From 38a9798e799c7e7b706fa9b0364a7ba591938467 Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Wed, 23 Aug 2023 14:27:38 -0300 Subject: [PATCH] make charts --- ...ancher-gatekeeper-crd-103.0.1+up3.12.0.tgz | Bin 0 -> 13234 bytes .../rancher-gatekeeper-103.0.1+up3.12.0.tgz | Bin 0 -> 17281 bytes .../103.0.1+up3.12.0/Chart.yaml | 10 + .../103.0.1+up3.12.0/README.md | 2 + .../assign-customresourcedefinition.yaml | 757 ++++++++++++++++++ .../assignimage-customresourcedefinition.yaml | 237 ++++++ ...signmetadata-customresourcedefinition.yaml | 655 +++++++++++++++ .../config-customresourcedefinition.yaml | 105 +++ ...intpodstatus-customresourcedefinition.yaml | 67 ++ ...ainttemplate-customresourcedefinition.yaml | 357 +++++++++ ...atepodstatus-customresourcedefinition.yaml | 66 ++ ...siontemplate-customresourcedefinition.yaml | 73 ++ .../modifyset-customresourcedefinition.yaml | 676 ++++++++++++++++ ...torpodstatus-customresourcedefinition.yaml | 65 ++ .../provider-customresourcedefinition.yaml | 78 ++ .../103.0.1+up3.12.0/templates/_helpers.tpl | 22 + .../103.0.1+up3.12.0/templates/jobs.yaml | 126 +++ .../103.0.1+up3.12.0/templates/manifest.yaml | 14 + .../103.0.1+up3.12.0/templates/rbac.yaml | 76 ++ .../templates/validate-psp-install.yaml | 7 + .../103.0.1+up3.12.0/values.yaml | 21 + .../103.0.1+up3.12.0/.helmignore | 21 + .../103.0.1+up3.12.0/CHANGELOG.md | 15 + .../103.0.1+up3.12.0/Chart.yaml | 26 + .../103.0.1+up3.12.0/README.md | 210 +++++ .../103.0.1+up3.12.0/app-readme.md | 32 + .../103.0.1+up3.12.0/templates/_helpers.tpl | 113 +++ .../templates/allowedrepos.yaml | 35 + .../gatekeeper-admin-podsecuritypolicy.yaml | 38 + .../gatekeeper-admin-serviceaccount.yaml | 11 + .../gatekeeper-audit-deployment.yaml | 156 ++++ ...ekeeper-controller-manager-deployment.yaml | 169 ++++ ...per-controller-manager-network-policy.yaml | 30 + ...ontroller-manager-poddisruptionbudget.yaml | 24 + ...atekeeper-critical-pods-resourcequota.yaml | 23 + .../gatekeeper-manager-role-clusterrole.yaml | 174 ++++ .../gatekeeper-manager-role-role.yaml | 37 + ...anager-rolebinding-clusterrolebinding.yaml | 20 + ...eeper-manager-rolebinding-rolebinding.yaml | 21 + ...guration-mutatingwebhookconfiguration.yaml | 60 ++ ...ration-validatingwebhookconfiguration.yaml | 109 +++ ...gatekeeper-webhook-server-cert-secret.yaml | 14 + .../gatekeeper-webhook-service-service.yaml | 38 + .../templates/namespace-post-install.yaml | 165 ++++ .../templates/namespace-post-upgrade.yaml | 153 ++++ .../templates/probe-webhook-post-install.yaml | 46 ++ .../templates/requiredlabels.yaml | 57 ++ .../templates/upgrade-crds-hook.yaml | 116 +++ .../templates/validate-install-crd.yaml | 24 + .../templates/validate-psp-install.yaml | 7 + .../templates/webhook-configs-pre-delete.yaml | 141 ++++ .../103.0.1+up3.12.0/values.yaml | 271 +++++++ index.yaml | 44 + 53 files changed, 5814 insertions(+) create mode 100644 assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz create mode 100644 assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..757e9f9b26e4d2cfe68cc5ad95918261ec4c60f4 GIT binary patch literal 13234 zcmch8Wn3K1vo6629^7GZcPBUmch}$$G`PD7QG?MMNGLHGNyu`@xN)-^vZ^r|E3;c@DRXnktEq9w zs#|?CurYR1QMCOmVPa(scHH*lfX7+Qc$#&i{ww(<$_>2bCKzdoF5<6=m3?IKNwRcS?sUbG zavbRt{9qOySLOmG80qHFEUPT>+==}KAl$P6Zj>5`D1-2`kG-q?<@5QrvE$?OHE{p@ z`ucny4rfJVDT7)$b&xW*Y)R{6Sv}4?4px>OD~xA}gzR@}pCM+T%26_u4t}7_H~t+u z9#Wg~Y16bTDnlR+j(JLzkabcZL$Z{`z-XwKMyBJpA~x;mqX0~hl_ zA48?@vFWjCJsF`z3YRK9Yd^y#*?wS5IEd@Dwka6X7|V)v$yuVgr&O~FPqFQi*jerM zHMnx|Ac=QvfU@%XyEYV=7Tt~wPBL(3L5NYT`KOX#j%6UTkS`@ipa&pxIVeP8Ee4(= zPqQ?P;4(PRfI_VD3einqFWgRy>Y?Ilt|C~O1WUydGnP6!1!&jRoh&78Q@HK;iB+tY z7)@NM7(D`3zLr=zRx)P+5LIMKGry41Ybb0)>Ek#&%qUzcVYl68!dhOdlNs9uwwg~< zw*YGpW&saGcpsk{ab-lT#S6{cz2(GGm9`K@AFusMFj5-rfyb=dSc@1uoG*>M$F z%8xw9ZliK;<)l-Ik8=Se+&(vlv7+KVk7Hl<*7Y4Q3uKA~3tTXu2#!E@jy%QXptl?T zK>bf|G}x%GJ-pnJgv}>VMj{+9KB*heb#?sK_JUw}zJ_DDq=xgZP7Bm+^X@6vt#hkV zxfGQLu7i|e0(ezBI^{y6!Y527Jn((g*% z#*zUHzxnhVr&MYzH}`A(kyN z>0rf0R^wKd4mMjKB%gVs7 z*!LNeAAj{oR;f>;PzkvTczgIPGeym|LE*qre+yhi*{B@DsN6LlO1~SV)@*ojelOhM zIK>eiXtVVc9ow=M=!bRYhii+Fm}EJPV@KlDe0Fx+pyF>ypIDM>Tu}=jx^zO1x^N_e zCPi!zTfCmslSav+lAol*xiZJk-P^9244J2_lEafjhPrT4DvM&QV9$QB>X1D_zN%pC#nqhK87JvBb*PvHnH&NEI5 zxE+P_7#N9X8qLXHAtv^T38X}oW_#e(Tss_^S(p=z0Odq9^7j)N*D=&&G?vF+$}LG~ zoAew5Dq5Z9l+;JZg><5lY~zRH9B#zPY=g!}$qHK^eCR6(YY7U6ef z?Hz?DwO4)pfnwQ-opir2n-dGQJw?fisDqVlrJ%vTJylRsHDq=HI zM{W()i#)|Jj9~}9*H9>azx3K%0*Qi;dO@`pJ~jWM`qG%IEXkOM4_1t2rzSu_-1PF2 zT6y+LW6+Is)2d4^&8=e4`X`QNLb)-M8gZ1j%;wJE*M(XpCq2c_0<>t#gVS8dGFmA< zD;&m&M+zPb-8v+r?&-xhWp(-~b-i1ODIJqhlfpcFG~v>w&LSt2UC}_7g#MIknVO!M zXhGUDdQ$zV+T|jOi{zh#NFls;mE@XmpmFUuW3e7xkI}YMhCH?JE)NkW4161pVnaxz z3&P8l8wr$byB*A7PY9>1(d}ckMWS*_uac@c;e`}j>K)HbkNZ3mW_2Lm7lFhBmj(`= zF;G^;11MVV;`vNya^jYwEmPH_U zvcx$71on|@9f?=GdFHO0wGElV7=&B9ld@1v{e|`8UK>2#F}j+0t3vULy*26BJOzYT zV1T<`=y^U%GVaf$ag7gS{1*Dk({n%zDca zI$G+_B@788;x}1*VXiDskpZ-Zw@I=j-?}eKgZc=BXDRhK#c0x=k>S~80NSs*y=@aE z%3d5bs-}B%x)!#q&Z|G?XeuUSnt+}RE$t8Hd{=ahfF6o+T#(m&5u;Tq>v zx*fo`2mG{ZW`SD+CCwHEAKRd}Q||T6F*y!cwGPDL9<~mLdT|xc%*Z6nIz?eob>5 zc3QP#BY>cXwL14F$8a#0aCV3{n-fr^OOQEB5}P%$_4nDBE&{ELCx20?F(_8@S#Qqf zpT_}lYt?~%$Yo~zdc8wAz-yo%W_#c;g?r$@+~ko4{*txEjuEmDAdK;QxVxst@w2!Z zq2P@gONW(hN7PHmAq%)Fk#2x1S_dhJLC<9Df3-%&dg3Nc9mJV(Q_&zx z_V3%h4i*x;*J9s(K4h6|2e*gPMhk0X5sfc#Q4c>4+~-y&WAliOAR;b8CovND_y`R} znjUKT_%gq>R{6Tt&e!4k!lEI1Hz7XvD8R?B83iIF5a_u9p&X=9)b=zXBRIwDj1^IM zB1*||Hbj_ad1Er-5j za^Zs?Cp)w>G|A-bU~N3BhH?4AFD0r5c(d7w@q`i0-}RbHYYv6jgnx7nh@_D9zq=I1 z_oe)pW%E*$xHU>@ z>$It?8BUk$51ao0<{$w1Y5{R{b(FW+CZOCHwJ-;d9f((<+ z*DeS&t3CD-h?Z-)&9+GP+6?c)W3|QuNUl`Mj4(J@IWDwvF zH{O;IqeqA(*|qWc!i`X-U@8%a9tZcrgpUQQ1Ur;#7P117%m+gRtqk`T0gn`S5T~c5 zS*A4fZc6-LgK*}%O;~a05r#19+NhE(2ywhyy&g`z$_KTAwO27URl7`k0GTo=wcG_t zbiXi@M2ptLf(5#hYedl!WifTqE}mTa5;#avVz4Tofq}7f>>NhuF++i^zu+-DeuaBE zQ{dSYXB+4Va8&fE*U9>9Mt@V!^z+%qkT!Mq7SAN8XtOq7?5ONf0Q}k{Rq_NIEQ8EjxwRvMe(h}1e7!qwEwuy zzLvyjpe6!+rw0W)x_l8)wMfIg9DveNg zSWMc2x%`cNY6s{52BY*Q*|J_^OP-V#ke{N{$+V0MwJ>c_0`|K7hZhdoGuXz5C?YIx ztQ7lPq1rqnwO**kLhTZ>yr6G&ewvG0y+(ohpqc{);c|;zf0dRfz&}`ZS(ObFQ+Ty% z(^CpKL5A1w2sTqQV=GfPg+R?0tGZCA9bm=Q*M^P+mQC4^ zDx(a%8gg@Dx&3zx;3LAG|3GP>8CJF$n zm!GuybY*A7Uh(+xPN#}cwOkiXkuyMY&QO0sxosEHJ1Si{m;~)A`J3T%S`oUb%I^t3 zgxs-#PJ6?zoUFVbV8~NpDDHm!3F_j5wDw(ouN@I@YEV2|jt z;PDvUQ8(C&IkCXNrF|Rq+H)T;!_*y<*W9{Z%BSYsGZwuoEd@lkV&c757=Wd3NhF-d z&(o^4`&3$;r|ns_FmCXfv0CGbO|Pt1)j%{wnQu5X#Dw9~t|@q-0G++jH!W&MXOv66 zDmB9le?fODxWJfiOk&E#G~DVxe|#Tx=Idy7Tq!{*0u!*Fje{LHU1fmn;BwaV<2@~^ z;l3@af|jbOgTzr}Mn-hOm`4T}d~iE5byu$7-3yofeCs+XGDWOAI4Tl9RqXDl{^3Uw ze%pl6PY+dw^#V~UOtj4HzLs_jQNa(mEn?2%eN02yjrIV7%+_b~U5G+kBieoR0Nmw6 znY_jgR8rI|xfC|FJ^zEI%803MsmQ|Mk)dOz-RPqZtccOm?||>+esB>$c5N-@bsOIA zzhVYTnap@ybD4;@`F?ou0!T`U=N9`a^{JoK+^l<7KgKLU1^%Q@gfben|5zi2sXStv zjI|GM6uDQ@Rn;Vv?ox553e7nN93-y5EIDLO3dyYhxbfjwIk9{j!9uSiV{S^6xitox!hqoG)ZQGCg25GAvtHYkZF)t5)9tZ zeHmtXKsWXyE`MH}?10fp3QNjL*k*LFyUaMHt%S~KL?`uXnhudwiYcvi?}QTfimIY} zG;PQ@s}*(e`Rb7SYxMjBV30< zT%*a`PkUO;xa8bJ9}q{P{o7qrJH#j?2E(RSWv>`qAi~RNrJNa2Q#1!56#5Hb#;Q-G z`l~%Og(=sWp?&m;O>WhG1AM#=jEyC(jhcnm*}`HIe8X|oi#da}Fa1X?^zSVWdN*-2 zZH>(gEA%*OdJN{@Oi$0m>AJTcM3n~fJ`Ql>8~-W2{IOJ4s}oh^M{C%(72GF|l1841 zVw$@kb5i0l$lnyi>kugskg=-5)Mz@?^}1+9q(cEgTRFGu!muKgLfF~TwNjs*nW|zG z?A~#X`{Y7mJ`v`mY`W8!yNS8pY(+bna!_23%R!D@>HrHFD2SJ_>r=L2>m^zg8th?Y z5050h)XY9S0)KeTdF8Qr;-PJ0n;c$Pj$g+}d<5yuX~BMHnd4jA)YIH0F{?~`7IT%@?3jBe#+NM05qs0L<6NCifbK-39krb|iq{hv{W z;Mm9Ynj1L^7b$Y!a|Sy3os)3FIuIoj;lX%oqgnk&kjYN~)BSYF19CP}?yMM$Fs8D= zC1W_b;kI9fsiNRO6R#BRS=1eHK4?4YZUj5>N(?Ou;C%ZD_ao5Jk{%Z7`OUw3Z%%ozxmU(0Wp}-uOHgi+S`og`LnDqYdJ!$ES!FQRZBmEU7 zSQ16Q;aN4WGfctDXipd8*#=hzVA|P=XW7+)YtT1+jki{hwgP}MmE39 zWC$)c<2KG)-&RI*0Im$_7t3P{f93&bHyGPFKBc&vCQI;0eTe-^_Di71dUgLP#WFwE zg`T$V7vby(&WGixrrRoBf*>i~_5tm|7oN&V@<{NfLUP11APhkW;$Z(Yb%9mgc}Vf( zAFH{Yw7FFIo~UMSGNJ?$iz@dy1@@a-1ik{!_0krI)~_W|sdQeColK0%!{@vfTRFx& z@hBS-$q9Xj&WHQctMJ=kQ>G#uNoAPE=Ryx@;m{{mXA3@aaV>F$Yrmg=T)N|^4^^BE z(wEwe+>BA(qKr0D_ta;(K?(4(=#73NSt?krOk@50rPswZz`||Et#%XLW_S1Va2BEX zu}XOF(c=1kU%96`&89QFk=%SCV4_hAs6j7`B(ksTd-O8l| z;gGS7n$zu0sVEUQ@Aw<$567>RU1*-|c zPe?L*!c7EGR#y_TFi6K~aikWd)vYGA!R=B;9E4Pa4Z<7>qMxh%=!