From fdaedeaa1625066e1b7e534d4a1b0e8f9ef14983 Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Wed, 23 Aug 2023 17:22:27 -0300 Subject: [PATCH 1/2] updating rancher-gatekeeper support for k8s 1.27 For k8s 1.27 support - apps and feature charts removing doNotRelease: true changing kube-version to support 1.27 adding rancher-gatekeeper with version to release.yaml make prepare make patch make clean --- .../generated-changes/patch/Chart.yaml.patch | 2 +- .../generated-changes/patch/templates/_helpers.tpl.patch | 4 ++-- packages/rancher-gatekeeper/package.yaml | 3 +-- release.yaml | 4 ++++ 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch index 5145ffc36c..622b464d57 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch @@ -5,7 +5,7 @@ + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper -+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.27.0-0' ++ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch index 00f5072fa5..dcd1cbdeef 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch @@ -12,7 +12,7 @@ +{{- end -}} +{{- end -}} + - {{/* ++{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} @@ -27,7 +27,7 @@ +kubernetes.io/os: linux +{{- end -}} + -+{{/* + {{/* Output post install webhook probe container entry */}} {{- define "gatekeeper.postInstallWebhookProbeContainer" -}} diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml index 5ef8e2d996..c953f4990a 100644 --- a/packages/rancher-gatekeeper/package.yaml +++ b/packages/rancher-gatekeeper/package.yaml @@ -1,9 +1,8 @@ url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.12.0.tgz -version: 103.0.0 +version: 103.0.1 additionalCharts: - workingDir: charts-crd crdOptions: templateDirectory: crd-template crdDirectory: crd-manifest addCRDValidationToMainChart: true -doNotRelease: true \ No newline at end of file diff --git a/release.yaml b/release.yaml index be10169264..536fd0fd74 100644 --- a/release.yaml +++ b/release.yaml @@ -22,3 +22,7 @@ rancher-eks-operator: - 103.0.0+up1.3.0-rc1 rancher-eks-operator-crd: - 103.0.0+up1.3.0-rc1 +rancher-gatekeeper: + - 103.0.1+up3.12.0 +rancher-gatekeeper-crd: + - 103.0.1+up3.12.0 \ No newline at end of file From 0bcd6212ba89bf1a13f9c58981cbb698c8298682 Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Wed, 23 Aug 2023 17:23:14 -0300 Subject: [PATCH 2/2] gatekeeper chart update make charts --- ...ancher-gatekeeper-crd-103.0.1+up3.12.0.tgz | Bin 0 -> 13235 bytes .../rancher-gatekeeper-103.0.1+up3.12.0.tgz | Bin 0 -> 17287 bytes .../103.0.1+up3.12.0/Chart.yaml | 10 + .../103.0.1+up3.12.0/README.md | 2 + .../assign-customresourcedefinition.yaml | 757 ++++++++++++++++++ .../assignimage-customresourcedefinition.yaml | 237 ++++++ ...signmetadata-customresourcedefinition.yaml | 655 +++++++++++++++ .../config-customresourcedefinition.yaml | 105 +++ ...intpodstatus-customresourcedefinition.yaml | 67 ++ ...ainttemplate-customresourcedefinition.yaml | 357 +++++++++ ...atepodstatus-customresourcedefinition.yaml | 66 ++ ...siontemplate-customresourcedefinition.yaml | 73 ++ .../modifyset-customresourcedefinition.yaml | 676 ++++++++++++++++ ...torpodstatus-customresourcedefinition.yaml | 65 ++ .../provider-customresourcedefinition.yaml | 78 ++ .../103.0.1+up3.12.0/templates/_helpers.tpl | 22 + .../103.0.1+up3.12.0/templates/jobs.yaml | 126 +++ .../103.0.1+up3.12.0/templates/manifest.yaml | 14 + .../103.0.1+up3.12.0/templates/rbac.yaml | 76 ++ .../templates/validate-psp-install.yaml | 7 + .../103.0.1+up3.12.0/values.yaml | 21 + .../103.0.1+up3.12.0/.helmignore | 21 + .../103.0.1+up3.12.0/CHANGELOG.md | 15 + .../103.0.1+up3.12.0/Chart.yaml | 26 + .../103.0.1+up3.12.0/README.md | 210 +++++ .../103.0.1+up3.12.0/app-readme.md | 32 + .../103.0.1+up3.12.0/templates/_helpers.tpl | 113 +++ .../templates/allowedrepos.yaml | 35 + .../gatekeeper-admin-podsecuritypolicy.yaml | 38 + .../gatekeeper-admin-serviceaccount.yaml | 11 + .../gatekeeper-audit-deployment.yaml | 156 ++++ ...ekeeper-controller-manager-deployment.yaml | 169 ++++ ...per-controller-manager-network-policy.yaml | 30 + ...ontroller-manager-poddisruptionbudget.yaml | 24 + ...atekeeper-critical-pods-resourcequota.yaml | 23 + .../gatekeeper-manager-role-clusterrole.yaml | 174 ++++ .../gatekeeper-manager-role-role.yaml | 37 + ...anager-rolebinding-clusterrolebinding.yaml | 20 + ...eeper-manager-rolebinding-rolebinding.yaml | 21 + ...guration-mutatingwebhookconfiguration.yaml | 60 ++ ...ration-validatingwebhookconfiguration.yaml | 109 +++ ...gatekeeper-webhook-server-cert-secret.yaml | 14 + .../gatekeeper-webhook-service-service.yaml | 38 + .../templates/namespace-post-install.yaml | 165 ++++ .../templates/namespace-post-upgrade.yaml | 153 ++++ .../templates/probe-webhook-post-install.yaml | 46 ++ .../templates/requiredlabels.yaml | 57 ++ .../templates/upgrade-crds-hook.yaml | 116 +++ .../templates/validate-install-crd.yaml | 24 + .../templates/validate-psp-install.yaml | 7 + .../templates/webhook-configs-pre-delete.yaml | 141 ++++ .../103.0.1+up3.12.0/values.yaml | 271 +++++++ index.yaml | 44 + 53 files changed, 5814 insertions(+) create mode 100644 assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz create mode 100644 assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..5ed680d1124cae6c1b3d66f5b4f51060ac069e08 GIT binary patch literal 13235 zcmch8RahNM(=P5#aQEO2!3h@J-QC?GI0Ojp?i$?Pg1fszSh%~h4rK4|KlWdotFtbq zXS%wo-s+jBdZyl9MBy->Kt6szY7kljaYZI0aTyM24=#2?R#hfrC3XuNBD*#?NfHkz&PER2M*VHqBSxo0Egb_}=*V{Sd0+$tc;V>UC{0sq`E-h0_##EzT2@1%B&tkJnsLmAUGi`o6>Ia6eUWnMC4#i8 z>=b2fax=i5J(VF%0`L6Ay-6Nhq><=NMl6;c=f;iyJam2Rf3Sba)7R^GT~SW@|mnF40rQ2U}&u6oNr zW(WAUY%|Js{Iuj=#oeT2VaM?ZdD=OG+z3B#3$MMAG-zvXlU#nXK+ZpzR-3$-B_(o0 ztSs)2=Me*eDid>Yx$0v=^aX|8p(3eFWZ}85tgD%lGSPf;%-&gZ)Ii`j>Bf0*9suxq zHhu@=_52Zb#TPk##C104$lk}^so7~f{vhH-k9k>xNrtSnL_xXS;pX|Ayn4f*)46-7 zSgu!|r8ISP3xPNOxT0Z|n247$oBtFAZ5B2>6G>#YzDO)zUS(WS2+9eQ5sY0R1>S-0 z3t5T0=TL<~lO1qmCba<7$yWk(5FJ;yDw$A>&NK~C3H92Z>kAn=2Syy?Hi2_+xN-LH zY#Mms0aDD(2BF31gkQuN%q>?mq;UFPJop&`6(}pI5Q%C;pW@8`_H4K<`?=x~N8QF2 zLm{?BOCAOyl_Q&|hKSg`XacL6Y_)z~PsT<5$D|2}aHAn!PtJ{ZnzI_yv+ez5bWv6M z3K_AZhj_VFgCMm!0nxa>qS=$EWm&sADZS;)d?5)lUA3Z|na+O=`$(lLuBXiN9aObjJcargZt zXs@eQgUcNWEE%;@X!|sxl^Qx5?r7^8-P>8N)mjxa#Y4V{It-85{(2>UV1A6c`VyaI z;fj5QYQEcH0}IuEgblq{e|q(k*oe&<^ZEM|E< zTM*lS1YWZPfzzzK!0$2jj<&Y*Cs;mNcZ!Wtv+dEXr)664HfDfmf-XfMrm14BNEf{5 z$j~y76x2O8e33pZ^ebyWFJ zDeZpiu4ku^$Yt7tSZX6iBKhD?Ec}5u>hS#B<+x5>U(fxgWOQ5~UEulU^ucl|@csek z$(M*caZvz)ef&mS{0(o3x%+l=Tl!ZF!kztTMW}|}^43YeEgsJ#UEPxPFR`lqO{v&I zd4xA(B6cZ+hLKpP;ulF{7Gnmr6l!|RHxhgwhw5Qhm=*)ayosU7wuSS?HaS-_>2#oC zX>ZG;0Y?40-l`mzQX=;_)Tc<662QKW)$aM5CJ9p3H{E?dx(wmL&CV&Z8q;ucb4afKw87QBpDLRp3Cwd0|Y_~RJxp^H0dwM@a)p0T5mf2 z9n)n>-W+u*ru%d{7Iv(z8_A0_RWmUy!(I$-!?JsU>AkSCb8hF7BIj$;jbWEY_fu`P zibO%^7&V;h(_BuuH+V&MKiVt#+uJ=AyzN~)6nH=LvIyqIYMB||yA<85#^IT{4KA@& zxyN~z0|I&XhtW37EO6@}rPw0jW1Dn$E4?k9Q{skewuW)I#%#hMU){xI-xpG!M&Tjl zWp-D&d5_*{XM}p<>TdWX<*{6n<#CxT9iT{!JWGcbrbcuJ?As5e;x{*8BSMAo;1bDK z|Ks2%eY2N+^Z7R(ZV#V`r%mAkyR}B9S-@%v1z=S@^q7t!kfXss5UTLiT@Y$-bGFzR zqG+5m{e+F*iInY;!(AaP4q>8-VV$xd04R)sqwJO!*uZCg!B*uU=^+huz8_&uVO_>m$FD#!C<5n{ z8v9d(J!