation will also delete any user installed config changes, and constraint templates and constraints. diff --git a/website/versioned_docs/version-v3.7.x/intro.md b/website/versioned_docs/version-v3.7.x/intro.md new file mode 100644 index 00000000000..5c282f3ee68 --- /dev/null +++ b/website/versioned_docs/version-v3.7.x/intro.md 
@@ -0,0 +1,34 @@
+---
+id: intro
+title: Introduction
+sidebar_label: Introduction
+slug: /
+---
+
+## Goals
+
+Every organization has policies. Some are essential to meet governance and legal requirements. Others help ensure adherence to best practices and institutional conventions. Attempting to ensure compliance manually would be error-prone and frustrating. Automating policy enforcement ensures consistency, lowers development latency through immediate feedback, and helps with agility by allowing developers to operate independently without sacrificing compliance.
+
+Kubernetes allows decoupling policy decisions from the inner workings of the API Server by means of [admission controller webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/), which are executed whenever a resource is created, updated or deleted. Gatekeeper is a validating (mutating TBA) webhook that enforces CRD-based policies executed by [Open Policy Agent](https://github.com/open-policy-agent/opa), a policy engine for Cloud Native environments hosted by CNCF as an incubation-level project.
+
+In addition to the `admission` scenario, Gatekeeper's audit functionality allows administrators to see what resources are currently violating any given policy.
+
+Finally, Gatekeeper's engine is designed to be portable, allowing administrators to detect and reject non-compliant commits to an infrastructure-as-code system's source-of-truth, further strengthening compliance efforts and preventing bad state from slowing down the organization.
+
+## How is Gatekeeper different from OPA?
+
+Compared to using [OPA with its sidecar kube-mgmt](https://www.openpolicyagent.org/docs/kubernetes-admission-control.html) (aka Gatekeeper v1.0), Gatekeeper introduces the following functionality:
+
+ * An extensible, parameterized policy library
+ * Native Kubernetes CRDs for instantiating the policy library (aka "constraints")
+ * Native Kubernetes CRDs for extending the policy library (aka "constraint templates")
+ * Audit functionality
+
+### Admission Webhook Fail-Open by Default
+
+Currently Gatekeeper is defaulting to using `failurePolicy​: ​Ignore` for admission request webhook errors. The impact of
+this is that when the webhook is down, or otherwise unreachable, constraints will not be
+enforced. Audit is expected to pick up any slack in enforcement by highlighting invalid
+resources that made it into the cluster.
+
+If you would like to switch to fail closed, please see our [documentation](failing-closed.md) on how to do so and some things you should consider before doing so.
diff --git a/website/versioned_docs/version-v3.7.x/library.md b/website/versioned_docs/version-v3.7.x/library.md
new file mode 100644
index 00000000000..695dccc3edf
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/library.md
@@ -0,0 +1,6 @@
+---
+id: library
+title: Policy Library
+---
+
+See the [Gatekeeper policy library](https://www.github.com/open-policy-agent/gatekeeper-library) for a collection of constraint templates and sample constraints that you can use with Gatekeeper.