~9Wai5OL8q$sX zHqQK!h1FX2Jgu98<~9P3SHFaa8D%u_VJx{5t^8h|jA&9_);8Lp;QEozqrBpaKcMEf z9SS$l$!la!F+{6alXufo&{~hVl^9BA(zdTn?})|qQ955Zc%YqGmydmlG-q-~qO2W#b|W#ou6^m;j|b=#^5+ZT*RGQGd;? zLk4F<@{b7D%x|cVG?7LAl_En3MqGHb=GAmUE|OFLXe4t|FoCKF2qsYz$?0IgAvhBov^qfR3_tDN5NuL<3f3)sn|K0Kj5B zb4T|a`|*b{8S2m;HwJB=4c_+$Ekl zIsm7HzV>#!y85>{Ej`(Cx-K7(A`uTwvT7)HO+b}+k4W@%6 z(LhpwCpifKA9W)Xw!bk;z+)L1(ETntw;m7@<$BA52ci%Mf?3ZP1cH%376#zIC$R6; zzld@b2NWVX$449z7YE!iV-_Oi@Z2XB2mBRfBK&LB7Dq!gkn>Z}yE9G}#D6sJSE$7P zTK@+`#VCtt;M|_Ds4F?`yZd$=bt~a_xilQ=Mhpt-YRP_ms2%9#B8qqeE&o5rTidPw zHh}$KS8s>_-OQ&23=sdeVN3|=Z|=PXB#`DMNTiUkB!UFn#P7*pn1Js06{0dt=Y6SY zjjj@WUneS52t?maT^Rq{P}iYO0H8IN>fKvwti`{YXX4cV`1z+BosviZt^8PkZd%R1 z9XQfxi1semlM00m2@E~g6C*-EeTAILB9lxFbf5^y>&aCRhsll%hEF}GR(|YEb@LQ5 zvob#+65te62kT|mm=s$c?=xq^{mjel2l|pbF$n6X++EoK0znl`n`8YH}sDs5|FaA7!4X#dHjyHOd61xww2oGZiDixS51_l+SEF|O@i=Mwk1^N-mB zdE9_Dtm`e>PS(s=vwlP=-KfFF5pv?n(x+8O@RSQ4lvX6j3W$eInU?-GBr@L-B1Wh# zX`yo^6oi*Q?`e$M>1G~r3EclF7WK1XLg66!h_3i66kH6QDn}4hN~O?>4*9o&!rv{z z+g{TeLw2QK?_I$Q6F|mJc4h4F8 zKEFr5=s=ErCA(kayS;P}@_nguIyc0CI@ad^^TXPyF40(@9D4GDSW-JhfE+#Bv+M!i z`?*enkG;_e3uBY^x-IPw@zlG5g?fB-#~zc$9De7IR(nD7O7S*i^Kth4D?bOGY-}8F z5sd<@kPSRwmzIL@15Ze-khf}?=2r)KpIr}+jo6|b;&TH=FIbl)H=2}x~b>l&!dYdtlb9BD~SU$0JYH)e& zRFUQ|0-2TJu2t4KfCqay4$n43yULn`N~+(WJT87Sk^h{OVS8Y!^t)=+oN$c zUr98k^$_@i#bGf$+pe7JZ}+@UiXRTk=}h2F4BsZjuaR+*eMUyyX@g!gp{&dtbG4H}%U#*3U~hM>N|3FwE+Y zA(K7oI+|f=Z^6RvtL=%Ed>?EZe40fzi1IBS+c?l9L`8=@TBTO7oG)x0Il`(Vs z6QjH?SFM1P*q%zU3;9qF7l*B@Ba<9MkFIN_yK_4VNA^5rXMbD@xAWy}7aKFnVzTLj zY|V#rp*dyxWoW}~xVnagk1!vVPglK75c3zne z7$y<32dba?UvPsrQk!?#o_(DW(ct3p#530xT;g^*71X$*>&>2F z$4kT(k}WMOSOyG-4oY zJ(`}cknhc`;}W4wQ#JCaeEO*uBfOBgxo`^8yd9<542s~p62Zo@FM?B^^yr8 zSphX1i{5u%Zy$a*X?eNbMUI3}5T$yWUs|KeS64r}_a>Dl99SO#aaZcLB3+|iy?0=X zBoG|aulWKL9Y}7{oZ}?cBJA9=NN<`T3y9WBFRo_`2&q<*N6Z@?pM#4T^e_#ct_U`D-)+6rLkseOsbR@vqM01Mtt;62Wx5guDyt7)>rLxPwaKCnk#=PK~NY& zF_PT4nk^Vj9^l=R8`($h@QS1jd?E4F@3iQAJ2HIs+BrS!Nszj7&I&Y)y~OrrA+U)! zvt9yNA5xdL@a^NNI{OrE@!L0cb)4!8&;S}(oTz}GUe6*?332dj2UCXc8dXG3C!wg9 zDayjHUMb?*u_G;E&>H4r)7;KRcR09-T7JfZS1*_$G<=cIMnlN>x(_KriOthBpg#yV z`z_m>gGj@&1XB0wKDY=Lc5^3ebLV9s1Cyg)Havpv*PXX));JXO!PqAFkyp{uo-gRv zd-*>2ktu6)r+WhFJ~*w3=)2;hso;Au4kbPgl|=ck{+skI`|xH(!iO7c-iXwy7rw4+M?;igyxU3AwiyMNsMq0m;p^>#V-BVIEtH(Dmqd~j2`i!7I z`V6nrE@t0vbw}>?c91LeRz`NpL%RN!-b5IXGb66ihYKa&5jnONl*T>I`y3ldbx}1g-RSGyuGMT!?a{9J zc)ULEqn~tyNa(k{G;nYSJWIAL%q5idU3whUaOk|&-FlAb?9KD6(GH9UU6OM@59qVbU;t5s4x z*;9g5gFPP^-$`&`T3Ie7Z*U+SyY4XO*p`AYqtqzS>t7!7)nRcgRJ%w1Z#O!~G4r2f41c!cDy-u=T`N@(QG z&ZZftD4P^haK4R_8H2}QsDXrst?-A@6w?bdg-oFH*q-1NB(xj$6gpij!!$Na9?WZ^ za#UMiF_2Ut;UrVPn>_i$zf3>m&|qWk%guxCFOuXE+)hUcgR#% zNY9o%*yraanPG-7;36DHi;8FvILtO;N!tX;k~qPo2Tm^}hJ4yfz_u*#<QCh&iYw^bnHiiN+eGPd=vJ*GtIVU2c#J|y^QM_ z57WqZUp2_>Hf0VpOqRStowzXGYX9gx%%F#EbS1JpCH3DySakWoL9`?MUs7Q)Jq?BH zX>HsiZ}(Ru%EEs%qM2^LwNZah%)wJgb-Ba-VR^GnRrd;08_<#R_23q6hO~nRz@pxfSc>5B`o>MHSs@nJhSy?fw>j zI-Sycl6rP{q9y*ROxc_Ja=5n+retRFyE+>^(@b3L{EzBjPR^+BG@HB;dFbGzibQCO zBzf9pw5UW*bCwN#jnioTd4!%@O_1J*l$(%RMQmInNbPhn%haWJin0s0=_3>MVn9Lb?n<(T~6+*Edtm z_0uJoy#hqA%WutS>0pQ_?7XgcwG4}OFUx=tgo@e74C$#+9=I9Gj!-Ns6HP0R26K2S zs!laEJ4QO}4eY7^Ecc)-Ux$kb(v$`ew|KM=KX1;PK%F)gj6TmdIOFY)tyYv865^iH zFp-N+qSY@#EUck<&A`m86<_eNaepQ`kX7})+9in4EDSoX8ET`!I#&juN5IM3^XjdA zgdr_pz5vT(9=4|{PnQUxWE4n!0OMJn|H#w(3%Y?vncBwnkHnt>Ws0Z|&0pOajyF{V zLs4fc-5%B({w177&5%~e=d3JxeQ&@T3%Nsd8lVFkkRgOex8@s2KXre!FH1pqO02d` zoKvH-;^RbuWlW=m?@NC`H;tgnPhDeT953_etAOs`h5o+UwyKV^jF#V|Ra)GyLFm3n z69`i&ui6~P`rGZrnc-(K-#3y@Zt-V4lw&yN)XePlW*P^@*_~yTo|{@cLp8a-sq00aI2)J$IGB*yJE*Dow^c0It84b9 zHnHs$-SE>u*8q7pymOeNFKLcjn`CZ*c-bR9i~{~+U6K7kUk{_k&$m~3tbp@{Eqbo= z)ULV(0pd*`_TFt0J(@&OaWz{DdgR|#ve`i~uVw8}csOxjM|ii`5qYwbh_HgR);#K+PrC`!haIPM7QwX9 zYpFJ!_gW9hRo%Zk={9S#l(y=OPY*AzMQH>Aufl#ONMpn}AkR>BIB+&5lrXc~i4D6h zk0&oMrcMP`&WD>Y>nK6DLWuVo*R*anKGzYMJ_H_wp zu@+gPdGE&M9iw%_Rdw4|peM(WdOoR%*V{wx^UZUKnQ}Pox$W0j#FX z%RmQJQfMrUbE?<}lD$(Zi&oB6N+YZ}&Q(q$CI%ZL9GGowmpgj8#*5X)SBfblxmw*D z&6DEK2*rWvoo=qEYqk>TabvE+TluFuZ9^h2{XUUCjzN7skz-q~t&^-*`$e%Jj(HiG zp`ep=s0$-X8zEUaKh!fm)8FQ1WeLV8Zkh>2SR-^m%$ru+xGOFj*LdZn^VRsehx@u? zaOy-y1LzX*T@~nCnz4Q37Q{6(2lt*4U%3d@FC?6ZrUPee=BWm!x2EIg&6FF_?afM} z;aR~pw9Zv>Xr@PjMv1mC=N{+iYKk;9fnwWBAD*%K5C?+Ddt{kvfJ@JKV}83f2-Y<& znmN=nS9dZqy5p^Vzi6}OptDeWe=o%LCNSkD)Q}mAE;UM4ez7p*!Wh+b9YL7N2M@^aL*8bfRHgKX znKMZia)al)j0y)e20K1e&H}e2aXygnTBx!@)!l&+Ht<%CI(o)Ck;6vB5I?|5#3)f# zM!i3f9M|=%EK|55C9W#E6BlNiPqTYeuA4iNEiednQ*z33HyQ~;m&+txLCmIz#wG;X zRW=(6BE3(gKVFKpgKYab_%d0}Q2f{t;IZwLU)p54XHK{RCEAm~Oxw4TZLpQ6Lv6cP zmdL_=Bn^E7Uz{}tc;iw=Q?S}aqbdg^ov{M3JW;9_KbskBKWXjho{d~~?@6^x^k4s(`en4iav6=81=UD zIo$Yzir9F9^y2@uR z37e#<=4U8S<7OmFR$bDg^YT&WYOyNAP*warl+e|?M#5EYfqFvNr=rOYnQTznBg4$1 znS`Q$x&-}Gd7g#lyH>qQ_M(M{U!~?%W!rsJG=(&H1Ui-N9meVs{cNiJ@# zRVDlFBwOH(Cy=8WFEo6mNy+0b+@FoS)Ll5Q{Q0dxf7f&hD-5v_YnpB0Sj0hFk2?@d z43Y{UcrnzL1REO=ieD-jiZ8lN41hu94jmBsdG2|C#7!jrPeCIh_g`UfxKSZjaJcP^ z0Rl$9!Ud8&lM22_?_UMcHv%N|@GEE2I}_qcWaRfwjOZ8fyx9^(+61EfW49~GPwYQF zM3DgYD6s)CDDMvcy$Hp(vOtOrupAHqeeQ|+74XJ*yh*!K!~SoT61aD`$Gr%mNV8;r z)y6{pg}{&bzl_u63le`|ciFM(Q zmpfs8eY_3%N)#nt0?HyJ;`jLP-xKUV)a3S18egLz3?$@V0?m)=)p+j`e}6Je98ai; zP9?WX-}n&18N%yZOUC$he63liV*tjhAQA=A&PdZ3gZIj=FRrujPkdy5Up`0TQ@-un z+y7M9CyjP`>W#?>eyKznBfF6ZNisO3;~Rcz6z@?SR28W+S91WQLssk}-|0XPhmA*D zv3Yk%GVP1V$&vc%sMMCsWaAG$+Id&-_U;=5-auEQjet6gc87d_tcckPopdizUR8vJ zw(KJH$6fhT>ukP1YaT38x@2!VB-ljpLN?*NhN^|LH3pmdmsINw4%$ZG>&n16sFcI@ zXWf#)-YxHkW1~-AwWd$z|F{cd3y&Gz8ZuSu*Ey? z<85EuIc_uU2==)i*N2|lQl^u3t~>l-kEkNWlUs~7Nl$BfYOLGAfY)+Y*VvIf_e%m) zw$FgrWtIvBUrOE0)%tEs-$6PdZe2$qBQX)WB_lKk`9|1eWb?d;t<56tnU$@3Fvon# z!_nJ2q_y-D^`c9c<#TprEA5Gl^tK5aaI15!2nPZ+WZ{+w+25#on?_8{dID)~kBtXD z87+z?YRvFKE{@;6&hTDtrpxF|1nRVTo}g=mE^dgS4vpJzbv$IWvJ= zSXpik`~iq$m+IjU-0dH}oE|0bwLd2kJbh`W--7nXgS8>1x5VZ|Sr%*$MugPmPi8Xc WcD%a=fxms813Kq+Sp}nk0Q)a^`pu94 literal 0 HcmV?d00001 diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..0e986e1f8c98209024fe1e353d22e387b6e70b24 GIT binary patch literal 17281 zcmV)>K!d*@iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHbK5x5FpAH=KYa?k%5EjjW6JV18U3E@DUais@jG$iV|(T~ zZ>3TZOhOXYB)|ng*`7G(v!B9^1TUf}o4!Wat%*h4yMacdyV1=c@h6CRV<^x$LNQ`% zdlSe+?+QlYPwk|Bzu({4+EV}a`~Bj-8~x4ApVqgw-mGtJ^|#+_|I}aKdb7Fn6X>_p ze{D**fb6IKt@|oY?ujHw2o+FZO8B4yfDZ)>>A2@ZAwtx{bPXngdYEtl!*Bq~%f<6q z@GgSFpHx=&5fgZXQIOWHEEZrMhw#cHFhT?H>1Y@HmiACt;XFA*-V`y8DH(v5|9S`3 zdmH^;-|N4uEH4}8G4#;@=#TCc_!So@s;o!(0ECz%mzB9OVi6YHOG~X@U=q*^UR|2e zDGm_###1%`J|!bO?q$R1@kvjAT$`@LFrL8m%4RGMaJKhFjOLm`43 z890}*Sy@S3#S&~`!UbZUpfs#3mSE4PQA`OUVgQ^rVT}K>W1VhvU>s*ZH+$f<2|0Y9Wk00dR~M88e9-ZL?8J;3s7^W_;K)xH z7FV5_7~?cyK2i-VIPl&Wi%z5SPJ{%*KK}*!=ZFM+06uqP zMk6F9DB;~Ny2hbA{Qtlt_(a010T{uMqmEAr7Yt$|{=ziW48{i>VKD$3eO>QYMx#CG zPmrw>U=GhhbeL#{r11GK7~%j5Ove9%&L)(e+x%%Ug7i8w(%RrB5~7x@+9Fkwg^PXll;CX`hSX4he`z_;(^0{fRJip59EpYRXx423hw zemeU%^2G@XkuNB#F0(g5{<$7aVTkf)Mfrpa8XYGg(w!nAq5U3(NT5$KVs`8r*gALr zQXocP_#O&40D>hp<2OWP4a$y@K9}|{V@SAzOXlW%8gM2TJ68RNkYy~@ZV?vw)_1~NXH-06omtD@bTAA^5=U*FiPu$bZmEK zwi+TVc7q6WiQ)aJgA z3X#76U?`>>3(BriHfk-xj8TRHPqImxOHxcyo+Ac8z;VW_x=s5mxK-=&_Qb2Yh?6i( z*XZaY6-Nwl$r9?U6XY`_q5AntCuZot+|MLm&Vu7?EUIY*6a8m?pd<-H^EuajOu6_o z9y1uIYN1@U8T3^Ry^RBlirQ{0Jmj6t7x^C5t!=}6s+qLSb|aLMRXyjVfM1Mi%W%*11Vv zh>R%n(W2d%YH5!WM_XM7+(n`X033}lQJ_{o1r4)vLm`CF06D}h-(h-tmUZo>woThX z?olGprO@jOh9SK;Vt9%}G)DW}hhdIokY#)r!!sOWfi*plDPT0Ve|uo}!w0i>q2gVR zDHXrs5NUCMAt4a)3Vo zjad}w&+-TfihDk$fpe9JX|P8VBFz1|yWa12J6wUWSW#pBI3WT@=sg<2B$PJ_pGNT! zqaz$5GY}&$4G}wp1dcTmjSANpgMz~6BZfx!GR>V(EDl?-Pc}_{5)}APF%U>l>>1ynl)OM2*8#lZ#NcXj(f(EXuNEQXEIR zL2_9DD80@8Wz3MelksA{Z2cTvx!3I;pR7?U7AO@5Kw9d3;&K6{sqGVozmmo!}pjwYpt*$e5EP;q3+u|+uNHP4e_GO#=)5qgjI1c07RJV zP9YBEPLX?T9MUrw8rugE8va)g$uLOAXpFg#OIID|0K`0b zQ|u#!2eXxfUlJS&tkBy1Ca+38j!5vm`=yg;`P|;|dj;*{jjyn9*ctS-bPz#dc|2sK z_>y28kbfiJG8UytX=bt{dA9<0IdVyg5EDzS@zY8b`d@*fSjjoozD`gWBgT6ozKtq) zj{Vop#@0qb|NCZh^UYHKdmpLu?c3Vxj?&TvKui#j{4}5=^|vx*>2+SOegEG1_RRwU z8exJ!*SQVI;$7fn1th@)J#9lM2?pr>rR@o1$xlt&505~#oR5cd@20x<1kl!W0G_)h{uWnTth9IL_iI{$-o>#DqveaMM$aE5%Ca0EDw z5cnfK67`fv7=-}`kRi?Jpa2L8!~}Ej>g-B^=OwI=Gda#t3R9 zUKM`LV$r44?Ykbws$h5Kj9h^0zm3QNTub&Mggye@|LTJ7*X|8=)oviyd=OxH^utiH zw0g{3uYS3tqlgkf3F5WWNJUbWYc0u^iB8#Rzys@?kKrt$GV+I-X+TWZPygCO02az_be#i%%V z#pv_Zjx2J9LV967J2wJ}NO^$`DGWI9X%fn!fNKGhC3BP`x5YB5Ri-C1J*RO!CnF^4 zx@NPIQ&z&BfvGD$pwS5VVgR}ysS$7?