$3Py-~Dp@00KI)ytpTQGL|)Z+P#k@5O^L``dTt7lcLNJL0q{qeD^%BJTN?`BK?DXN`$Q$qk;#J^1 zODE}O`W6Dn{kDCNgMp+(Z(+MlnB=HoB2uV>reQVY%@dT?ahG2V(P$=5_Y~~Ez=_dv z=t-pfdi3XHhmwLKnOPXAk7rdku3XMh{M-a@wlF=FFs@P1sIj`~^b4D?Py3Ka5?Rl| z?N|IjYC#QE&w%oUaZ5@AssHKpBB2!I>4Y1l2JKbA(C5+f{Omk{X~Nii$%jrVY1 z#fT=OPLvRtR51yg{_sI(mzf0PA-yowp0>e86(*3=SCcey1RYSQM6E~(Ul1l!n5xL7 zURK|r_1T8uY_0LAwU2ZWoU}+aFpjQ)s+5Utk69)ZvUxFGFk)9}cH zNhIDD85*~)FZSdb-vr(S!Yz1?v1^rI7RO?s&Pp@rW7|dsSRd7^fcQH8$%Fvs7jEi` z?(ds1Q$=w9tWhs3vzoKaM(Y8;sAObkZJCi#rtvGmStA`B>hUs-@jNm5>(^eIGa6iY zc#?B;_@52tG(LUwPgI!Q5sX88T$(bJ0mU{EmM5B=7?n0v?Iu&zEGA>Fk zk1xYWl9gV~B0bX*Co55PgLx&IOmD~DMXLXnft`cY8XIOsfdZ;0##7tflCV- z0w-iCEJ3rJ;7cxqmMAk`1g-zE`S8(=1m0{FUBaU{zCfP@?Mu)+IJU-5c}MLzPTCbY4js(l1z(%#SgW`M4)SCjK-y}MvJ;3X@;8wc*&VAbXuuXESkOMWqs zsU^7Ugzt55Q*+la{Jx1enERAvx+^U5?rA&Ea)P$zvy)0O;POPAFM3^ni>=mE5 zd0;%U)M;yEzY_B$KnRJmr{qzqBxaOJ4Sq4>$jTAjQ_l#4qmvd84&R+B_y~F?gTov+OOS(wWDM))2Y9R@H_8eu0;%k$$svzg$iG5 z8OS%OsEvb~(GD7{3nkJ|;jnU!J35!dtnMk%}U+FY?na=Jcj*PwGvH5kre zUlDCxiWJu_LSsYailuSOoVstcm-;OXD8!U|_e@-|uLo~8!$r;Rzr=o7{2kN}NTaX7 zwr|S(A}?;Nno>v5u7Hi=NI2L@5R0N3V`XEsRF&Xe*4}7n2RU>K)-#$k62NT6^<$Yd zykw7a4F2W^^T74|*3ugBMBCysO_UCP1J+BrMi3hn8Y-7(Xedmj*XCh4>WsH|!OryROf2H+e`fOsEEZTbT2EHb zs0jOO89eqiI47BXlTflIi@QnYE`+DxAmKDK*;cI`+fYfWF=ZI{uuKZZp-7S0xV}S= z^hi)M*dI5kmD_-^dHeo|x`t@V%K)Kd7Zgl&zhEFWAhv$n(<^VXODkRwM>}!mX8cnFSDv(!n&KfAxP#&$6!n2uBdN+ggh z){1dyp5qJucOCRioYJDoYEdg#F)mGf&P>kjZCVNS;5=Iu-;`j4mB8FI&Yds>=qaK_bdk<5tj!3LdxR~J<_Mn zeLrqt6(QXT@IGaPh#^9Y0kUMn;-0xlBrl9%Smy?Vw{7S2@x(&! zo0%#uyJPx=W&^grZ9ITRMyO#d{wZ$KU1+E1Y`5ciBN-RS{5Fm8e&mndxs;q7%P$st zTZLg|rpIb@!t9IAY=&g#f)s1NPKnLSY*38*+Gng#q{~)Et~GaUDL%2&ye%VZ)B9a+ zVQ*)#7QR4v<_AtWZmJT_QW~aq5|kP> zAB0sb3>%NH#;wMSx5d`+eV}}ex-S8LS@b3*)Obv>Q>K-$t3Z6>!&1Bn?7XL zJ1DSZN`%^zOG_HL@VGczojjF=4JmkE{hz7bg-k)??4eLnE*(v&b^XP~u z+g)_q#Z+zHdoug<9mZ@e!C-Z=Js_I^htce3%&C&?(s*iC{vV$9?)vsCUQGu$PN!?a zJvn4DSDOAmE;jbgMrxh37!GYen5j-?Mudmq-5LZ;n>aQbS#W8V{Vx5wf5B)FPNGij%I+2sgYYbl{yi>Cp=s@t;xuk4yR$Z7k2UYgxDp&ea_+hV&lSF!gehsG-3BS8dS zF|{^I3Ji@4*#RmKryV6u1dQ8~EJTO;{8F3N#Bm`R0ZJy=9$6tiTI$>=469Q_;^*yx zmMqK8gxM^$8c2CsE-W04*1BhTiy|nAKBKY@QC=Yh)Vcht6ET)sN0buBp=QqrG@{|^x>3z zSO3S;dw*FS0_yf{3ks_4aM(wu-2g`VhxZG`cTeOZLH9JR^rUOPzFuVF4?!0Hg}llR z?{5Gy|GN5XGUB;p)bAh5FHSN4MDq~=4CqQ}?>lrDd1$VW2IVizPU@&qC-7qlwSe@*e?{2S;7OLZuW9XZ^GH#=k8e>5-J6#jz!&opM5gu+x!{s_I0 zRQ)@Ftd&baA2^cHNP9>~NZZw>p@oA4x^Ji?{+8Me4lh0@On?2Hza2p7HIl$zZAz#& zg@dR0JUEFsg(2vGnBYAq}LE(geR{((l-|Z#|p%XTLE(0FV(cTAWu{k3;7PxyOF3j8YRq zU$H0D(X`FbIfmV>%XO4m?4C?N;YS5bM+Igy_w*Ma%)R`kQ8zQLHXcba<0z_^uI#c!^>rcdIlikp3Ny)S`o<_GHTk&mm>_x zh*hNL*9Q4o9t3?S6a{JtM*Hsaab(qJ;p08(_}4P4@0}OY8St{x(M_q%_fHEOTia%o zE#2~D2F#3NB!F$8E*oFJ1eBv1M-p2>Xe8HqX%JiCU91sVbSR9m_Ea3B^;AeLYtjle zv-eb>+Um@1=%L%{@OtppyZF9TA=|CugRO-D`FOc;2?#5;e6xuNvx(pCNoKMkfa!y} zJ`6C`U5!Y(<#~Ruqfo>bdD^ZR@Ye>fz==N{+X#@|k?P#MkhE((MW_Z8!Y6P8aZ+B`}ucwm``(xm$&t%-3 zks3B2E~=4zqnziuo!)X2j0_B$dT$SVFBl&8Z!fPQZh*GYs9f>_-ENq)$JoLt7ep56#V7w_7+%pW3n?cU z-VWA_n~g4(pIa;t$t2C?nd7%xEF#_{NAL=IF&Eb7$6Twzb69zuD7OuWT%k`wb6CNT zhAE7}kGAs$2-p2gn@EmKV_3ajsJB0UF^YJ9yp`&6wtU3zPGsc&F&%m(+@T+$?O~J; zGe3S+CA$4Jl-G&N^4Cx3ljTs*$B=)oN@YTyXiSb7)lhHe*ZwN0Ncc+5B?F_D#Hy=c zXFs&nSd%|oRwe#b++N<$d$2}U(EAWAasY@w;A8KF8+2mtwW)+Ke<0);>SoeIxEB2< znjimtrvHoZJ=1>#n%Aki@qgkgBSHTsh`(sdI7p7l5-Pg1Md#F<{wk?ayf!H4$uYe` z#urF@F>_RR6bfPChB0B&o(hsno%vhl=RjaB?C+5yk*D55p?&8g*A@oM*>E$nGJXT| zr_FbPz0-C1J5(W5RFlYZve^Wg_yRZtd^}uUZ$S}+0idZf%KSJs>kF3qopH(mifCz$ zMgU5C=lxiF&JZ3DP;y57ht1aQuAva$Vgw!VIUS7=%#l9(fw>ZlB5w`wT&@r;*}upfH{iBgW$U$6=avGeq)yhwNgPGd|(_y2wz@5|Nn(88KYtz|j8_xerL(9liMO%GYGzL`ATzNfJ zFn?s#;`|Y~BfZcj>GrZyW4vlKcVX9AbMxo9{IE>sM!f@{ z7KyMH+~!ouH$>Z%s8rQY>-GVuKNe_X&Jx4ZX%BH4?FHYcZ!!>A`T-zp?V#2#fxMI) z0^3i#*R&&;6|-fY6R5PH6er8+YEVAy+>C-mm0IT~3Jr*>)0Lmv3>-@g1RmE|TZNiX z!IG*CA=XL`l>2I$*&U&_0J6uNX%)WWZIdNxnQ)yIbr@N^jZ$X$bF;wxo>(Q+Ws;>KoTW1$9v=@kZ^aWZ z>f2xl*$t3Sz6^(Jvv`-g=FCp^`0dNVQ=DE zYlPfx1Q$f18e%r65Q_Lfis)|&=?@AWIPL@o)_gNY7R|U{sb@^@vQ5M1J`1Mz2h^|n z4o*hNMX8>4^`gEroN=AR&*w~EHb&mA-yiD!Dpl}mYOONFhYbu%Hc;jC^UycY%rr z?m9=DyotD4T(M+EtLYRSzePCM&+Nw&T{F64Pjg*5R$B4iqEKXZBMxOEI&8GTRDMlo zv`8`1HID0IR9M~wYG1+)ZPBOy1ce>H%jg>&@#kAx&0qpsRExF436Ww3@n$UO$}uO- z1>5p`l5T;@TkCmuWbB_^#EEOOxw-R!VGR+Hz<>ghCu zy)0OI+xj`z1pD;@!)Rgu=}HEmdH!+H=IbRy%&PUxM$&qPQO{d_e~F;Pb2H|A=HU`r~I(}q`S;7 z#@uU|o2!kYD|1TfZXQ#dr6+IlgWdr9K;QK)A7v3+lOy>!ikD3sGF}#rjRe-zbBB`9 zwL*BsW*JS4{Z|=sZ)WU8Bud*FGS2Ib%uyRhepf~+NaMOmY}@E8Au4R{?kU({StjRz z*scWh@_C_GYyRp5RoK?wQ;@+7OwRtO&i=cwI{F7-!dTd?zenCr`E%hBX0rPs7oHWH zCP9H;Kl-O27sgGU{ck^in}Spw3H?yK9rycaa^WL#;OXT4)qj`D9)MlHTZwsdWT+k# zTk=^xw0$@qKLb5(1s(&OZ{Mo&r|XRRd<8_F0xmXJH-HTsTmq|n`ntkLoygYoX2{C! z+0WezS3W=QgDPA)?|*`B;01?3ySra-ogr#z#k;W~adv*QZsV!p?CAYM`E6u8LYKa`%45%%=Ip>hv`&u}N$<%tY<}&4=M_ z1?{nUp#cidmXBz~#=I$aeId`;8Opn&qU0>4s)5vdoHecJ^2&Q0)bZ9Azs#ca-{EzqLg}%66YOV_z=_3>JI7#PO9*L{77hEgpVrs$!b33wQ`^ zQuets$EGg;9c0Qb#bR^N@SP(;n3HO*YUOXu9aXH)aBmNE*MHh!*V_mt3=H5|DLN}U zhm^YUSlVG#XH>i1Cy^SFXnx_#?b4OTww$SB=lXloP5qM)&kqOvK%M<4t`G7dVD~k6NOVs-IOM zh2S>wYr(=sFP2^}_9(@AoVkzyQmYGTzPG0;`slh%P?$-L-LEXpF5;b?=}(trqhl9 z&6JA`7yYyykP4Wg@5R=XbjFejE#&BK#*jpl^#2fCl7*Gx@Qmux@rhImT!M*cBq4SR z-JIW@(%$cH2<|LICYFoFl!rstMEKrAKxwn@?p4bmdea}J()|e@P^Adb=ZP7oUj@ud z){jV4KCZ1;yTetWiLC6E-P8?C;P`|DeVrU0N6rZ;jLoiD0Xvp`APjA&-P}i+y;GI#s=^0&>Q56rV^SQ#wOG<@kLNv z;+LqC80)Q3={cfZbL#h0)~Iz`zlJK%IS$iP(C9#eG=S$SMi8dlYMZ^-?kV|Xs$8HD zf{;Hs^xM%;-;Iq26q+Ipn({uU??*R3&dDyLmQ;m{GYX2|y@HXhy^Boq2zZeG{N~jc zxRMCRCSx)v=E9YO!T)#e>4y=XY`KbOqc!1c$R%`{X%LB&i$}LcZuv>2oD$Mz8>1B^ zCXWF$5uCpkq9XwSnxqqxUb1tdR1Cb0yL?|1(<*DAtf84E;`8Wh+p}wGcu-3!2scXj zT1rw!x$Mk!Us{?>b20y~;tWKahrH4vCznI){fXGgDh8cQQ`sGQ8vVR%YbyGZp#@ad4bZh+R8OVIrClmJ9_EgoLNn>5Ap7Gy zn04~-%Vx>nRT#F4MLuJqX8~N>J28;NWR3oSO8)PZlXLTbLpgyv|D~Kt{7}eB4X&@c z?G}9*F*Db9GA8j`rQRu@FwkRAdj%(?7F$FZJ0hr{jKLbaZ{$H308Lh$J6e-XnyL!* zC3jnV6kQHA%m}V)>M=|WY4$Dy-5jm^2tCB8al}9E-#e;UnyI9n8q`&yYj|(!RbY_y zvrC;R%*3ysPPG|SJm!S_oFX1LiI*~w%CE2`EC)6}m?lNHP_R^rx&s07+|lw9OAoP-EL)V1iO>PgwnCMGJUM@vpg zYD*Vh4NUw#x&(DH4e>ryrc%4KsdbDbVrF|0ui#;9RyWARD+YKy$; z$cm9o<xlXk(rCSjpdQ&nDXB&PjYxtP@%sJOhi7dysDcYTIs<9 zMDP{kJ65Rku5;oVJ(gJH*x%*6f5HDtGpS4dtz-Ns34BG4=HJg%==Dc!DUQzrbjpUJ z@#6HvlVn@V>)elcm|Z3IGCd>&aiH13xL`LhaHG_wJjMDd(4mqcpRk342~Dgk%(&aN z%MCD8+O^va=xeVHupkXJot_JeC94kRMQOTMfcE#(Q z+`9=*2hGGZixRTM9gEqtm}2W)I~~v2c9H8L@^&c<{Um_6u6kmaNjbIvJ4myMv~|Bl zU7n|G3L8Gu1pdJ6jvE6n6`Zbb8sGHDnFT(+j=f@fUMupxhMcFCw&i$4epTbILgXh4 zlc*yLr#29yHj@|%ZFGp&kDlqXf8RxOk%m(w1Nn)zXCnbQdDT%4&wb=b$eB*o4>&NS zy;h0u0Plfl$X;mwVw$oo0;dLd_Op3TM9Q~*HKI+pcR;E|abrU3A2Q_#OIaXWl%Js^laMqWnV*N+xL&> zL^t;FA~dj!_777eYux)22^Y`*WWFvv&CI5?o_k`cp}Mc{?^Q$^RW-FTJT<7makSxE zH%#gDL=iYQOs~$oR)jpasjl1>@5>meq8BO{duz*9IO>Wsl{I##KfP7jyS~>VOY_8& zsRP5igzdFwNmuwHN@^`(n0nPiQVor3=}0=)nh+U^t4);u)LWMbHO$_D8Px3=e80pa zl1YNVq?X?}qit`}Dkr*4J31@dIzcGwI2bJ|O)dU$^O;b9OF&!Ky@Fnezy9+ad7M`% zeD&gK21VijLY^=*|A@2_)ot$pp{F!t1|Maf<;bCyA|0x=>sDrwa+05}z}ao9-8NvH zx9u7mFJeT)vuFHeQM(+n*Vyg|0~!V+FXHzn`8z!-DKsjVdOQkO=+IXYBvMC|*g%Hu z$BRWL{)m4%?B5BI4uP?!2WFHEl_#!SS^WCkRsPx7x_dhqc7^6{<$ASQ(-A^BJT;{ugyX$GGZdNC&O?RzlZS7<8f zzt-8&QUAL57@~&$cUU-1D1N!bUmID-|3dJh`~QsdJPO|{z+#o$0&OA{KMCI{Hv&lr z2N8>HTdC;AUn`;{lc64{V zdbt4HEKd(##!pXQ&*o46-?Rp7jimX=^0#rcFB2Djz3IIKf|_wyOb2%BIeLJ=P9-rI zu;v=N+OSNIFGdpj%6}vVjEt1hN4#e_^SA8Z_x)>ssiM`E9uXWzE;n@&gOVzWKs~q+ zq>Ya+`TYh%Q|QLah8oZ^DQ-jP1~9;D>d;kT+g2G%e9OJNrL{9FbfC1*{+5Md%?qlx z?HNoU)LwJZy#lw%rPLiRdaTAU!Jn5&6MV8UHAm}xO?BTWPx$AY52uhJ?z&7WNRmt$ zH+N=r>EzxHi*wayywN@#W6c<7Yy9A=n%*?Ja$4>5oC$Kr{Ie6StTDgWCdoP-@%y(> zhs^$!;0v1?