\ No newline at end of file
diff --git a/website/versioned_docs/version-v3.7.x/metrics.md b/website/versioned_docs/version-v3.7.x/metrics.md
new file mode 100644
index 00000000000..24c24feb3db
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/metrics.md
@@ -0,0 +1,158 @@
+---
+id: metrics
+title: Metrics
+---
+
+Below are the list of metrics provided by Gatekeeper:
+
+## Constraint
+
+- Name: `gatekeeper_constraints`
+
+ Description: `Current number of known constraints`
+
+ Tags:
+
+ - `enforcement_action`: [`deny`, `dryrun`, `warn`]
+
+ - `status`: [`active`, `error`]
+
+ Aggregation: `LastValue`
+
+## Constraint Template
+
+- Name: `gatekeeper_constraint_templates`
+
+ Description: `Number of observed constraint templates`
+
+ Tags:
+
+ - `status`: [`active`, `error`]
+
+ Aggregation: `LastValue`
+
+- Name: `gatekeeper_constraint_template_ingestion_count`
+
+ Description: `Total number of constraint template ingestion actions`
+
+ Tags:
+
+ - `status`: [`active`, `error`]
+
+ Aggregation: `Count`
+
+- Name: `gatekeeper_constraint_template_ingestion_duration_seconds`
+
+ Description: `Distribution of how long it took to ingest a constraint template in seconds`
+
+ Tags:
+
+ - `status`: [`active`, `error`]
+
+ Aggregation: `Distribution`
+
+## Webhook
+
+- Name: `gatekeeper_validation_request_count`
+
+ Description: `The number of requests that are routed to validation webhook`
+
+ Tags:
+
+ - `admission_status`: [`allow`, `deny`]
+
+ Aggregation: `Count`
+
+- Name: `gatekeeper_validation_request_duration_seconds`
+
+ Description: `The validation webhook response time in seconds`
+
+ Tags:
+
+ - `admission_status`: [`allow`, `deny`]
+
+ Aggregation: `Distribution`
+
+- Name: `gatekeeper_mutation_request_count`
+
+ Description: `The number of requests that are routed to mutation webhook`
+
+ Tags:
+
+ - `admission_status`: [`allow`, `deny`]
+
+ Aggregation: `Count`
+
+- Name: `gatekeeper_mutation_request_duration_seconds`
+
+ Description: `The mutation webhook response time in seconds`
+
+ Tags:
+
+ - `admission_status`: [`allow`, `deny`]
+
+ Aggregation: `Distribution`
+
+## Audit
+
+- Name: `gatekeeper_violations`
+
+ Description: `Total number of audited violations`
+
+ Tags:
+
+ - `enforcement_action`: [`deny`, `dryrun`, `warn`]
+
+ Aggregation: `LastValue`
+
+- Name: `gatekeeper_audit_duration_seconds`
+
+ Description: `Latency of audit operation in seconds`
+
+ Aggregation: `Distribution`
+
+- Name: `gatekeeper_audit_last_run_time`
+
+ Description: `Timestamp of last audit run time`
+
+ Aggregation: `LastValue`
+
+## Sync
+
+- Name: `gatekeeper_sync`
+
+ Description: `Total number of resources of each kind being cached`
+
+ Tags:
+
+ - `status`: [`active`, `error`]
+
+ - `kind` (examples, `pod`, `namespace`, ...)
+
+ Aggregation: `LastValue`
+
+- Name: `gatekeeper_sync_duration_seconds`
+
+ Description: `Latency of sync operation in seconds`
+
+ Aggregation: `Distribution`
+
+- Name: `gatekeeper_sync_last_run_time`
+
+ Description: `Timestamp of last sync operation`
+
+ Aggregation: `LastValue`
+
+## Watch
+
+- Name: `gatekeeper_watch_manager_watched_gvk`
+
+ Description: `Total number of watched GroupVersionKinds`
+
+ Aggregation: `LastValue`
+
+- Name: `gatekeeper_watch_manager_intended_watch_gvk`
+
+ Description: `Total number of GroupVersionKinds with a registered watch intent`
+
+ Aggregation: `LastValue`
diff --git a/website/versioned_docs/version-v3.7.x/mutation.md b/website/versioned_docs/version-v3.7.x/mutation.md
new file mode 100644
index 00000000000..4c3c1f49869
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/mutation.md
@@ -0,0 +1,294 @@
+---
+id: mutation
+title: Mutation
+---
+
+The mutation feature allows Gatekeeper to not only validate created Kubernetes resources but also modify them based on defined mutation policies.
+The feature is still in an alpha stage, so the final form can still change.
+
+Status: alpha
+
+## Mutation CRDs
+
+The mutation policies are defined by means of mutation specific CRDs:
+- AssignMetadata - defines changes to the metadata section of a resource
+- Assign - any change outside the metadata section
+
+The rules of mutating the metadata section are more strict than for mutating the rest of the resource definition. The differences will be described in more detail below.
+
+Here is an example of a simple AssignMetadata CRD:
+```yaml
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: AssignMetadata
+metadata:
+ name: demo-annotation-owner
+spec:
+ match:
+ scope: Namespaced
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["Pod"]
+ location: "metadata.annotations.owner"
+ parameters:
+ assign:
+ value: "admin"
+```
+
+Each mutation CRD can be divided into 3 distinct sections:
+- extent of changes - what is to be modified (kinds, namespaces, ...)
+- intent - the path and value of the modification
+- conditional - conditions under which the mutation will be applied
+
+#### Extent of changes
+
+The extent of changes section describes the resource which will be mutated.
+It allows to filter the resources to be mutated by kind, label and namespace.
+
+An example of the extent of changes section.