`8ksrb@wGf@6N`xGYoF-H+l>+t~eDi{*;I~ z5g?{q03$@Vf+wv?v6KrjfQVpMbJl&T;4=dFBiY8DZNfrG+izNqS@q+|x*aQb2i6DU=l0vR~cvd)RH zrH5Q0qA0+1zM8{Mp68VxR&%8+-t+Z41;EW2e_@d2Sxjk|MCgzvM2pNk5XrxfpqLB{ z($r`);ZS#LS9oIX@HZiEy62nIw!c*UJYh5A(}IG51#K!caP~{3)S;IZE*|v{eM5TQ zsrLS_#C|AHXUHw=!RNjI+I&;E|8MlS`s>U4|9vF)ZBB~#{G+6`>G~NGaJ_SmNiYDJ z7VXrO??gzz017Dgy(S0eZ@Ig8I`Y13tP>4!Fdr<1b5w%5n?K(2UEP8*XEeFidf8Qg zz5tS!jG*F*<&|X^Lk1%x5aUCAuTRU;7?IthgTFR)6;}@#Gs%X!(rca61d0kveLz6Q z;8h_93lvr8H+2Or7$)Nm00Ocx5-HQ8e-1!u9osv9TfjnUmNBLSaGkavL;oC(Q3>E_ zfvGjW|NN~R@o{$mB0m291$=XcnDM)VcL0+(5j}>c7+v(JGE44BZ1vJo{PWi@PHhea z=1K%Jcn3a@DGl`1lmgpWh7Zk;e*XFe{QrR}`3}haC-?;xlUHdEntxnXt*p3x5h?&A zSFh4OSDeg8f*DevP*wdcQc2auGBcrgtuU#rc(8gT`4 z&j0nT?VZB;zqRvbdwKrfN2(Q%#XL4wDRt*@c?FIB0&8%TDa7@)KgSsqo|>n3uk@{iW7bPaqQul+W`+R$tw{ zLR{aQCx~I8gg7tV%khc6FsIEJT|uFgx%9kDnWy5mOSz}{YItjUpu2-)j8YyWf|puD zzHRL>FwsUP0I(!P18|sdah#A{-qFS!n4#c3qw!urvu`!|ndZH!5u>SBm%gC!PW5L%FUSRC!S2z4`i-JkT)oH4 z6+u7rZf!p;M*ocj2>L!vNMj!%bLfA6yT4wf|Lgtb``>#>Io}MHjvKnQtI?bz;y(<{ zHP=%8-mp~HiacLFb&}9{|EniA0g6La86fBN}W@u=Hi20~!jEn~8u(LCeb5^hdTk$Res+4o?yBn)8vIWZq3~pg|Q4Q;AJA;GQj7 zjYgOVsx)?aZt0YsBjT7RJK{XY>f5ONU*1UNuU}`n;^CQE{&G>R*w4V1>E89oJag1z z;|J!Q(^}3!jJpnHwUCaz5KWP)@hT5V>sta`>uZ&SC>1Mmn;=FYy8<)H+t2BTLZ_LV z884Nra!(oXxdWf+ji%V%JWnyoahlt5rSq9$tMwjAN^Mp+JSn!QaWrBy@_gt|Pzg(^ zbDip%{v;vi9>;%|Yo=~Ns%xq<$dfFBM@e{9s-E)(RBQr8SeSN@^6lYPFL(^8?p{~( zu<;4vrH5;2ATykY6q`-S)Vn;D%I9$bMZz7DArA^dMcQS-chUFn`TEuui>DhZ9RTST z5|oPoF_!zT-w=5)2-v$pah|>Gg;BA+%vX~aQzl9v>NyXVN~ltDKhJ9GJ$ZWOuvKyd zG^2&FbqVBIlMWAAr$FTfXFCvbo6pg1B`C@^Pu^u!aVP3r?@VW_{%cR>LSGJhkW#8& zafm8t;RuK2MQO{==~K30R+M^G;W5Km$Ob7Zv{~`)YmT*rBh+Pba01Jw~IVinJhz$Y-ib+A_v+a=mot z&m7Us2Q#a`Qdf^_;(MPyp6(ue+&`|I{s0v5Su*W=S!Nw_HhdY|U|%aLgCKWG6CvW? ztO<}!u{LVblcx>ShsrN>8VaL8TBe#!S%k| zUgfLCtkoNt4yG+v7!Vo|RGSgHJr@Xn%_L_V6t4H37K&ztcCl3(7rF~7H8ITAjbmt7 z-I9pnwLITsTN6?2>9LqB=h<{=DWrKBEOJk;%Zo0{&8np2%(@V%yW%v=cvzZR@ds*Y&K174rzb}U~8kFCs1v8*u7bwv z;7MqUN}gtZ49(Fkq(^0?Q&B!$hG|?Oq@E=hFW0`2ki6VXjlg`C@IIttFHoM;-KJCb z>eVU|`wnE5nk4T51o; zVm>~Ho~2pS655k2Z)Srx(TY4*Rzr zc;^hmi&eS19*uTFGk-K(mAj2fw(=NhsGgl!cg|Rrdea8|mAZOd6JJzsdUwjtri^Q? zdaYt9-=R`;KBo=}&Tq7c*~wm9LE4xzZ&NGV9666gLwiTdsSV9-Rjbchi(8)XqtNJ9 zt7R+r_~t6widFYi)wSiR%vascsk4|Gw}QIfSf#sATenj0R-FmYN7Y+#shp?wt*lc_lnqOO^E^D(g1ABi@4k$215q zXGtufah3#QG{X>R9{u0h*(}iiH*fk&`hPD;d3m3%gTXt{bN#&Zc8?AWCFi~0AqU;m z zcJib7w`jp8DIY|~b%q?ARmtX@;!BIA+mioQ_kUyhZ^Dcz7jUUI`#%X4aIPzmdGvpM zr|AD}duwZH|9LN|!2jn$>KA>!rKX|BZmA!Re7ZYfVahpy)&s7rUT~)GgmE=w(x)-1 zV3kWDJH4v7o2s@Jw;Z{GJ}cjWZYWOg#*#v>;j@uv?MLmYrl$1YGX0E($i|+Oe>d?1 zHHZFhz1bA;dX)u{)x?PdpnDPm{Vm!(3D zc4R3Jf^tjRHEN+L{n2S>Y@A+(nCm|-s#{AZ0a#SX#<=Fm-GAtIUSxj3;JviUY*%9wDj0?*o8n5jWAL zfoqvfHMywJ?G^!C@HviA0n`acE^k@tUN6nZu&!nV*r?o9WOMQH<$eX zeWX_T|0Ux;lksmVC%XF!LRCxJGUra{&K#w37N;JRqUt$%gsLx-0q5FM2`zXv%?#ZPJl{oA)c06xTqrV*}v1!nAp( z3r|#FFm-TLhH$ubn1dz3eV*wy^nWhlH)*c^cfA<@VP~ViP&^0f zM5NhKaG2Nq?YXOEW>m6K$Mpnl!`z z_D!{x8GOsTJy#r)-VTqVG#O9yaOfyMjb|t#h-tvrP&`2qVld2{Iu{CD zB0v8nq~k)7DOT~@@?T@h#E7yB$bv!!qnB6tPf!TxPx9Z4xH|oq#dY9o+=n4bbF9~S zRLYT^$-N{}V|S z_y4&eV=Lc;Yp;w8-RJfC`H?U2bK|ewxeER!`yczr{@dskz?}WRv0jS*wY9yqwEwx6 zG-EGort$}~;VJXfi}`lwIDWIOx6FwUG50DwUu$2@TU(pzmw;@Hg!VXHC|tOw^K_as za*T`TzcU}t?pV^HxX!6dexqkLl^7((L9(&hlkeXH!Rs#@Ko@-B>)q44g`N6|9fU8+6*ok$^+3l9@6U>Gj& z@=vGw^M8G_|E9?QZ*1(WFVFw`NTo=ITpSoQs}nyx>1JI3&YR-KyE_2x9xNB|E)X71M0WtX-gdVl zU%%lq-kQ4upm~hM_Yn$EuzH3@lp#;6{mrw@s#CUZg!DSKo~0&6$17=ovCHTbKSCv31@*|LldAHfWksVP^hPwJU-h7;q9S_DbPL z7wjW#U}iTZD3(K>X7`u#Dp!v!?0IyG z*agD^IXRV~iRKt%tt^j zC||`6_f&=QKJVV=?(II(-Mi4ns)0OMd~?mA2dXnKr>}HtFSq7=7`M1JOR=SL{y3ag z+Y6y(=6>s_OS+x<2<-KN)?Ke)o;OQxm3t0(-*?xPldfQ-3)jnPru>oK93{N(#kXj4 zB>f0rpKYJwSg4eUZNa?6@dBiCwa*{@ck1Lv|FqtJDtx1XCQN2K=UA)>MGD^aKs#zogK}a$b7Fy8?(J0-R1tOdcwclX1Q&4CoWxPfHZr; zuPoiFAMr1Op~cRtrPrAhNp9anM zssG6>u%$An;h~qo>j9NPvzE(Z%AlsLw5SYPYHsdAb29^xEog2Uw|wWCnMcpBE2a1b3-Mxz_F79*pF0`?p zo8n@*HCt3%m{ymHi<>GgifqioNbc_U67$&f5DDTSN5mri?JKO0h#arw_8sq86^gkl|B)R!pgcjdn%xQN~S^k|qiYUwY@8m(m z4{D;hsk|IIS~+x;Y$(V7u=cg^~#Gq=vv z`QE81U%`%@zvcPGld=Rp3kIbliMZkzd%gYREk8DG=(F0A_|$c4R^tUY@h2#P$_=BK zATW#}gAo#l@gW#t6b5No8Y8lMbnw@vuHwqRV@6}d1TKp6BgDBpiz~(CT(F|{u*inE z#UW$xs*r;Pib}<81?||hlsRjx288IU>T}JQb%J3?FHmrd#^|z91KJ-*>ZeZsbRFWJ zzb(gc28s12Ep5?>7}US;@Q1y)(U0^Wg$kHI%*;PRG|mF=18 zP61hA@Gfm5&G~-2eoeDAT{|62F%8v<{`{>Q@o{$`tFMA?fCR)L?+(DXu7W2Sf7L*d zMf8X7-@oKKHUa4a+50zD7+eEP;zabA@OjVJmi|v{|?@n zHk}EYcD{b;oueza9Wzo{DQz;1oF6y^mBi_lDZT>!1^P~AfJR>pRC&xW5u;b#E1G~P z;leg%cOLlXw7UvEo0h(;lo8|Nv^bMh+t*5CWEGH*dQ)x!_;Ymi#i@%fW8@1B_1Q44 zs35@(-o2B1-^qOe0;+a_@|~$}@6H|vn5)bHjW9vMDxge$f&`!_7FT6Lk#?4A<$t}i za{Fx8G4xe+`Kq$Ys)o_Z90V)M5B~d~Q;E`lfq)`CUJeE3qboZXNlnnDMZ5B7t(sr0 z9&alP;-Qc3R#GkhXC%3v&jPM)_%~w#=kR}T);G5b{NMV@K|5uzc@-l@VPriqPq&Z8lmzpt=*A-Da~p3 zOZjnAZlOH=*Gxb7QoE@duo7$yw0_^eyE@NC+RVzXnrKUJX-m`gB4{?TrjFbn?~*FQ z`iAdBQr4r%qmb&yAoC^ju70Os>E_yNP%1und-(p@-58O zeHP3%?5-?be2P&r<$hUiA!o6jRm~f0OQtdoubkiB$oV0GvF5C!3M=OdtjJo`#?5_q zFV&bf-_o$T&a8QkQFEn9^Q<}6STgr(lzFo5kE6wV=)3JQ%}=%RAERkW*$heZZy*Ai z=l_3eW4kE-dDCC||G$^?!VuiC0Ixzsz^jnb^CSk{x=VI9^~Nr5YhBQl|6f@Fec*ln z-g%+O!9PYcAxefFU|%>H90{A*wNbgt8ppL=&heOZ!3c&NEnFRj@dVmN4&bd_9ipsS0lSu|UXN&SVuIz>wKiL$yH-}?wlXl=Si=FL%NUZ1 zCs`@X_HBV?qpZQ>Ar0{8>I8{f%=1t-Pg=|DP4*E3^&M_O;i$}O1(2YWD90T2a7 zytjLFU}K9pCGiMMApZkh*`8ksdZP3;ptoYm{r?Js%M}qUaeJ1>_pDzgPUqKE@DFr} zx!`h#n>KSJdWHUz7Ex2njU-hAcCCsZ>>a=705W8?g*|Yjt}DPCK05j%Weo9{Dv_S7 zqHkG1UsG*S9V-%Zo!L_aYVP!$9}i8G?=dwy|6?BC*!%zd_+LByqW}N(Hyg|NU-y#k z;`}e%;l?37gQ0!F6!X~CEWL0H&|l3YcD>&r2VE_rN{R7N_Uc~WcDpNSizA3b&^?_X zV~~=DjZGEE6F5bRq?DQgyGIAUHxZrRML4 z#((Ypw>I>et>IqGkdYU*`2J&keY3w)djHX1?*Ds9?t>1>@{c-ZJp@^)EOuyEuNCK| z2Sa}ndv553V?)QP6_ps7L|ZREj4ZpbY?tn&8oUuncXl~@`9kDJ(*rE%^{MGDzwN7$ zoA=YAN2r-J1~ha6OqXZVCyn{`vRK&$ z!@fJhwYsRwaE^9nqUiYp zJvA9!_zbM{Ka)P~jrHOCDrRVeFHxY6tpByr1D{BE1t?K9 z<&Z#(7zi;zy-x4_$=4G>8S15Z{iQ~%Y&@AS_8W^3xd_QPbn zCjVo9@+n!%8ajjic@hJ8dE}kfJ$?~)UiZ%6dFORcL~-Z!|J!*1{(=nCgoA_k`@GXL zzV_W$1RyB~ks|M2OzUKF&_$GrXjX6H>||8MPVF8BYvq!(as z0?8PKbllkuL&+~IHK(t>axh{vQfks9=7J#@flo)f;J0+O7!~LR4nuH;01N^YNJ^sA zqjF1iIxk*;&qwBQzu^EuzyAezV57g$_xeA3>;2A)7caoBtlaUyzR?EBZZi{)F(QaT zK^edV3=L6IddOi%RaXW+Shet{dR7o*oP`|HP-~!_rS54d>(Hq&q73|w!U${vpGGkh zSm~p+owNrI=@bRZI9j*J0zQ;fNQqT!p<@)OVlvyBO$-$$$CaWjRj_L4DnoiT15>f% zG*KFC=5tZc9Y79_^(F=rNCL^jXO2?Ud^G&bKs3vk;=f}5AMfwJKiqF?^UvG=>)Sh< z+r{&LYjb@W|L0!P3wJN8g}*0Pi`uonApwq2Ou+#e(N1SL9Qu@Sd0mhkB49EL27$xn zgNYC^AFQp>7!h-c@!%K{A&=)tawe~M&Qen=lRM2B$GyYhu+#Z^f)Mze=6!i(8@Csx zfcjkhQ2+TV3$3l_6;Go`?zDjVNrZ^LuJyjESy^XVW}eQhUT6SV>8#>QO8d{DDKKOR z23J7eaf8l3)XS>0zDFu*e?H#-u)lk<|MlbU;rF=S zn`_5KK;{ME%c~dJj}>r+LV6*A>LALDW-hKwxd!O6UfvD5Ucc5KBx9hcJ~X&%yVPVIZiZ`h6?);9y2IVk57hx z`wYj`2Arrgxg3-g&!G{h3M*)HrSVPOKv9Orn846VepbQ71cwO7k;_ix#0|PrkzNlR z2>FE=YNS_(BlaoP09-OWP}KqiU6>QshXmkAtv!i3?af=3iK>v~K&26C90XKT5ru-% ze)-qCY{OJ66tn(rPP>YvdqXbd%^3ti&=~uCZMyMwx@qQ*DKS*R?A7#hnLJ4Puz!i7 zSjg#p%vRs2T@D%%FcCC@0{buwuK-6vqtrS1Mj;%7q30phTDFki&3b4&lw2rf0b+7~ zx|&9RTIgbe7|Lja+|vf3C|K1bC*f<&2c!<>&-#cB2|5-Q-s zGi)?Gr!UYM#{y}j6=B3Rx+1-QN0db_{XR-hj85k|`vsb$Yw#Xv`XJH&qa-UPmxqMPaPQ0N7$-;zF;W|GO@5yNBCf&k^Osg2-VElhRi^BHU%}hur5uS7%7gZQ z)3bI4`oQTL48MK9ADEYn{ABOy`J=up7#lQc1JT10s z+*T8q3pjRr*D%k0eD>)Y>?MpLBJ5=gOs&3uINj{6Z}j?2fZhn)j)`an?%c;`pRU31 zVDyoSBZfF4;#LHvG0d$&bq?m~$7i4J`}ou*Ia%-e_*7P2sfc54R3>mt!zWDJ?-J&f z;b#iHtH2Gw*sZ9yfi9QQ1OGEY1lYPTq-3nm+Tr{=z;IRT$zt7wl4m6ZKn`Na1fZk3 zMuv((g34DfCRn7gCE9?~9kS*X0Y7pKOMzwa6Q=kT4I{bWT~s`ybPa}buG)vwn*8(T z;BNr)0&nu8vMj?ly|WlqKKNHs3NQm=IXF5-Ir#v5!~`B;ABrculxx#9 z7%KlhZNR+<^Ym?3P4A}@l)eyCN^_1BafxXFxIaNbqSVQlxGgKWE%-M*dz#e$E=7v& z!@OC&E5|BMxgP=ScX@{99%s(zUBXORFg#Dr5FMO z0p8CiNtlDKicoaK@Dzt=jP|(?wY6?{pgriVg0Am4$m$M2H()gG4!~y^hF?}emmwH@ zBH`6BrQ%l{B5kugo&G|yDh+%>h6lR>S4ZAcbjw<>h4;Y zFV)>Gsk<9Nd#UZd6RGiBm@l>6pT7(Xz-nJ4^QXgcJgJ*fF5Ts^cPAp5X8`uQ5Xo4W z-;qe>$wU1vL^2lUcPx^5var8P+OibMRHvsSl3~b-*L)TnrM{dqNJP4buk2(OL`Y5YbXSR-a}(;M!E(=l7zP~sBznx5A&sMOo;hv*afL1|wKebbEWI(9`^2EyjpOo( zLDp6g=5qyR3(3n|_u)_O9_yyo@3bz==L*agm6tsau;1xApDQq1TweAZpx(N?tUCC@ z%-(M*FMG4xh-zKuaYKx&&Il3;0|Ay0d6 z&iE^UKecl>m)bm((>5*4=WEE*Q7pvxKXI_PY5-~5v@oBqAx}rKAmjg}q24CLpSEdX zK3_wgj^c)l|C5CMozj;18uD}$GZ}wl@VjLETVniowzoGo8nOPWq~-l#5@2ya1Y%Pd zHkg^*LnF0!h<~NkTNe}TPjo{7bLFq&d8KPG-0ZjcaM`DX3kER}e_^Uu1^*!F(2VXS z&?9(>qa*?