#V*_D`odXn>ls(8`f((iIzc=&kLcNf$(!7#!G)r(&i9WFr!&WvlJ$M1 zkk|Vccjsn9U}lsUmH9`dD&VB6ck2P^E;~DehN&Kpoj@?UVn9!70vG*aq@mjI>2c7C zQcrd|tS}k#_NMMadubxg0}DrI_yE=9>j9Bt>j0MBZARxYBe>D$xG5t@xuJ^gfJ`!Tz=Rg>MW)F>W>YQQ}^ zq43ir-OoR`!oP4O9c=5Cmzi?IGP4jg45ib5p_QeD2;!}5ba{T$&4~X=n-)`+T$L#V zufWqDYS>~BCzs4I_hS;x(*0a`vi)LRg`BO!Pj(^YD}8I(9y}$>`t;~MM>3XSWlRI! zTPAbM4f=-CoQQCTP}XpBpdYfG-s1o(&i)@(y9u*ue~~vyW`RM@ts!rM>$T*rS|i|4 vlgXN(J$N@_feGRcQ~=)4VzqzHC^R~ybjn%Qo8HI&bATW`U-Lj{z(M{8FnYid literal 0 HcmV?d00001 diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..6df178060afaa64528d7a96d71d19cee1db85c14 GIT binary patch literal 17287 zcmV*RKwiHeiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHbK5x5FpAH=KYa?k%5EjjW6JV18U3E@DUais@jG$iV|(T~ zZ>3TZOhOXYB)|ng*`7G(v!B9^1TUf}o4!Wat%*h4yMacdyV1=c@h6CRV<^x$LNQ`% zdlSe+?+QlYPwk|Bzu({4+EV}a`~Bj-8~v@FpVqgw-mGu!Y;SCB{?uRJdb73u6X>_p ze{D**fb6IKt@|oY?ujHw2o+FZO8B4yfDZ)>>A2@ZAwtx{bPXngdYEtl!*Bq~%f<6q z@GgSFpHx=&5fgZXQIOWHEEZrMhw#cHFhT?H>1Y@HmiACt;XFA*-V`y8DH(v5|9S`3 zdmH^;-|K__mVdsLf4;1&D*NCu^w9w5kM3;v6&EO~tVj6(gqS3kmANru5fsE>yuuyli(8xuLfWQLykH=C0sCwiTDfCP%{`GaD>GGZ1i=# zUm1<|pg%#jPJlT)3(;Ys8Ir>1zhH<1C@>lS4?3GrdT#Tl#f*=NK01ebR>Hf`MLd1F zCQS8IZsHV2h$i9$`Bcq&vs~m?h{J>-eI^aS!I)51F_>M4!2;jDmkaD)q9_(0EmOij zz%vxiDEsN`-^dpyC`7)Xth&tJ1o`KBG=(9`pB3d3E@*U|gh+Rah=lfg6e58>#faIl zYhdf#{Y!xuf#G{7-~b4g*o@y0ku@kgM*1+?zl4YID0q?DMBDEf7W7p=-z-^&=HQEY=ju9qP>Z=B9$&YA?Sg~LcyM^o;+!jh! zV75@AxFkz}DIzj5`zSX?4QRFh_9h8AKf!;a0od;MJ0Tr^KvNVBz`@5~Kgpl(5y2>} z6VkEWnb~THu-FYE%q52Rr;>5XWyx;xpJBfA0h!Wpih_?BPwtFxP8nv_*#Di-bQ$6Z zj*+^`WGh7e0)U~Iax5sjN_nTX2s1_*3OvahY1T+_MtL?E00GAtgX%Wzv*1>(%i9yL z>LO0UFkPdgk5n8n#3di7vrdrDkc8^zFP)g719Lx<%s2~`GJxo49(|U z_c7(-&v?vWpsIy()n?FFHS{(PEGlZdvG9<0Hecj>RJXPb^QmUiHrt)J8powzFxz11 z_m~DJhF?~v77aYhKlkJ~7(oJYeZdW|c*hWzN1Z@Hchz(^x01bfy$hj0Tr{e90U24e zGg;>*eIYWU%twoMXR4(=N*rx<9dH+k9sqDO!bE{u{S-9J&JBeSLIdOww|s}`m08xc zo7y&Q2f0UyK$k+VFBpdO;)vlX4$&Cxb03B|mO+;BVGPf3hy~X4K&F7v*#7N--47qk z-i3;HIi^(nibJGj0EVEb0twmWzcHG`1Mu_DKWE=QQX(rAi~h+Gleeh8-b&8ytldg! zBMQofkel^9cXKU7Y)a&2x%-~*?u!{cLzXF?v80->A3tHCK1J1^?s|FCd%M|Nzxi^x zfLItdMqMxDw}}vO`b{4Mm?+qw-%n4EPO>fCB9VFOM1`S03C^fWpqO>b2D;p@8Ds@P zxyb?k05oP%q(93eBq;9rm+X8L-|cV(#$rW{_2YyH9HIAU1d~wS zD0~{lM~seeh|EBYkTgW>5E3}nOf)K7XABAopN|+C;mb64Lb>>e#06#N8EgZ>?K0TY z!sK5u&;6hK9Swa<5a%f&kwhxQQ&jpG zGfdT52qEYCDyebhS)sPiu)sc)gwIGG_7D@tR1}tn2>BrH*`jIf6tO7F zl1XtK=?2MV0ig6Y`Q2Us`LgwMbmd;RdwjA+tyrK`8~~js_u@fSwiYgy`_X-w z8+E+m!&g^ zP^3uY_WH&lHl*M`3F27^KTgzeq8T-wICaV~d$~D`iY@Xajzbh7B4DVpcs5jBrgTmb zO*jm#n0auKv0T9e@C|%7ExrIA7%`e|h8LV5JtV^*9iuVkLM~l(oC6T^bXFy5WQ1I^rGl;$ zEGGlwh)uDN6duf04t_~+D6m3n_nW*b^*AEI_wJWYqUCdY$L|%ii#NW)!eM97*U~`* zh2`;(k>X2&aX|i!e9KsrCZ(CllH}bA+~vq6DMCyvRmD#$Rp@^Oiee?_So=CbVT>5> ziTF0E;5qhRI~!XY1^w@v&CQ*q{`Wpo=i9fn*Bzy$3xJp)Ao*!PN9u27ztZcxUi<#N z^X;1l0yM$|fv$5Kkj1;e%L+(>33}RwP!bH#`%Bvs$daF?h%p=>a4jhi@xjif`V&Vd z$!LTxLD$O~LnKgt>mlwb$^~HB$0!NIEAXELhRVJSz&KWe?{)qM>DE}H0C$cOiW58qNuk<0WNSDf-?jXF2~6MRD(C8t%I&CmWMDNr2w^=DNt>hnFSg_J>*$S z|4=g+ylakFXPhZ8bSu4M4JlnY9c%9E!UK#MCSnA-|K#33dAHD-?st);HtX-)5_E7Y zH;ob0O1vukn#H0^soQrwj#a_#%o(`=*MA$41Gtv#MF@Qay8qP$-LKsn?5f>BuK6Iq z^5}=5WNG!7xnBKpNk;L{|OMFH0WCQIfhM{bK{RI5x+W_nKJ zdQL`2)OBrTC8w-}Jp)r$en6uU^2GpjKT;#$Lh^GaGwSY3g5I5tYiAhT+;8+4W?XS9 zVEic&aUwuWxd29pZUs+Tm0~FuVgM1ruI8-!RKaHi@JF(ZJ==tZkT%-19JA`jlXW{* z?hd-&z5&a7)hy~B`2PLdH)rRh{r6l&P*1hm%Wfdx`}aZfdIFBY_wQXhx+6z!-@K7b z+AsGnP_zURV=>`@uAi__2}s$Pryo6!Avsa|`)8TDgrJ% zPzbYr*PZ+u_2y`{(%wpBaTfes6_^H|8H&xx+EY}dDEw2d$F&gYVyaeCn@F*VkYWVWCcu|4ZokzuQpsASY0&JOwgv zq-C8GVM`CWLPSx3>wGnbojlJgKdk0TnYridcM5=;GycLL%d?o$Fp1D1O^6nmc_5O1 zA3-r07^JDuXu_fH)~@ix+~IFR-gM75r)__!`gy`;#-{}Z0}I+zXyELZN~uFHD_lJ4 zANq#$yi@J{Uy1!tpw5t6*n`h||F!w1aR1-vZ}t1j`~Q6;_d!mI`20(xwdwj95^%k9 zj!7^8nHKHTlzJbx|=`V@?G76GG{co z)_U1hfW82dmyDp|ishAM7()glBoO06eXmc;(ioB5ql3RTbrn|+88gX-y3%W%)C7tO zOMO5<#^6;U2MZKc=r?r*E*K``4gdnOF%l`$qkj%SY8~403tsA{snwztExW2c&>SojW?|)AJ1tyRKNB|~k5ox|wk5gu^0s}vda3u)( z=d`;DK4+tn3w0HgMp-?{FWJz(-vv4_!D4TTk{hGsp(*d5jj2srFpdY{Wln-p(o*!m_wO&Yu6hEQSfG5K zAF}%D?iJ$t-aJ7J3nj#P>0XXc^o2QX#^?$PrOc)0Wy(Aiw_VCT%~!))(*xZdBx98F z7!kbG8uD#xkAaCcG68@kAsT?ggp1>Z?DCE_=D-XE?-`Bv3YvYZ$c*#f-``6b0&+zILiV1A0L&APaVn4%BZH z#p3EcX08bOp?7QhX)*e5BtX#jX+j$N2$@6w``i8XBK=?QFW>*(OUgN9uyowetzC`g z91;IvXs)@I>i34Fx>n@*@~M-A#`|AAxd~7l(kn@;7ZC@|dH=t;+21bg|ILjh|93yh z-TyF-`C3W@-lw>JAOc_v_`EoT1Py>*ftgib1(8VY(oN|HrXywu&FF~b@iK=D>xy-9 z4fmC~{s#vEi=tq0Bs4=qBSg$cMPp<%K!=^3ft<5~71)Y*5m2R^bKl)qg^?{-HehfI zYx9euF@sy*QNU%JN{xW{VG_(VuIRZ9EsFh{;J@h#Xt)NNtbzsBL4%c$7dFGfyPHaE zssZ2 zNOkwRnum=~5HCGkO9PqVJfzrcN~YfBsZ>6X3n&uqkPLZH5Gv9x3%-lKf6v#qzF0in zQ0V|jw~(M*1c4!7vCq$-hzUFw3KE40?arbclCwMw3ee5wB6;-4KK}0@NRnnF* zmXqtHJAdYgZa$b<{gt|UTod2>^zn4};N$*r<@5)jh|iK~-^()Vkh9^-*arJrQ5gie zQKr}lcrRE=d;wy$c97>08#LQRo-CvXOwPj4WuFvCgo;MFZQ2d$1O6F5hGZnL^pw`Q|xVsl6XGyq#0{XD^H`j)q5VdWpJXT#0(rtWYe z6yPKpfJ5a1AZ<5ix}K}6-=bG8vkC(9&_eVloSN!?GI5`07^vpTpn3kEH#XiB^gr8g zc9!pd?v7Ok=S=2v(zMcFX|;#Nul~Yb;%r`?9DWNWneYe`qk8(rvcQ?Ckqp+I#F}A zGR;hp-aLBUhsA(ZDHWGh>ZHF~3rUIR9BE~>V=i7mW1YloL{=#$iUWg}+Om|4J)r|X ztLheO4bJAQpo}Amx{86iPdZ?yu-n%F0c7fLO>F*jUMP=^XRwRM0S32FX zf=f?4zZCQFIrJ>enwHR>WO*|iyoq+yY{ta^QuLKJW6jbSdS|-G!fL;Khh>x&9pg5k zQFqwC^}su47+$Q(-Sud+6Po#>;i}wiRI-)FNJI7P%(`>NvecV4=&#h(uMa)k2;tJBnoOzpC+2+W3EE?K7T25_fZmU{-)>_>1 zgdc@Qw^}V*!N)gO(N?Uwr>d?kPi4O9c21qe)VLMY^~NgQh1$B6dbjFKcs{D$ic94@ zwQqfuIZI-86obWZFteR%R6L~S`JvTfKTNuX{@282@aB4gnCJiDO}}5z|L$z>Y%cY` z_mSqGcWwlZ)NojN+*E4fk8Xa>MTDt|$yj+a!gOuA{y?ha`_%7R^^pxq($U0ol)Kn^ zI(S4?RGtd;txbz7@hsyvSLr3!!37qR#w)>0&mI@<0aW&NSYRhgb6={g7g1Ta=^gPF z^gpISfH_NI35~NP7^4}6K=bJT&dz3m{=a$CU()}3Ny^LnbR7)dfu8HQ?~pmTAPK-LLWS&iCF|V#{$2gy zke$>;QL&RB&A&wpHc9y)I<7P1;H*kE=M-OBEZvs;x4Qou(|;3YOu2wdwb}nksDN`_ zfy|@->pMmNZ`)g2OZ(4zNd^8t7gE3I^DQ+EJ$6g|aOBh72@6xs3A7$?W%YtHeJ6~o zA(K9hQ3b193fbvZ#obi3wYcTT74%v84s=6tdN-C7dJUhAJZnE{Pc=2A|CZ@zG(f9uUoQU0^_X5-D0{@+I`(*HB)_jHiJBK22UFcA~V@ZX9Ba>P2uHMm|E z$283Q1Xm4WN=|WvxPVbS03->+ALG1mcTR_?h>RT%z!+!FE&N&L7Gj0t9`BxGL7BsUa6JvBK5YboA(j+X16E0|EKdPu0xMCy@CUp4y+mBCA zyyW)1I6hVCk&R|8b&yhltWvL4eOX=9ybeoC`3|OT4S$u{(46taj81WY*xe%}HTZo1 z5G~>+x-@Vtv#BN*6}sIbfD1myF)DyM;mGAJOWo_G`54yKi~t*zyUOf`w92C%+}a2e z7~;Q6+n{1_^QpnDMshnsbgT2O#ur#&;91EAXI?wIcgD@@M*M$M#^0oQ@}JFqG5*iy z=K98x|G$saD*wM^{AV)$P31&)e?h2fNn7UJ3Ei2aRL zJXe@D?{wjb3Jj(Wj>-@Yw+?f#B)HEr-G=_pCHyAM)&H&+<3H?d^q2hqy`f-y1zYlwaknPS@n#mphT>7on@@epX+h+a;|RmWykDJEkd%GI#$tx zt?{i9L9d&CbO28Pj9U_gC=EOF7SCD;mCgzG;TBGx)i*mebXoJ1dAh!)=A$B5LL4Rx zRlG?pO!-&0phmp1jj}cOFQK0uZ&rC$QYoavZDwY5j;`D=-T4K8$AmHqhs+@BJw^N@ z75kT3WR^CQ4|H1PFd=K>BNeG#SC!$`OpizD>kI9*;~(efY8CuLHK9zjtAV>;aA=~9 zb4`T47 zO)FYpTY9)#sJ^GH3T6m8=U2&S+(uSC^PXD}@@D!>*G)z#E45`#bM}t+cTe}tk3Wyz z+aHBT{kDl5PB;$G{%E9_P4JNtxrS@J3KS-Lnk%^!@!nT*$obsZNA+6E**xGJ{%@zh zu~FpzcD9!M-@T;S{NG>F z24aGMQ97%KpP2XzK`ygG3IjliLyuN^W)S~}CcuXTj4%lR1dJx*i5?Ce<;QV$1p+Et zgTRLzc^nar1)d_n5oG=ZV4}wGN4iacPXlxYIRYcfz{``YwO8Gj7924R_!^2QC_)T| znN#ONflK7)zl3yLC^E$=ep~))Oqm!