+```yaml
+applyTo:
+- groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
+match:
+ scope: Namespaced | Cluster
+ kinds:
+ - APIGroups: []
+ kinds: []
+ labelSelector: []
+ namespaces: []
+ namespaceSelector: []
+ excludedNamespaces: []
+```
+
+Note that the `applyTo` section applies to the Assign CRD only. It allows filtering of resources by the resource GVK (group version kind). Note that the `applyTo` section does not accept globs.
+
+The `match` section is common to both Assign and AssignMetadata. It supports the following elements:
+- scope - the scope (Namespaced | Cluster) of the mutated resource
+- kinds - the resource kind, any of the elements listed
+- labelSelector - filters resources by resource labels listed
+- namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
+- namespaceSelector - filters resources by namespace selector
+- excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+
+Note that the resource is not filtered if an element is not present or an empty list.
+
+#### Intent
+
+This specifies what should be changed in the resource.
+
+An example of the section is shown below:
+```yaml
+location: "spec.containers[name:foo].imagePullPolicy"
+parameters:
+ assign:
+ value: "Always"
+```
+
+The `location` element specifies the path to be modified.
+The `parameters.assign.value` element specifies the value to be set for the element specified in `location`. Note that the value can either be a simple string or a composite value.
+
+An example of a composite value:
+```yaml
+location: "spec.containers[name:networking]"
+parameters:
+ assign:
+ value:
+ name: "networking"
+ imagePullPolicy: Always
+
+```
+
+The `location` element can specify either a simple subelement or an element in a list.
+For example the location `spec.containers[name:foo].imagePullPolicy` would be parsed as follows:
+- ***spec**.containers[name:foo].imagePullPolicy* - the spec element
+- *spec.**containers[name:foo]**.imagePullPolicy* - container subelement of spec. The container element is a list. Out of the list chosen, an element with the `name` element having the value `foo`.
+ - *spec.containers[name:foo].**imagePullPolicy*** - in the element from the list chosen in the previous step the element `imagePullPolicy` is chosen
+
+The yaml illustrating the above `location`:
+```yaml
+spec:
+ containers:
+ - name: foo
+ imagePullPolicy:
+```
+
+Wildcards can be used for list element values: `spec.containers[name:*].imagePullPolicy`
+
+
+##### Conditionals
+
+The conditions for updating the resource.
+
+Mutation has path tests, which make it so the resource will only be mutated if the specified path exists/does not exist.
+This can be useful for things like setting a default value if a field is undeclared, or for avoiding creating a field
+when a parent is missing, such as accidentally creating an empty sidecar named "foo" in the example below:
+
+```yaml
+parameters:
+ pathTests:
+ - subPath: "spec.containers[name:foo]"
+ condition: MustExist
+ - subPath: spec.containers[name:foo].securityContext.capabilities
+ condition: MustNotExist
+```
+
+
+### AssignMetadata
+
+AssignMetadata is a CRD for modifying the metadata section of a resource. Note that the metadata of a resource is a very sensitive piece of data, and certain mutations could result in unintended consequences. An example of this could be changing the name or namespace of a resource. The AssignMetadata changes have therefore been limited to only the labels and annotations. Furthermore, it is currently only allowed to add a label or annotation.