^038`%Pt(fE9XJ#EJ`J7r+Zppiq-!wTXcOiNWWO>R?LmJsmpi`(r|?|s zX&F^v^6AL&ZY-!lK^hD~|MZ)*{g_kRT5|=Ky-7mOPw?LjpstDnF3ZXjImBE!>h<-# z%E5rl)i8er!*~M02tkoBw9>-B?>SwA;dX1}C4>4Q6#nE7Owj&X2fFSZpl1{1(5TX>2|GU;uep(U9A3UQb)RITYS7o%K} z8puDBbPa|FCLF`<+p26BEU%OQz5W2htbDfx}?h2zk0T3c%TwYZ%)DN7|l|P-QU-1%SlF6_FU! zT}KEKWpU5AiZ0`0<|ok<5#a)=cH+LIi--jHQtRY#!|>+k8vD#kJh61(Z}VRDK0bfF;N2 zMH-gUl;Gz$Ru?)a^pCSw&Qx$9H4NF4=HYlc1+#!K%ev^@!#Yp6pwSHF?KRNZj^0)i z7zIj2jdqU?Tv-mo<1u1+(sP)IM1@8|mlCXaYE1cuT34?hRD6o9%52yJA3vS$55U0) zT+zhD3RSL*R{ZMyh{%XCA1(ZBsBM^6Pjhzf+9afkYDff_ zR}VC8s0ZFt#MN`E3(C$7Z0ivH2=4`L->fvu_b&xv1cvXSfc3o_m?KjG1aoRU#nhq+ zNCx8HY~0*qLj?9OV@P<3Elfe21=>y3hbXP`26l}>4%fw5e&sdOC4)^Hz4`*gVb{~R5E+B@k1 zdsWjxFVj*HyaFM;Kuk^u9Pb{2giH1Yl0df!_KyApV#25pp^C77nh<3`p(9VySl|f% zt-aAIwE~QxkHu9_f!u4u=XnZpBpCMjFB&TI1T5F!P?wiO9JbL`8RoYTOx6*Z76$t$Qk!DQ0_1B2F1Hf76!*cC5xBH}{V%}0RuKH; zM8T={_kje#cZ{rB-QXi-*R1jh%63|p*GQ-*0Ty#14sHVVq9N-O zggCe>yGaf412U!I6a^m}dTBN&(2zAqkf27;pJb4>JPbCi1FFt=p5aG3ISWkS{a0#w zD^?VWT>R#JNIQHD<{)z>g-H+W<_0AhFT+E5+^2DwC6I?NCR#vbd!E^`;tOW?-U4Rs zBelMg@)Yx?t0|?9k8MSj2DV&PRjKV|71Hs0MDYA)SElz5bPNI{Al6_TQ6Nz!7f^u6 zGkrLI2QdGDrfB{%9nWE2YW|F&`mQRaU~lvVl*)W(4zmf164|LoE=82;S2CNx-8GcYX2c%e+`Cj zx3=0*4OYY47y?!<^vvwoJ6o#H8~Wcy+QXai?97umL=hqahUzmPfX_ew z{PUOZjasXOKPnhh=KI%?)1fbNk<+O)o-}rPnR@s+*bv|S<);AiBZfx!(ttjDm!K8U zvCVweP``%@C*|TJ66(Eaxp)1{jF;<4u%96ipg5#g+QD93OHV1at)DK#JRp3g+EmhZ z{m3jUm8a*2nUv+(Xg99G&^QVI6*GQ&U1=HSbAt)Z@&Gcre%|rYyQxgnhGG>TZ zde5<0dW&hE3~^%(_Of7zl)UGtv8PMF-Q5VP1v8Qj;(Edvxa<~jyd1^ z0{Z4>hKIJ#EerW(@m6Y8%+Czc#dJ52uM^tld!Hr1HO||!6XY4CwgtEb<~2gweD9?T zX9n<`DEHZ<_GPvj0tOZ`%P+OoJL9Y~|kTeX=ptdP_S%9|i=krpx^>rSc^(r1uV6r=fI8>gaa=o7xol{pl%`*NTqlAmp z1sZ^9dvGKWQ;r0u*nbM%H(TTJ(sjj_Abmr z3WHx@2#GISp541#=LbiUo+$M<9f1!{P21cp2lmL)H5j(0?sj3Wg;9Uc5sYN(T!}>l zbqsmz8#yp>q*c!%wJnNbXVC9yTbo9`n=lVbY%6O?a!g0y_?O+i1wA)Boz!A*6YZ+e zM1t8vOdODZBXy`1%%&5dhLr=D2pU0w{ajQI<6=!V z1xWxHeU`yjTeZWQjZMu$&IxUhjp?HaZ=kCwX@W*93UWAlUMU~s;3D^~*^|?52}zw7 zFTkE;J@Hwh%xU+OS6<%f7=P6ajr0qG&$(iPg5OaX$>L0Wc{LFt=7Y608YALqV>M5? zbn1<Ht0L;M| z2EgF5^piHKRr}Vc@eQAKB2%s#jxEgvESVn{Mw`;;RsNJkE3PoLdq66xbQr?@#vGO*>vry6h) z%82-A4f;Of+=Gdj5cS``*V0zKtX01DBI`FTV7gjKjTua^3CTiXA`tUYEV%Odo(C%D^&3>mp9NxsnPanjD2ral1D}wQM1ab*e(5zzG2%V2ORfOA#9ZMc9kH64_BxE5|Y^DC|3s^hnt5ZaU4p>TA~oeYI7Kf%X^LLO9dl= zGXD&d^kP~8BR&MLa1Zssg&e3HVA|A*j>+cOW9Q0dQ>1oOS#3dA=F@uXVjmSaJcsC~ z8OQs(?+^ETihKPt9y1sip41_j)AioQ_J4IcCjv6H{V*wIuY%7$Ov{yj&|~EaZxxz;KjpeaoikLk#m=Kmj`>Z8Bk3enubEri>8LVi37biWDpjCU6@P zmY%+AEB2&0Ly~F)X&9@Sm>5|quU+NyN(!IhJVj34H%AsyTZJ+}7od8U>QK_>O|HO+ gfFyt{;7j?yGA+|G{ZQ%u3jhHB|Cu4hLI6wx02|Jqy8r+H literal 0 HcmV?d00001 diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml new file mode 100644 index 0000000000..531cd37e2d --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd +apiVersion: v1 +description: Installs the CRDs for rancher-gatekeeper. +name: rancher-gatekeeper-crd +type: application +version: 103.0.1+up3.12.0 diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md new file mode 100644 index 0000000000..26079c833e --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md @@ -0,0 +1,2 @@ +# rancher-gatekeeper-crd +A Rancher chart that installs the CRDs used by rancher-gatekeeper. diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml new file mode 100644 index 0000000000..ce98648baf --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml @@ -0,0 +1,757 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assign.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: Assign + listKind: AssignList + plural: assign + singular: assign + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml new file mode 100644 index 0000000000..bab801672a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml @@ -0,0 +1,237 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml new file mode 100644 index 0000000000..468b01fccd --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml @@ -0,0 +1,655 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignmetadata.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignMetadata + listKind: AssignMetadataList + plural: assignmetadata + singular: assignmetadata + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml new file mode 100644 index 0000000000..57826ac09a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml @@ -0,0 +1,105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: configs.config.gatekeeper.sh +spec: + group: config.gatekeeper.sh + names: + kind: Config + listKind: ConfigList + plural: configs + singular: config + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Config is the Schema for the configs API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigSpec defines the desired state of Config. + properties: + match: + description: Configuration for namespace exclusion + items: + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + processes: + items: + type: string + type: array + type: object + type: array + readiness: + description: Configuration for readiness tracker + properties: + statsEnabled: + type: boolean + type: object + sync: + description: Configuration for syncing k8s objects + properties: + syncOnly: + description: If non-empty, only entries on this list will be replicated into OPA + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + validation: + description: Configuration for validation + properties: + traces: + description: List of requests to trace. Both "user" and "kinds" must be specified + items: + properties: + dump: + description: Also dump the state of OPA with the trace. Set to `All` to dump everything. + type: string + kind: + description: Only trace requests of the following GroupVersionKind + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + user: + description: Only trace requests from the specified user + type: string + type: object + type: array + type: object + type: object + status: + description: ConfigStatus defines the observed state of Config. + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..230a541bb7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml @@ -0,0 +1,67 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constraintpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintPodStatus + listKind: ConstraintPodStatusList + plural: constraintpodstatuses + singular: constraintpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. + properties: + constraintUID: + description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + enforced: + type: boolean + errors: + items: + description: Error represents a single error caught while adding a constraint to OPA. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml new file mode 100644 index 0000000000..737e3aff15 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml @@ -0,0 +1,357 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplates.templates.gatekeeper.sh +spec: + group: templates.gatekeeper.sh + names: + kind: ConstraintTemplate + listKind: ConstraintTemplateList + plural: constrainttemplates + singular: constrainttemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: false + properties: + legacySchema: + default: false + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..271572bd7e --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml @@ -0,0 +1,66 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintTemplatePodStatus + listKind: ConstraintTemplatePodStatusList + plural: constrainttemplatepodstatuses + singular: constrainttemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml new file mode 100644 index 0000000000..042249cf10 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml @@ -0,0 +1,73 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplate.expansion.gatekeeper.sh +spec: + group: expansion.gatekeeper.sh + names: + kind: ExpansionTemplate + listKind: ExpansionTemplateList + plural: expansiontemplate + singular: expansiontemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml new file mode 100644 index 0000000000..1bb1933366 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml @@ -0,0 +1,676 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: modifyset.