_b^%#X$YAvHD*p)z0sTq-n-N#1AG5d)e2x1s zL}`xoI*&>@5_4#jgcVt)k{owt{!yy0&y3=j2@Ue!UVvXIbIpZ;m_Pv{EU?5p*!yeW z+vsofy|>%jTcyVJ`nv7SrL?Kbcb6x4*eX70u@iT1g8cIXb;2!n_$tS-o<18r)p09_ z@I9QK>FH2Gox9yTyl|)R;CHfMmzV7yG&R-#S2*eNwAJ8zL*P00|Nfhe;`_ht^_}e} ze*b?Wsp9@WH)L$(n{e%waiROXUOzwbC4O%FwL4eA-(>$|AK8B!y#koC|2Ni4@xQjV zx0d!l_mXDpWzAInU^YBuo_aCg4jspDw)K`d5hCVZh39MSt9ff{Q~eTxzFW<{wfR`~pKrd|BEYAh~aq{Z&<~n^fL~(J~a?-T5e5rn^hE=f4vvgmU3w z!UYV&1z!H?RDb@jZ}#65`TvcLo&NItzmHUkWXQ#VL9;sX)01x21>g({f0C*D{x?0# zu??j|RzDJR!oFC+lXKQqAGO!uKM57+x!wp$fhM~X6h^X7NxQoP;O@b40q+9g@kDe7 zpzCdSEAsUlKI5&qI{=!;NPHim00paOXha$EwA$Z1+pIce>sH96V6Y;3SY;5*=B>=S z6z0xj%Y)r8nCH!7bcO{_y^k|6=fg(PWJnTOVTHk;h!Gb%jAOGErlLUPf28DUYHU7Oryj z*utJir-)rJERd5^8JcMB@l+X>XrmN9XjWjNTZbm94^A{UJkd-j&6##haH5T3NW2Bu zgUoyc~K$2DDU&`eeT}wBi+3VZLAu|gT*)39D1NS^K$x1xAt;t&WCY}TeB2f zD(8>GX|=r&T4wIIj=H4VsgJ;3A86h63g&sU^j5j&koSFeO*!cbM!ImltY*p|>CI8X z`(AvDHb>Hr0QTATDUO9oiP#p*OB^piI#>Jr(SN5-e)Lc4{inh=8fd~~wsVfv+KEBdbBay>(O2Auc{~f%Wan1W_RM! zWd=yIC;ZCNt@;uFA{biiyjptQdd_JP{ZA5)84MQj{HW6${m;h6)_O_*v$fR!+)Jvs zzW-^^e4qNC+yYxFgBl)s8N41)88mCTET#-<+DePcprz*KE;KhY5ZQv}rg6)6uDK~v zEAUW?i&~J>iau*=F0Qzki<{@6xR^1`$ECQigZ#myqjuW2P+Zg$xc|mRqw$#f52gskpeQ;-bjLJdEV-elIbPO)v2y;^3JmDHc7m9*dIVacdBM z$PICi>V!Oe+tn?U@5M_+!y`|%@_%K2n!Xsj@f(o&{(p<||IPl+GXBTCqy_!Inc|QH z;FViv{=1Qtg)E$JqhXl6YJXr=!TsvTm#;CNj!gd}vQLtmzeQ;A9mbq?7nSAT>7$6U zjQ>s^MEsy8noIug0a7jh$IyQg%ut}I>cVy(HqGPzw%!!uzxCfN^o*OMoi$MI6p$1%d@yrOwI)> zY7dKSh+7;o2CoV^SfHp>+*Z(zO-q@x#%e%_uBtxQj9DibhV%jj$7qZ$8#SQ)fuw%w z^iS6z?)lqt9A}`|kTD&A>$Hy;`sZ+rDwa;hHzD!WpyE}A-&J6h4RxS+#wwG)7hd38^>bCV)RjS6`gE=rTsW z&`_TZh|vJae%qX4A2M@6s!Wu>-j9;>V|(a7H|&#_hx-_tHA%QZ>+yr@_+Y{3O9a( z@x9~s+!e~1=PyaR355ClHss^kCTLZ1%_wTOGvynElva2TA(p%cnw7m$LO{}RS z_s6@Wim<-nJCT(2X!0ne`Z36S$-JxIX;`|sc4y{Fn7f|ZLavLJb}(;cH)qg4r=!sa z9APm~m$iD0PZKPIrDo`%G(-7^5FZ;-`$aTLO2NYy(;QV|zM`RNTrNMNiv>!`xYxdJP) zR<&_+-`z_!rp>oBY_2nFo@3NpY0^Avjy0Cd{TgMSto!3=@gDkayG-*_t^CJmT2eMc z()=5UfadxC-`dzN%75PUm;V3nCA}~NcPzlG5E1Yyr1U(ALAUOb-A%o*%iCHPbmjk7 zRzM$k-@kWWD01+R5lx7aVF%b3P6kK9W_E2y$$HCm~#KW!r*d61WVkWT@BS#4nt9I5LHFo%zh{zw@^ zJf=#dC#&dN7SPvJTU5u2#9U|g6oHyMJ?FLjX29;zL3-m&sgSXX2S+DIT*ra6^u-dNm{A`gNtk-w zJV~kf`=Rk)yZ@~Xy=H5;7c*q!g)P4SSYO}l@08wu^q2epUXuHugR=aij#&>uRw|1f z8rEyYdFjE>pTwRUdg0j6v1&ynMkdkL%MT;VE-c%nJE;b5MADsI&R)I{`O)+M3wnKO zy323-YUJkqwCE9PCXE3Noj^I;%$fU*y+ADnl-XWo7Helg4^fL_uBpeF5;W80+4Ma-FEc%bPls;60q9 zotY?l{y4&EN0Oh%A6<&Cn9IgfLHYtR^Rm2>gd&IUj z@w)T5>9lLk?go>tJ#6al-%sCy_eb9Kcj7*120(9WDqM4KS~>}OxKttk?a2kHePXuL z$2|Sd_IknoV|{ylYbpP|m-GT0K_L($90&?D*1^RD5pb5^P-$7s!(86$ya1;Y%mGj0 zm@>fupP(=V ze=q3;*qcByMj;({cEeEe%Sz4ZtFIi47>$&gG>N%j2u9%3(JuHcT`fihdV#|boFM>% z00okgDD|k^Qk~9=7vS@edE9R}K+x}h0Up@sZ}h$X&)#~!^Wwz|uq!KfJg{%HL9*M- z#AA#IVo*>9FabkDl$0KF*iqG$fe%(K{HdN51Q}-`hcwh0XlJQ=TFN?fYK$lYzoRe$ zo4}`03SMXH$0wq_GU#mRA{XiF8W8oJ7m zUd_N%>^M!72Ala@)N==rgJZpk!32^(^6;6XR5c$BKQj=`GN$;i*#F1-yYCP8+uHo| z_W%0!&gORU{NLJKU&jBrm-NEj%WC28$u? z%z{DSaQR>&M9c?kYcxj0Tw**pMnuTtd6JyTE1t8|)XL;ebH;J+a5(IAzMdciKBswK zUfIU&g(;vuS3lH$zRE&tD|*G#D3UuZpneh|qOWVcuWDA-nU$88 zb7%?-8G^wT(0AOR^AGj1Dy{F4irSx#_do3Kp6q}9xO=$&#VO!`rBfVh)j0?x-R_{Q?1s8S)j8HSB6e+BXzHVaO?9iq3LvTWIdnfR3~aq4GfivOB5j zTrLr13xtfRp=OXrGz{qlw+G2DhzoGUpf9j5+33!vSoO0$=RzvERw7tXO-Rk0y6X57<7&k4W*&NeuT#i z3e@A1A>cm4akT*_Dorj2WyN!71ggRc+FWUTQ#VkQ;V~vKw344ya52Fl0&?WC6FG5% z?o_1L0|!EWA%+_1)!~SJN;LqN3=dSb06`b##PuNoI8tj*VorPWmSv(UBsoxNgc=6{ z)l@{GptN89^)A~m6${0zznjypBI(|c3wd(}K@c>?K3|(|e4TEZ`D029RWN%s{ahvw zl0NKTq9_(}dLOgZcWRe|Mg&X*jiA6j48tqHk`BS+93C|K`07VH3@81z+kxRdi(i5Z8xz2upCg~cyN18rJ^#3SH z&RVId+i0tE4F=u<2`pItd89UHtzbUiA9fz&yFp+S6*D)vY!bLzoVTz(9x`2npZP|9MkX# z)AqZBd1d&SLhmYY12A?g>TRIQrS!o6Ob`LKE(|Fd>$7$^{|+!*)q1j6ccJ822?3CU z7%~CqsIHNrVvwNn)r$!hX>5r$;B<$qc}2jF9K%vzS^R`4enrDbE_fFe&nR7kp`5Gs z;j||IygB$Az`Vel{HQF;@J;XSW^cWPmEHj61qNlwx3tZ-%n2q0mV8SKZPmg20%CEB zBSaJ7_I^qQ41vIrGQ^ODQuf8A=7NGV(-O#FWyUBSl?8fGA3@zN^T4OP0yYt z^}kDzqWds!R`1HOic{`K0Q+5@p}EJIGkTXWm*s$c2l@j*{Td9|< zBhnZ_coRlT;gJ9=X3)XLN*Lo^rYtt+;l875jgvKwLIChBer@TI!DqOE$EFV)>9 z-G#cl7UoNJcT4K-M$leryYED5JQwCmZTIId!ve6{7s>qTa2!wSrj$!}dF4;<)vf?$L1;^=SsDW*bb3f9i zWA@2C?|}pDJBuT+s-Gz7=5k#O0p^n41dsr5Up3-h@Gvqj})&jajty3Xec%odlIJqM__ zE-$MNzA&@*o65_cGVJe^w#*fnE#+m8TVCb_AZ#)%>y5G;C-C{Ew%`958y6*6oDci! z%<0?ldkzw=jFU3QXKV8B=VYg((w)M*{Fu1Z`y9p}1`#F}>PoudI*@N;&<~K>W{4zM z8feJV-kUT23gA!e9L}XS59PE?3-kFJ@^lmnG5${+?5!F=+BPlB=WEE*Q7p*#KWV79 z$?&IbTA0t*kf)=#A>;ofVSlHzWxj?y9mPz>-x&NZ8UL0T|DEma&5cH^zba{Yf0zVV z91wxn6ow6ECil=t?H%G@Y4z5{1p5=+5Wrmd>v&%28Voo4Z9ZJ~DdB=aOvGQ9>Q%u% zNIEp5dkORiUg9W;zzaY}2H4ZIvT_H`guYKhr~P)u{1E9H3^&?@xdPd*j7EFVpUmaX zufZui*Lqq;RhWD_a=aT0YEX~{gU~Ba8hOc}eh7s>`2!Pmgw*%1O867x zpF0pXF1^n&3Al=dtwM=Nh6skCLt;1x&=k0*$6z33KDz<^=gvQs-jtN}yvL+}Mk41&zT3@X8jRVv)g;eiRqaQn8ZV4i5Q9YM*h@yRP)}xVKim38m^MP5u8jh4cI6tz_P~+0XCzcv%t8Sm zF>ysC26fjFf<#%|Gp?e`_?Y=gG(|)>!AxHAbaIrWn=m0E;#{`C6NWf|3;_Yp5s}mI zDG`i@U_vj7ed>4FIjxE|VyiM6_Q1za zr~3nNFalRJF|k6GE8|swh@>wH$X7IBxvR6JIb3L*$N?fUqRdANKO1Tr=GD`j-Mcmk zsiGPZ0p`^MO&jWg_Y`sUoa%zIa|7EtL_flNLEASg4fFj=ff#||dnjOi?*`_`Q~<%8 z8c#8`XabUf_%|Cj_t+4D{mU2Y>LVFbixpvbKk!PS{J2U z10~U!R(|-D_~xOJ55th>xD*pJ9;uj)0kWKYnd$BUZygwwyK?kDg<+x?k>5TY?*2bV z$Dj62dca=QbkNJRR0OX;NG}kR69UJ(halmSy@4dqZGyd{KY^GqDnzIv?4Kq?8BplR zlQb4M!hdUTv`Vc2W9VaX)l(q%+VFXvf*c8keg2Dv$~*zfH8|AeC0(IR$lHvz2kGgH ztn(c*Gyubx(FlnNO89UU47q^*dBE@#v7rv6s2<|^lJ$6uN2gBLVEDP4O{9ApyBq~` zCDv^wn5+~{9_AZ(euBxOXwpLLCW6UInAZx)>MxguTWM2 zcx(4mD)g)Ye+`BoktBz0v{i=rEd-NwM5cwoK8n<)Sh4{5T7k>0L@vdB@MHuo?O*>3 zFs~H^KRHows{MT+LGT?Tt5!ESOFLLP1D=&`uzl@d0p_(5$+l#Y4=Z830i4>FNk&-g z+NkjRa$nc2&1PdjbT!@34 zK)qyKcFd^|4hg9eu#;BG7{1;2%A@Y(&-uu4?h0-sWpR-$}puhz01oL zPMvgt___N<0HA%RXq9eSYkJpC(VCWj9;w#V;({1(VXoyY^Lx+MxveAM*uG(Yrl~zw zidi3BXm6oE-NDK}zfXhbqu8+c8e9 zFP!HL_F}qwG)$EF-w|b%{sOgeAc$r54A?)rbPa|-_kV8ZA$T>+<4S1T-i=KYb=YP1j)9j>&5^7D7Blts%iSw#31#hN^K;BQiFAg-Sx=*?3r0W-$^6 z$VUMpJ_1x86+_$25L`?UalC~*zGMR*RUeQHQ{~t!gq#=bhp)kr$pya5)~3VHon~Ky zp>{jwS)H2Cu)sdN!JEoiOiAiRxa3c+!hakkitEmn>hp&Fw~_YnW;{FdBo0x8h=8H` z%m?7}&p-eC<$I&nD&da`29^2#b>wvDi(KS%YK6Lb{SJ%>0N^R?>%P;|$tJWpcd2K4m9iB(RjP31hyha@PQduy4`6W(R=9@V=`IZj=`fVrUp3}fms z8lop287xb8e`FJV$m+wP5GLaqoJ?pE1^@z6%o^LwzQ4+Y+-C@iM|m^7S!(kTzsuAF z!Jk@j;uH5e;rFQF$<9*CgK5G;9XR2dsTi>i9 zU#DZv_r8F>`I+IN?Q_dQzFEALS{3s%gLE<74dm;Dw)x&?32=?`_Ur_CMyYK9u7P=t z&^F(D>B5--JSWP1HmQA?tp<5hsZ%D)(olZB@+&vp$pgGv`BlF6YFSoF&!6zkdUk4C zmZf3dG`P@Gmi4G*S%zrUSb62ARkZlhTjzPFwk^Ii%2VAQ0c6wo&{DzdO%+7ZobC5-9~4**Muz!6$A&Kiam<^^wS^}VNF!F~*ItJJnwH>SZJO^BEs9x~s%8!EDr#wdUb z`kcaa%CoPn0D2PUTs^35N?sPAE&Tbs)NOs82WP#C#}kuW3B;5m!728ig7?kVc)WC-vnlpbPh7qRWG3<)25&WLyVF zw}rh6^N_;e7Z^g~%a&*NF4y_Nk)$U|{Y^*UgHzKscgul2vUClGt*N_Rm}_Cw-*W^b z**aHZ5kVb89{WZPOdM&|vq)`=qSzVqd)n5fQSTo5jg&3cW*(@4NoVv z7~Dj=YBZ5x_7D>X@YPoBux4XZvygK_8)RepXu=!lYD$`*5sQKxj-FS_2RXRNy=(U5 zv|B<_=fw-KCs|K?mMC-DJ>`{`cRI#jHA5r)g5Yzmn4sWy6h^W*6JK6UgoycIZH>l= zc-mOaQ!br)V=N}gnY@{2^I5w_|L$z9Z~wHu zwe@CwYiE07YxAf6`u67b_D`VSM(6WV!UbeM^>5u*adJ;2y#U901%OXSyUy*s(@}?