+
+ An example of an AssignMetadata adding a label `owner` set to `admin`:
+```yaml
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: AssignMetadata
+metadata:
+ name: demo-annotation-owner
+spec:
+ match:
+ scope: Namespaced
+ location: "metadata.labels.owner"
+ parameters:
+ assign:
+ value: "admin"
+```
+
+## Examples
+
+### Adding an annotation
+
+```yaml
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: AssignMetadata
+metadata:
+ name: demo-annotation-owner
+spec:
+ match:
+ scope: Namespaced
+ location: "metadata.annotations.owner"
+ parameters:
+ assign:
+ value: "admin"
+```
+
+### Setting security context of a specific container in a Pod in a namespace to be non-privileged
+
+Set the security context of container named `foo` in a Pod in namespace `bar` to be non-privileged
+
+```yaml
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: Assign
+metadata:
+ name: demo-privileged
+spec:
+ applyTo:
+ - groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
+ match:
+ scope: Namespaced
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["Pod"]
+ namespaces: ["bar"]
+ location: "spec.containers[name:foo].securityContext.privileged"
+ parameters:
+ assign:
+ value: false
+```
+
+#### Setting imagePullPolicy of all containers to Always in all namespaces except namespace `system`
+
+```yaml
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: Assign
+metadata:
+ name: demo-image-pull-policy
+spec:
+ applyTo:
+ - groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
+ match:
+ scope: Namespaced
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["Pod"]
+ excludedNamespaces: ["system"]
+ location: "spec.containers[name:*].imagePullPolicy"
+ parameters:
+ assign:
+ value: Always
+```
+
+### Adding a `network` sidecar to a Pod
+
+```yaml
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: Assign
+metadata:
+ name: demo-sidecar
+spec:
+ applyTo:
+ - groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
+ match:
+ scope: Namespaced
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["Pod"]
+ location: "spec.containers[name:networking]"
+ parameters:
+ assign:
+ value:
+ name: "networking"
+ imagePullPolicy: Always
+ image: quay.io/foo/bar:latest
+ command: ["/bin/bash", "-c", "sleep INF"]
+
+```
+
+### Adding dnsPolicy and dnsConfig to a Pod
+
+```yaml
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: Assign
+metadata:
+ name: demo-dns-policy
+spec:
+ applyTo:
+ - groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
+ match:
+ scope: Namespaced
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["Pod"]
+ location: "spec.dnsPolicy"
+ parameters:
+ assign:
+ value: None
+---
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: Assign
+metadata:
+ name: demo-dns-config
+spec:
+ applyTo:
+ - groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
+ match:
+ scope: Namespaced
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["Pod"]
+ location: "spec.dnsConfig"
+ parameters:
+ assign:
+ value:
+ nameservers:
+ - 1.2.3.4
+```
diff --git a/website/versioned_docs/version-v3.7.x/security.md b/website/versioned_docs/version-v3.7.x/security.md
new file mode 100644
index 00000000000..2253d8b31db
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/security.md
@@ -0,0 +1,11 @@
+---
+id: security
+title: Security
+---
+
+Please report vulnerabilities by email to [open-policy-agent-security](mailto:open-policy-agent-security@googlegroups.com).
+We will send a confirmation message to acknowledge that we have received the
+report and then we will send additional messages to follow up once the issue
+has been investigated.
+
+For details on the security release process please refer to the [open-policy-agent/opa/SECURITY.md](https://github.com/open-policy-agent/opa/blob/master/SECURITY.md) file.
\ No newline at end of file
diff --git a/website/versioned_docs/version-v3.7.x/sync.md b/website/versioned_docs/version-v3.7.x/sync.md
new file mode 100644
index 00000000000..80585e86c03
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/sync.md
@@ -0,0 +1,44 @@
+---
+id: sync
+title: Replicating Data
+---
+
+> The "Config" resource has to be named "config" for it to be reconciled by Gatekeeper. Gatekeeper will ignore the resource if you do not name it "config".
+
+Some constraints are impossible to write without access to more state than just the object under test. For example, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we enable syncing of data into OPA.
+
+The [audit](audit.md) feature does not require replication by default. However, when the ``audit-from-cache`` flag is set to true, the OPA cache will be used as the source-of-truth for audit queries; thus, an object must first be cached before it can be audited for constraint violations.
+
+Kubernetes data can be replicated into OPA via the sync config resource. Currently resources defined in `syncOnly` will be synced into OPA. Updating `syncOnly` should dynamically update what objects are synced. Below is an example:
+
+```yaml
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+ name: config
+ namespace: "gatekeeper-system"
+spec:
+ sync:
+ syncOnly:
+ - group: ""
+ version: "v1"
+ kind: "Namespace"
+ - group: ""
+ version: "v1"
+ kind: "Pod"
+```
+
+You can install this config with the following command:
+
+```sh
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/demo/basic/sync.yaml
+```
+
+Once data is synced into OPA, rules can access the cached data under the `data.inventory` document.
+
+The `data.inventory` document has the following format:
+
+ * For cluster-scoped objects: `data.inventory.cluster[][][]`
+ * Example referencing the Gatekeeper namespace: `data.inventory.cluster["v1"].Namespace["gatekeeper"]`
+ * For namespace-scoped objects: `data.inventory.namespace[][groupVersion][][]`
+ * Example referencing the Gatekeeper pod: `data.inventory.namespace["gatekeeper"]["v1"]["Pod"]["gatekeeper-controller-manager-d4c98b788-j7d92"]`
\ No newline at end of file
diff --git a/website/versioned_docs/version-v3.7.x/violations.md b/website/versioned_docs/version-v3.7.x/violations.md
new file mode 100644
index 00000000000..7d1b0215526
--- /dev/null
+++ b/website/versioned_docs/version-v3.7.x/violations.md
@@ -0,0 +1,73 @@
+---
+id: violations
+title: Handling Constraint Violations
+---
+
+## Log denies
+
+Set the `--log-denies` flag to log all deny, dryrun and warn failures.