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: ModifySet + listKind: ModifySetList + plural: modifyset + singular: modifyset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..fd6a0f6dea --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml @@ -0,0 +1,65 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: mutatorpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: MutatorPodStatus + listKind: MutatorPodStatusList + plural: mutatorpodstatuses + singular: mutatorpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: MutatorPodStatus is the Schema for the mutationpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml new file mode 100644 index 0000000000..95e66a8b8a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml @@ -0,0 +1,78 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: providers.externaldata.gatekeeper.sh +spec: + group: externaldata.gatekeeper.sh + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + preserveUnknownFields: false + scope: Cluster + versions: + - deprecated: true + deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead. + name: v1alpha1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the Provider API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: false + - name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl new file mode 100644 index 0000000000..6a89079bcb --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl @@ -0,0 +1,22 @@ +# Rancher + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml new file mode 100644 index 0000000000..e5589e68c0 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml @@ -0,0 +1,126 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-create + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": post-install, post-upgrade, post-rollback + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-create + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: create-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-delete + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-delete + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - name: remove-finalizers + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + containers: + - name: delete-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - delete + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml new file mode 100644 index 0000000000..31016b6efa --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-manifest + namespace: {{ .Release.Namespace }} +data: + crd-manifest.yaml: | + {{- $currentScope := . -}} + {{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}} + {{- range $path, $_ := $crds -}} + {{- with $currentScope -}} + {{ .Files.Get $path | nindent 4 }} + --- + {{- end -}}{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml new file mode 100644 index 0000000000..d1df389610 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml @@ -0,0 +1,76 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: ['create', 'get', 'patch', 'delete'] +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ .Chart.Name }}-manager +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }}-manager +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml new file mode 100644 index 0000000000..3304f097b3 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml @@ -0,0 +1,21 @@ +# Default values for rancher-gatekeeper-crd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + +image: + repository: rancher/kubectl + tag: v1.20.2 + +enableRuntimeDefaultSeccompProfile: true + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore b/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md new file mode 100644 index 0000000000..c68d23c240 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md @@ -0,0 +1,15 @@ +# Changelog +All notable changes from the upstream OPA Gatekeeper chart will be added to this file + +## [Package Version 00] - 2020-09-10 +### Added +- Enabled the CRD chart generator in `package.yaml` + +### Modified +- Updated namespace to `cattle-gatekeeper-system` +- Updated for Helm 3 compatibility + - Moved crds to `crds` directory + - Removed `crd-install` hooks and templates from crds + +### Removed +- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml new file mode 100644 index 0000000000..a58afd353c --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper +apiVersion: v2 +appVersion: v3.12.0 +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments +home: https://github.com/open-policy-agent/gatekeeper +icon: https://charts.rancher.io/assets/logos/gatekeeper.svg +keywords: +- open policy agent +- security +name: rancher-gatekeeper +sources: +- https://github.com/open-policy-agent/gatekeeper.git +version: 103.0.1+up3.12.0 diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md new file mode 100644 index 0000000000..155a813376 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md @@ -0,0 +1,210 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. + +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ + +## Parameters + +| Parameter | Description | Default | +| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | +| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | +| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | +| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | +| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` +| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | +| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | +| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | +| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | +| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | +| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | +| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | +| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | +| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | +| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data | `true` | +| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | `false` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.12.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | +| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | +| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | +| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | +| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | +| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | +| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | +| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | + +## Contributing Changes + +Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md new file mode 100644 index 0000000000..dff688f517 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md @@ -0,0 +1,32 @@ +# Rancher OPA Gatekeeper + +This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/). + +The chart installs the following components: + +- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster. +- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations. +- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources. +- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to). + +For more information on how to configure the Helm chart, refer to the Helm README. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl new file mode 100644 index 0000000000..c71a8fb617 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl @@ -0,0 +1,113 @@ + +{{/* +Expand the name of the chart. +*/}} +{{- define "gatekeeper.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gatekeeper.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gatekeeper.