= z+Bg7na0WRF03D5N_?RT-f*}}z&-sek1~=Q;r%`#YyE|Mkgw`S`Zyjr@KknqN*uC5N zRc&pCls`=t8K#LSSM|oIOpeR=QeMrd5ltBQEXhYUG_&f}*c4$gAJ(QDy~{O3)@TgP zmXIS{=}B-P3k~fMRmX%H(J-VJD!dYnVoDGZe9-B51#oJ@sqXBaedtpvgE@fKd>4^1 zCdLyKqf;EnE=-=r#h6aziAjua=|57@ru7HQd+I*rNDI=DL)p`3_nAccxXvkVj*<*) zdGVWA|^!r_wTi|RWECmuf53nO$(T=R#IaI6Kq1VP?!kBd=v|= ze7(cf(T+uTKR8S1PWw<{<5mcx> zMq>&>I>x@@yY1|Z!Mm|<0pfQW1yg`lmFT;TrugCJ;Yb{Z60(*kM6uc&2IBHw zqxw?8NTAF=!z8_!R=|i4!7JQDJ#ZlhDhHT0wW4FPIriAOve^`=9aUCa(3SbL-n!UF z1rE<4`f0}T{_gw3{hs1p|BS~B28Jhf2AX70w^-W4pN%ACK(0Nx0dadZ9!pmNBv)x0V1!W^n5and1mv9hSUrzYqm*Tj zPL7=YRYnUYU<9X>X>!Fe8HWhy+3Ds7b(1ZRT8B5Wpwr<@44tc5qQGEV4M!sT=;TNe zeh45K%6pJ)Y6xDTDIyY_vV#Z`9pKpy5hNgqvq`SVMTAY9s1V5+r+ddbepRdFjL~yM z02h*|NPrdMLh;0(XyDpNNUDu246^Pbje`8j449a;I9x4EVHF_Z_f~omQYoyM#xMtC zBmftQf36R8%=O4tL9E9tNuea~a)_42m3z`9BNiB{-Q0|g?yA@6{25b{2C1rB$bwpH zM3J(JYQ}o)R4gyoN*N2e;wLa1Wn15}Df$q@JQq;F4oRC#*p;8r2em09M6?)0u9G4K zOM?mAhJ>Z3@7jtzY0i+O8bKPyY9=N|mda~a`Mi?CXE;xhllRS$h16D|4A2Fro~1gJ m^m&sja3UZHAPe|XKCn#7v`jx#`u_p|0RR88p<{ypOacH$qTLk$ literal 0 HcmV?d00001 diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml new file mode 100644 index 0000000000..531cd37e2d --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd +apiVersion: v1 +description: Installs the CRDs for rancher-gatekeeper. +name: rancher-gatekeeper-crd +type: application +version: 103.0.1+up3.12.0 diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md new file mode 100644 index 0000000000..26079c833e --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md @@ -0,0 +1,2 @@ +# rancher-gatekeeper-crd +A Rancher chart that installs the CRDs used by rancher-gatekeeper. diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml new file mode 100644 index 0000000000..ce98648baf --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml @@ -0,0 +1,757 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assign.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: Assign + listKind: AssignList + plural: assign + singular: assign + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml new file mode 100644 index 0000000000..bab801672a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml @@ -0,0 +1,237 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml new file mode 100644 index 0000000000..468b01fccd --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml @@ -0,0 +1,655 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignmetadata.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignMetadata + listKind: AssignMetadataList + plural: assignmetadata + singular: assignmetadata + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml new file mode 100644 index 0000000000..57826ac09a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml @@ -0,0 +1,105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: configs.config.gatekeeper.sh +spec: + group: config.gatekeeper.sh + names: + kind: Config + listKind: ConfigList + plural: configs + singular: config + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Config is the Schema for the configs API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigSpec defines the desired state of Config. + properties: + match: + description: Configuration for namespace exclusion + items: + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + processes: + items: + type: string + type: array + type: object + type: array + readiness: + description: Configuration for readiness tracker + properties: + statsEnabled: + type: boolean + type: object + sync: + description: Configuration for syncing k8s objects + properties: + syncOnly: + description: If non-empty, only entries on this list will be replicated into OPA + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + validation: + description: Configuration for validation + properties: + traces: + description: List of requests to trace. Both "user" and "kinds" must be specified + items: + properties: + dump: + description: Also dump the state of OPA with the trace. Set to `All` to dump everything. + type: string + kind: + description: Only trace requests of the following GroupVersionKind + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + user: + description: Only trace requests from the specified user + type: string + type: object + type: array + type: object + type: object + status: + description: ConfigStatus defines the observed state of Config. + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..230a541bb7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml @@ -0,0 +1,67 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constraintpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintPodStatus + listKind: ConstraintPodStatusList + plural: constraintpodstatuses + singular: constraintpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. + properties: + constraintUID: + description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + enforced: + type: boolean + errors: + items: + description: Error represents a single error caught while adding a constraint to OPA. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml new file mode 100644 index 0000000000..737e3aff15 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml @@ -0,0 +1,357 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplates.templates.gatekeeper.sh +spec: + group: templates.gatekeeper.sh + names: + kind: ConstraintTemplate + listKind: ConstraintTemplateList + plural: constrainttemplates + singular: constrainttemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: false + properties: + legacySchema: + default: false + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..271572bd7e --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml @@ -0,0 +1,66 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintTemplatePodStatus + listKind: ConstraintTemplatePodStatusList + plural: constrainttemplatepodstatuses + singular: constrainttemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml new file mode 100644 index 0000000000..042249cf10 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml @@ -0,0 +1,73 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplate.expansion.gatekeeper.sh +spec: + group: expansion.gatekeeper.sh + names: + kind: ExpansionTemplate + listKind: ExpansionTemplateList + plural: expansiontemplate + singular: expansiontemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml new file mode 100644 index 0000000000..1bb1933366 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml @@ -0,0 +1,676 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: modifyset.