+This is useful when trying to see what is being denied/fails dry-run and keeping a log to debug cluster problems without having to enable syncing or looking through the status of all constraints.
+
+## Dry Run enforcement action
+
+When rolling out new constraints to running clusters, the dry run functionality can be helpful as it enables constraints to be deployed in the cluster without making actual changes. This allows constraints to be tested in a running cluster without enforcing them. Cluster resources that are impacted by the dry run constraint are surfaced as violations in the `status` field of the constraint.
+
+To use the dry run feature, add `enforcementAction: dryrun` to the constraint spec to ensure no actual changes are made as a result of the constraint. By default, `enforcementAction` is set to `deny` as the default behavior is to deny admission requests with any violation.
+
+For example:
+```yaml
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+ name: ns-must-have-gk
+spec:
+ enforcementAction: dryrun
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Namespace"]
+ parameters:
+ labels: ["gatekeeper"]
+status:
+ auditTimestamp: "2019-08-15T01:46:13Z"
+ enforced: true
+ violations:
+ - enforcementAction: dryrun
+ kind: Namespace
+ message: 'you must provide labels: {"gatekeeper"}'
+ name: default
+ - enforcementAction: dryrun
+ kind: Namespace
+ message: 'you must provide labels: {"gatekeeper"}'
+ name: gatekeeper-system
+
+```
+
+## Warn enforcement action
+
+Warn enforcement action offers the same benefits as dry run, such as testing constraints without enforcing them. In addition to this, it will also provide immediate feedback on why that constraint would have been denied. It is available in Gatekeeper v3.4+ with Kubernetes v1.19+.
+
+```yaml
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAllowedRepos
+metadata:
+ name: repo-is-openpolicyagent
+spec:
+ enforcementAction: warn
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ repos:
+ - "openpolicyagent"
+```
+
+```shell
+$ kubectl apply pod.yaml
+Warning: [prod-repo-is-openpolicyagent] container has an invalid image repo , allowed repos are ["openpolicyagent"]
+pod/pause created
+```
+
+
+> NOTE: The supported enforcementActions are [`deny`, `dryrun`, `warn`] for constraints. Update the `--disable-enforcementaction-validation=true` flag if the desire is to disable enforcementAction validation against the list of supported enforcementActions.
diff --git a/website/versioned_sidebars/version-v3.7.x-sidebars.json b/website/versioned_sidebars/version-v3.7.x-sidebars.json
new file mode 100644
index 00000000000..5142004e59a
--- /dev/null
+++ b/website/versioned_sidebars/version-v3.7.x-sidebars.json
@@ -0,0 +1,108 @@
+{
+ "version-v3.7.x/docs": [
+ {
+ "type": "category",
+ "label": "Getting Started",
+ "collapsed": false,
+ "items": [
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/intro"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/install"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/examples"
+ }
+ ],
+ "collapsible": true
+ },
+ {
+ "type": "category",
+ "label": "How to use Gatekeeper",
+ "collapsed": false,
+ "items": [
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/howto"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/audit"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/violations"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/sync"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/exempt-namespaces"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/library"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/customize-startup"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/customize-admission"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/metrics"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/debug"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/emergency"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/vendor-specific"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/failing-closed"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/mutation"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/constrainttemplates"
+ }
+ ],
+ "collapsible": true
+ },
+ {
+ "type": "category",
+ "label": "Contributing",
+ "collapsed": false,
+ "items": [
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/help"
+ },
+ {
+ "type": "doc",
+ "id": "version-v3.7.x/security"
+ }
+ ],
+ "collapsible": true
+ }
+ ]
+}
diff --git a/website/versions.json b/website/versions.json
index 896aceb5dd1..064dfa646ee 100644
--- a/website/versions.json
+++ b/website/versions.json
@@ -1,3 +1,4 @@
 [
+ "v3.7.x",
 "v3.6.x"
 ]