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Adds additional pod labels to the common ones +*/}} +{{- define "gatekeeper.podLabels" -}} +{{- if .Values.podLabels }} +{{- toYaml .Values.podLabels | nindent 8 }} +{{- end }} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Output post install webhook probe container entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeContainer" -}} +- name: webhook-probe-post + image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} + command: + - "curl" + args: + - "--retry" + - "99999" + - "--retry-max-time" + - "{{ .Values.postInstall.probeWebhook.waitTimeout }}" + - "--retry-delay" + - "1" + - "--max-time" + - "{{ .Values.postInstall.probeWebhook.httpTimeout }}" + {{- if .Values.postInstall.probeWebhook.insecureHTTPS }} + - "--insecure" + {{- else }} + - "--cacert" + - /certs/ca.crt + {{- end }} + - "-v" + - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s" + resources: + {{- toYaml .Values.postInstall.resources | nindent 4 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 4 }} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true +{{- end -}} + +{{/* +Output post install webhook probe volume entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeVolume" -}} +- name: cert + secret: + secretName: {{ .Values.externalCertInjection.secretName }} +{{- end -}} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml new file mode 100644 index 0000000000..9abb84ecb3 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml @@ -0,0 +1,35 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sallowedrepos +spec: + crd: + spec: + names: + kind: K8sAllowedRepos + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + repos: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sallowedrepos + + violation[{"msg": msg}] { + container := input.review.object.spec.containers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.initContainers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2c179e570d --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - projected + - secret + - downwardAPI + - emptyDir +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml new file mode 100644 index 0000000000..4b68998cb4 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml new file mode 100644 index 0000000000..a1adb6044b --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml @@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-audit + namespace: '{{ .Release.Namespace }}' +spec: + replicas: 1 + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.audit.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + args: + - --audit-interval={{ .Values.auditInterval }} + - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} + - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} + - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} + - --audit-from-cache={{ .Values.auditFromCache }} + - --audit-chunk-size={{ .Values.auditChunkSize }} + - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} + - --emit-audit-events={{ .Values.emitAuditEvents }} + - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} + - --operation=audit + - --operation=status + {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} + - --logtostderr + - --health-addr=:{{ .Values.audit.healthPort }} + - --prometheus-port={{ .Values.audit.metricsPort }} + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + + {{- if .Values.audit.logFile}} + - --log-file={{ .Values.audit.logFile }} + {{- end }} + - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.audit.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.audit.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.readinessTimeout }} + resources: + {{- toYaml .Values.audit.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.audit.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + - mountPath: /tmp/audit + name: tmp-volume + dnsPolicy: {{ .Values.audit.dnsPolicy }} + hostNetwork: {{ .Values.audit.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.audit.nodeSelector }} +{{ toYaml .Values.audit.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.audit.priorityClassName }} + priorityClassName: {{ .Values.audit.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.audit.tolerations }} +{{ toYaml .Values.audit.tolerations | indent 8 }} +{{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert + {{- if .Values.audit.writeToRAMDisk }} + - emptyDir: + medium: Memory + {{ else }} + - emptyDir: {} + {{- end }} + name: tmp-volume diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml new file mode 100644 index 0000000000..5eb8c9b428 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml @@ -0,0 +1,169 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.controllerManager.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - --port={{ .Values.controllerManager.port }} + - --health-addr=:{{ .Values.controllerManager.healthPort }} + - --prometheus-port={{ .Values.controllerManager.metricsPort }} + - --logtostderr + - --log-denies={{ .Values.logDenies }} + - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} + - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} + - --exempt-namespace={{ .Release.Namespace }} + - --operation=webhook + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + - --log-mutations={{ .Values.logMutations }} + - --mutation-annotations={{ .Values.mutationAnnotations }} + - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }} + - --max-serving-threads={{ .Values.maxServingThreads }} + - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }} + {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} + + {{- range .Values.disabledBuiltins}} + - --disable-opa-builtin={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaces}} + - --exempt-namespace={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespacePrefixes}} + - --exempt-namespace-prefix={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaceSuffixes}} + - --exempt-namespace-suffix={{ . }} + {{- end }} + + {{- if .Values.controllerManager.logFile}} + - --log-file={{ .Values.controllerManager.logFile }} + {{- end }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.controllerManager.port }} + name: webhook-server + protocol: TCP + - containerPort: {{ .Values.controllerManager.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.controllerManager.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }} + resources: + {{- toYaml .Values.controllerManager.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.controllerManager.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} + hostNetwork: {{ .Values.controllerManager.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.controllerManager.nodeSelector }} +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.controllerManager.priorityClassName }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.controllerManager.tolerations }} +{{ toYaml .Values.controllerManager.tolerations | indent 8 }} +{{- end }} + topologySpreadConstraints: + {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml new file mode 100644 index 0000000000..e05213feb4 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml @@ -0,0 +1,30 @@ +{{- if .Values.controllerManager.networkPolicy.enabled -}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + {{- with .Values.controllerManager.networkPolicy.ingress }} + {{- toYaml . | nindent 4 }} + {{- end }} + podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' +{{- end -}} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml new file mode 100644 index 0000000000..424f6a67c4 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml @@ -0,0 +1,24 @@ +{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} +apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }} +kind: PodDisruptionBudget +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + minAvailable: {{ .Values.pdb.controllerManager.minAvailable }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml new file mode 100644 index 0000000000..1546463669 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml @@ -0,0 +1,23 @@ +{{- if .Values.resourceQuota }} +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-critical-pods + namespace: '{{ .Release.Namespace }}' +spec: + hard: + pods: {{ .Values.podCountLimit }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - {{ .Values.controllerManager.priorityClassName }} + - {{ .Values.audit.priorityClassName }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml new file mode 100644 index 0000000000..37ac19cc1f --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml @@ -0,0 +1,174 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.mutatingWebhookName }} + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs/status + verbs: + - get + - patch + - update +- apiGroups: + - constraints.