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: ModifySet + listKind: ModifySetList + plural: modifyset + singular: modifyset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml new file mode 100644 index 0000000000..fd6a0f6dea --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml @@ -0,0 +1,65 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: mutatorpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: MutatorPodStatus + listKind: MutatorPodStatusList + plural: mutatorpodstatuses + singular: mutatorpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: MutatorPodStatus is the Schema for the mutationpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml new file mode 100644 index 0000000000..95e66a8b8a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml @@ -0,0 +1,78 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: providers.externaldata.gatekeeper.sh +spec: + group: externaldata.gatekeeper.sh + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + preserveUnknownFields: false + scope: Cluster + versions: + - deprecated: true + deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead. + name: v1alpha1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the Provider API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: false + - name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl new file mode 100644 index 0000000000..6a89079bcb --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl @@ -0,0 +1,22 @@ +# Rancher + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml new file mode 100644 index 0000000000..e5589e68c0 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml @@ -0,0 +1,126 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-create + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": post-install, post-upgrade, post-rollback + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-create + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: create-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-delete + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-delete + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - name: remove-finalizers + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + containers: + - name: delete-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - delete + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml new file mode 100644 index 0000000000..31016b6efa --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-manifest + namespace: {{ .Release.Namespace }} +data: + crd-manifest.yaml: | + {{- $currentScope := . -}} + {{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}} + {{- range $path, $_ := $crds -}} + {{- with $currentScope -}} + {{ .Files.Get $path | nindent 4 }} + --- + {{- end -}}{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml new file mode 100644 index 0000000000..d1df389610 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml @@ -0,0 +1,76 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: ['create', 'get', 'patch', 'delete'] +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ .Chart.Name }}-manager +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }}-manager +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml new file mode 100644 index 0000000000..3304f097b3 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml @@ -0,0 +1,21 @@ +# Default values for rancher-gatekeeper-crd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + +image: + repository: rancher/kubectl + tag: v1.20.2 + +enableRuntimeDefaultSeccompProfile: true + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore b/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md new file mode 100644 index 0000000000..c68d23c240 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md @@ -0,0 +1,15 @@ +# Changelog +All notable changes from the upstream OPA Gatekeeper chart will be added to this file + +## [Package Version 00] - 2020-09-10 +### Added +- Enabled the CRD chart generator in `package.yaml` + +### Modified +- Updated namespace to `cattle-gatekeeper-system` +- Updated for Helm 3 compatibility + - Moved crds to `crds` directory + - Removed `crd-install` hooks and templates from crds + +### Removed +- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml new file mode 100644 index 0000000000..581fbe168e --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper +apiVersion: v2 +appVersion: v3.12.0 +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments +home: https://github.com/open-policy-agent/gatekeeper +icon: https://charts.rancher.io/assets/logos/gatekeeper.svg +keywords: +- open policy agent +- security +name: rancher-gatekeeper +sources: +- https://github.com/open-policy-agent/gatekeeper.git +version: 103.0.1+up3.12.0 diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md new file mode 100644 index 0000000000..155a813376 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md @@ -0,0 +1,210 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. + +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ + +## Parameters + +| Parameter | Description | Default | +| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | +| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | +| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | +| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | +| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` +| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | +| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | +| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | +| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | +| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | +| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | +| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | +| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | +| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | +| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data | `true` | +| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | `false` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.12.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | +| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | +| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | +| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | +| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | +| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | +| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | +| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | + +## Contributing Changes + +Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md new file mode 100644 index 0000000000..dff688f517 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md @@ -0,0 +1,32 @@ +# Rancher OPA Gatekeeper + +This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/). + +The chart installs the following components: + +- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster. +- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations. +- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources. +- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to). + +For more information on how to configure the Helm chart, refer to the Helm README. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl new file mode 100644 index 0000000000..c71a8fb617 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl @@ -0,0 +1,113 @@ + +{{/* +Expand the name of the chart. +*/}} +{{- define "gatekeeper.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gatekeeper.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gatekeeper.