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - externaldata.gatekeeper.sh + resources: + - providers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mutations.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: + - policy + resourceNames: + - gatekeeper-admin + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} +- apiGroups: + - status.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/finalizers + verbs: + - delete + - get + - patch + - update +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/status + verbs: + - get + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.validatingWebhookName }} + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml new file mode 100644 index 0000000000..1018dcdb66 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml @@ -0,0 +1,37 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role + namespace: '{{ .Release.Namespace }}' +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- with .Values.controllerManager.extraRules }} + {{- toYaml . | nindent 0 }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml new file mode 100644 index 0000000000..1fb9f6c87a --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml new file mode 100644 index 0000000000..fbe9580d57 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding + namespace: '{{ .Release.Namespace }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..0bc3bc43eb --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -0,0 +1,60 @@ +{{- if not .Values.disableMutation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.mutatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/mutate + failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} + matchPolicy: Exact + name: mutation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }} + reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }} + rules: + {{- if .Values.mutatingWebhookCustomRules }} + {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..f0dd85d5e5 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -0,0 +1,109 @@ +{{- if not .Values.disableValidatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.validatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admit + failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} + matchPolicy: Exact + name: validation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }} + rules: + {{- if .Values.validatingWebhookCustomRules }} + {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + {{- if .Values.enableDeleteOperations }} + - DELETE + {{- end }} + resources: + - '*' + # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). + # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("' + - 'pods/ephemeralcontainers' + - 'pods/exec' + - 'pods/log' + - 'pods/eviction' + - 'pods/portforward' + - 'pods/proxy' + - 'pods/attach' + - 'pods/binding' + - 'deployments/scale' + - 'replicasets/scale' + - 'statefulsets/scale' + - 'replicationcontrollers/scale' + - 'services/proxy' + - 'nodes/proxy' + # For constraints that mitigate CVE-2020-8554 + - 'services/status' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admitlabel + failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }} + matchPolicy: Exact + name: check-ignore-label.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "" + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - namespaces + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml new file mode 100644 index 0000000000..a841780a55 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml @@ -0,0 +1,14 @@ +{{- if not .Values.externalCertInjection.enabled }} +apiVersion: v1 +kind: Secret +metadata: + annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-server-cert + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml new file mode 100644 index 0000000000..3c0f4453a1 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' +spec: + + ports: + - name: https-webhook-server + port: 443 + targetPort: webhook-server +{{- if .Values.service }} +{{- if .Values.service.healthzPort }} + - name: http-webhook-healthz + port: {{ .Values.service.healthzPort }} + targetPort: healthz + {{- end }} + {{- end }} + {{- if .Values.service }} + type: {{ .Values.service.type | default "ClusterIP" }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- end }} + selector: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml new file mode 100644 index 0000000000..4b4559df93 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml @@ -0,0 +1,165 @@ +{{- if .Values.postInstall.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postInstall.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postInstall.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + initContainers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postInstall.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- if .Values.postInstall.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- with .Values.postInstall.labelNamespace.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml new file mode 100644 index 0000000000..9e4a754548 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml @@ -0,0 +1,153 @@ +{{- if .Values.postUpgrade.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postUpgrade.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postUpgrade.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postUpgrade.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postUpgrade }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label-post-upgrade +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml new file mode 100644 index 0000000000..c9f7065271 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml @@ -0,0 +1,46 @@ +{{- if not .Values.disableValidatingWebhook }} +{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-probe-webhook-post-install + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml new file mode 100644 index 0000000000..e93e6a0a7d --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml @@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + message: + type: string + labels: + type: array + items: + type: object + properties: + key: + type: string + allowedRegex: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + get_message(parameters, _default) = msg { + not parameters.message + msg := _default + } + + get_message(parameters, _default) = msg { + msg := parameters.message + } + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_].key} + missing := required - provided + count(missing) > 0 + def_msg := sprintf("you must provide labels: %v", [missing]) + msg := get_message(input.parameters, def_msg) + } + + violation[{"msg": msg}] { + value := input.review.object.metadata.labels[key] + expected := input.parameters.labels[_] + expected.key == key + # do not match if allowedRegex is not defined, or is an empty string + expected.allowedRegex != "" + not re_match(expected.allowedRegex, value) + def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) + msg := get_message(input.parameters, def_msg) + } diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml new file mode 100644 index 0000000000..28c2d6bb00 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml @@ -0,0 +1,116 @@ +{{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "create", "update", "patch"] +{{- with .Values.upgradeCRDs.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +subjects: + - kind: ServiceAccount + name: gatekeeper-admin-upgrade-crds + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: gatekeeper-admin-upgrade-crds + apiGroup: rbac.authorization.k8s.io +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + name: gatekeeper-admin-upgrade-crds + namespace: '{{ .Release.Namespace }}' + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-crds-hook + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gatekeeper.name" . }} + chart: {{ template "gatekeeper.name" . }} + gatekeeper.sh/system: "yes" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" +spec: + backoffLimit: 0 + template: + metadata: + name: gatekeeper-update-crds-hook + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + serviceAccountName: gatekeeper-admin-upgrade-crds + restartPolicy: Never + {{- if .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- end }} + containers: + - name: crds-upgrade + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - apply + - -f + - crds/ + resources: + {{- toYaml .Values.crds.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.crds.securityContext | nindent 10 }} + {{- with .Values.crds }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..9c4f3a3c20 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml @@ -0,0 +1,24 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "mutations.gatekeeper.sh/v1/Assign" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignImage" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/AssignMetadata" false -}} +# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}} +# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}} +# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}} +# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml new file mode 100644 index 0000000000..b57bc69894 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml @@ -0,0 +1,141 @@ +{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} + imagePullSecrets: + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs + containers: + - name: kubectl-delete + image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete + {{- if not .Values.disableValidatingWebhook }} + - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} + {{- end }} + {{- if not .Values.disableMutation }} + - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} + {{- end }} + resources: + {{- toYaml .Values.preUninstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} + {{- with .Values.preUninstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .nodeSelector }} +{{ toYaml .nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .tolerations }} +{{ toYaml .tolerations | indent 8 }} +{{- end }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{- if not .Values.disableValidatingWebhook }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - {{ .Values.validatingWebhookName }} + verbs: + - delete + {{- end }} + {{- if not .Values.disableMutation }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - {{ .Values.mutatingWebhookName }} + verbs: + - delete + {{- end }} +{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-delete-webhook-configs +subjects: + - kind: ServiceAccount + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml new file mode 100644 index 0000000000..d1029e24ae --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml @@ -0,0 +1,271 @@ +replicas: 3 +auditInterval: 60 +metricsBackends: ["prometheus"] +auditMatchKindOnly: false +constraintViolationsLimit: 20 +auditFromCache: false +disableMutation: false +disableValidatingWebhook: false +validatingWebhookName: gatekeeper-validating-webhook-configuration +validatingWebhookTimeoutSeconds: 3 +validatingWebhookFailurePolicy: Ignore +validatingWebhookAnnotations: {} +validatingWebhookExemptNamespacesLabels: {} +validatingWebhookObjectSelector: {} +validatingWebhookCheckIgnoreFailurePolicy: Fail +validatingWebhookCustomRules: {} +enableDeleteOperations: false +enableExternalData: true +enableGeneratorResourceExpansion: false +enableTLSHealthcheck: false +maxServingThreads: -1 +mutatingWebhookName: gatekeeper-mutating-webhook-configuration +mutatingWebhookFailurePolicy: Ignore +mutatingWebhookReinvocationPolicy: Never +mutatingWebhookAnnotations: {} +mutatingWebhookExemptNamespacesLabels: {} +mutatingWebhookObjectSelector: {} +mutatingWebhookTimeoutSeconds: 1 +mutatingWebhookCustomRules: {} +mutationAnnotations: false +auditChunkSize: 500 +logLevel: INFO +logDenies: false +logMutations: false +emitAdmissionEvents: false +emitAuditEvents: false +admissionEventsInvolvedNamespace: false +auditEventsInvolvedNamespace: false +resourceQuota: true +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper + tag: v3.12.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] +preInstall: + crdRepository: + image: + repository: null + tag: v3.12.0 +postUpgrade: + labelNamespace: + enabled: false + image: + repository: rancher/kubectl + tag: v1.20.2 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +postInstall: + labelNamespace: + enabled: true + extraRules: [] + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + probeWebhook: + enabled: true + image: + repository: rancher/mirrored-curlimages-curl + tag: 7.83.1 + pullPolicy: IfNotPresent + pullSecrets: [] + waitTimeout: 60 + httpTimeout: 2 + insecureHTTPS: false + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +preUninstall: + deleteWebhookConfigurations: + extraRules: [] + enabled: false + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + affinity: {} + tolerations: [] + nodeSelector: {} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +podAnnotations: {} +podLabels: {} +podCountLimit: "100" +secretAnnotations: {} +enableRuntimeDefaultSeccompProfile: true +controllerManager: + exemptNamespaces: [] + exemptNamespacePrefixes: [] + hostNetwork: false + dnsPolicy: ClusterFirst + port: 8443 + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: false + tlsMinVersion: 1.3 + clientCertName: "" + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gatekeeper.sh/operation + operator: In + values: + - webhook + topologyKey: kubernetes.io/hostname + weight: 100 + topologySpreadConstraints: [] + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + extraRules: [] + networkPolicy: + enabled: false + ingress: { } + # - from: + # - ipBlock: + # cidr: 0.0.0.0/0 +audit: + hostNetwork: false + dnsPolicy: ClusterFirst + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: true + affinity: {} + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + writeToRAMDisk: false + extraRules: [] +crds: + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +pdb: + controllerManager: + minAvailable: 1 +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + kubectl: + repository: rancher/kubectl + tag: v1.20.2 +service: {} +disabledBuiltins: ["{http.send}"] +upgradeCRDs: + enabled: true + extraRules: [] +rbac: + create: true +externalCertInjection: + enabled: false + secretName: gatekeeper-webhook-server-cert diff --git a/index.yaml b/index.yaml index a9dd671e4b..4806207a91 100755 --- a/index.yaml +++ b/index.yaml @@ -7729,6 +7729,36 @@ entries: - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz version: 0.1.400 rancher-gatekeeper: + - annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper + apiVersion: v2 + appVersion: v3.12.0 + created: "2023-08-23T14:27:25.623358276-03:00" + description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments + digest: 5bbe2b29192147f8474fd173bb24bbd9d07a7ed35d17ffe3a9656c1547b4d4da + home: https://github.com/open-policy-agent/gatekeeper + icon: https://charts.rancher.io/assets/logos/gatekeeper.svg + keywords: + - open policy agent + - security + name: rancher-gatekeeper + sources: + - https://github.com/open-policy-agent/gatekeeper.git + urls: + - assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz + version: 103.0.1+up3.12.0 - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher @@ -8102,6 +8132,20 @@ entries: - assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz version: 3.1.100 rancher-gatekeeper-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd + apiVersion: v1 + created: "2023-08-23T14:27:25.630009291-03:00" + description: Installs the CRDs for rancher-gatekeeper. + digest: 810f6c16f3dfb4fd3febcec6cd84299bf5e5be78ca1c3685e5ca7fbe20790213 + name: rancher-gatekeeper-crd + type: application + urls: + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz + version: 103.0.1+up3.12.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"