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Adds additional pod labels to the common ones +*/}} +{{- define "gatekeeper.podLabels" -}} +{{- if .Values.podLabels }} +{{- toYaml .Values.podLabels | nindent 8 }} +{{- end }} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Output post install webhook probe container entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeContainer" -}} +- name: webhook-probe-post + image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} + command: + - "curl" + args: + - "--retry" + - "99999" + - "--retry-max-time" + - "{{ .Values.postInstall.probeWebhook.waitTimeout }}" + - "--retry-delay" + - "1" + - "--max-time" + - "{{ .Values.postInstall.probeWebhook.httpTimeout }}" + {{- if .Values.postInstall.probeWebhook.insecureHTTPS }} + - "--insecure" + {{- else }} + - "--cacert" + - /certs/ca.crt + {{- end }} + - "-v" + - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s" + resources: + {{- toYaml .Values.postInstall.resources | nindent 4 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 4 }} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true +{{- end -}} + +{{/* +Output post install webhook probe volume entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeVolume" -}} +- name: cert + secret: + secretName: {{ .Values.externalCertInjection.secretName }} +{{- end -}} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml new file mode 100644 index 0000000000..9abb84ecb3 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml @@ -0,0 +1,35 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sallowedrepos +spec: + crd: + spec: + names: + kind: K8sAllowedRepos + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + repos: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sallowedrepos + + violation[{"msg": msg}] { + container := input.review.object.spec.containers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.initContainers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2c179e570d --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - projected + - secret + - downwardAPI + - emptyDir +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml new file mode 100644 index 0000000000..4b68998cb4 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml new file mode 100644 index 0000000000..a1adb6044b --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml @@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-audit + namespace: '{{ .Release.Namespace }}' +spec: + replicas: 1 + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.audit.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + args: + - --audit-interval={{ .Values.auditInterval }} + - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} + - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} + - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} + - --audit-from-cache={{ .Values.auditFromCache }} + - --audit-chunk-size={{ .Values.auditChunkSize }} + - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} + - --emit-audit-events={{ .Values.emitAuditEvents }} + - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} + - --operation=audit + - --operation=status + {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} + - --logtostderr + - --health-addr=:{{ .Values.audit.healthPort }} + - --prometheus-port={{ .Values.audit.metricsPort }} + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + + {{- if .Values.audit.logFile}} + - --log-file={{ .Values.audit.logFile }} + {{- end }} + - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.audit.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.audit.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.readinessTimeout }} + resources: + {{- toYaml .Values.audit.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.audit.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + - mountPath: /tmp/audit + name: tmp-volume + dnsPolicy: {{ .Values.audit.dnsPolicy }} + hostNetwork: {{ .Values.audit.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.audit.nodeSelector }} +{{ toYaml .Values.audit.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.audit.priorityClassName }} + priorityClassName: {{ .Values.audit.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.audit.tolerations }} +{{ toYaml .Values.audit.tolerations | indent 8 }} +{{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert + {{- if .Values.audit.writeToRAMDisk }} + - emptyDir: + medium: Memory + {{ else }} + - emptyDir: {} + {{- end }} + name: tmp-volume diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml new file mode 100644 index 0000000000..5eb8c9b428 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml @@ -0,0 +1,169 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.controllerManager.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - --port={{ .Values.controllerManager.port }} + - --health-addr=:{{ .Values.controllerManager.healthPort }} + - --prometheus-port={{ .Values.controllerManager.metricsPort }} + - --logtostderr + - --log-denies={{ .Values.logDenies }} + - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} + - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} + - --exempt-namespace={{ .Release.Namespace }} + - --operation=webhook + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + - --log-mutations={{ .Values.logMutations }} + - --mutation-annotations={{ .Values.mutationAnnotations }} + - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }} + - --max-serving-threads={{ .Values.maxServingThreads }} + - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }} + {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} + + {{- range .Values.disabledBuiltins}} + - --disable-opa-builtin={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaces}} + - --exempt-namespace={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespacePrefixes}} + - --exempt-namespace-prefix={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaceSuffixes}} + - --exempt-namespace-suffix={{ . }} + {{- end }} + + {{- if .Values.controllerManager.logFile}} + - --log-file={{ .Values.controllerManager.logFile }} + {{- end }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.controllerManager.port }} + name: webhook-server + protocol: TCP + - containerPort: {{ .Values.controllerManager.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.controllerManager.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }} + resources: + {{- toYaml .Values.controllerManager.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.controllerManager.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} + hostNetwork: {{ .Values.controllerManager.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.controllerManager.nodeSelector }} +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.controllerManager.priorityClassName }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.controllerManager.tolerations }} +{{ toYaml .Values.controllerManager.tolerations | indent 8 }} +{{- end }} + topologySpreadConstraints: + {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml new file mode 100644 index 0000000000..e05213feb4 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml @@ -0,0 +1,30 @@ +{{- if .Values.controllerManager.networkPolicy.enabled -}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + {{- with .Values.controllerManager.networkPolicy.ingress }} + {{- toYaml . | nindent 4 }} + {{- end }} + podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' +{{- end -}} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml new file mode 100644 index 0000000000..424f6a67c4 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml @@ -0,0 +1,24 @@ +{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} +apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }} +kind: PodDisruptionBudget +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + minAvailable: {{ .Values.pdb.controllerManager.minAvailable }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml new file mode 100644 index 0000000000..1546463669 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml @@ -0,0 +1,23 @@ +{{- if .Values.resourceQuota }} +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-critical-pods + namespace: '{{ .Release.Namespace }}' +spec: + hard: + pods: {{ .Values.podCountLimit }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - {{ .Values.controllerManager.priorityClassName }} + - {{ .Values.audit.priorityClassName }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml new file mode 100644 index 0000000000..37ac19cc1f --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml @@ -0,0 +1,174 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.mutatingWebhookName }} + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs/status + verbs: + - get + - patch + - update +- apiGroups: + - constraints.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - externaldata.gatekeeper.sh + resources: + - providers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mutations.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: + - policy + resourceNames: + - gatekeeper-admin + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} +- apiGroups: + - status.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/finalizers + verbs: + - delete + - get + - patch + - update +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/status + verbs: + - get + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.validatingWebhookName }} + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml new file mode 100644 index 0000000000..1018dcdb66 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml @@ -0,0 +1,37 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role + namespace: '{{ .Release.Namespace }}' +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- with .Values.controllerManager.extraRules }} + {{- toYaml . | nindent 0 }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml new file mode 100644 index 0000000000..1fb9f6c87a --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml new file mode 100644 index 0000000000..fbe9580d57 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding + namespace: '{{ .Release.Namespace }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..0bc3bc43eb --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml @@ -0,0 +1,60 @@ +{{- if not .Values.disableMutation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.mutatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/mutate + failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} + matchPolicy: Exact + name: mutation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }} + reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }} + rules: + {{- if .Values.mutatingWebhookCustomRules }} + {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..f0dd85d5e5 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -0,0 +1,109 @@ +{{- if not .Values.disableValidatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.validatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admit + failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} + matchPolicy: Exact + name: validation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }} + rules: + {{- if .Values.validatingWebhookCustomRules }} + {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + {{- if .Values.enableDeleteOperations }} + - DELETE + {{- end }} + resources: + - '*' + # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). + # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("' + - 'pods/ephemeralcontainers' + - 'pods/exec' + - 'pods/log' + - 'pods/eviction' + - 'pods/portforward' + - 'pods/proxy' + - 'pods/attach' + - 'pods/binding' + - 'deployments/scale' + - 'replicasets/scale' + - 'statefulsets/scale' + - 'replicationcontrollers/scale' + - 'services/proxy' + - 'nodes/proxy' + # For constraints that mitigate CVE-2020-8554 + - 'services/status' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admitlabel + failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }} + matchPolicy: Exact + name: check-ignore-label.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "" + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - namespaces + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml new file mode 100644 index 0000000000..a841780a55 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml @@ -0,0 +1,14 @@ +{{- if not .Values.externalCertInjection.enabled }} +apiVersion: v1 +kind: Secret +metadata: + annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-server-cert + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml new file mode 100644 index 0000000000..3c0f4453a1 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' +spec: + + ports: + - name: https-webhook-server + port: 443 + targetPort: webhook-server +{{- if .Values.service }} +{{- if .Values.service.healthzPort }} + - name: http-webhook-healthz + port: {{ .Values.service.healthzPort }} + targetPort: healthz + {{- end }} + {{- end }} + {{- if .Values.service }} + type: {{ .Values.service.type | default "ClusterIP" }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- end }} + selector: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml new file mode 100644 index 0000000000..4b4559df93 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml @@ -0,0 +1,165 @@ +{{- if .Values.postInstall.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postInstall.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postInstall.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + initContainers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postInstall.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- if .Values.postInstall.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- with .Values.postInstall.labelNamespace.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml new file mode 100644 index 0000000000..9e4a754548 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml @@ -0,0 +1,153 @@ +{{- if .Values.postUpgrade.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postUpgrade.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postUpgrade.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postUpgrade.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postUpgrade }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label-post-upgrade +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml new file mode 100644 index 0000000000..c9f7065271 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml @@ -0,0 +1,46 @@ +{{- if not .Values.disableValidatingWebhook }} +{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-probe-webhook-post-install + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml new file mode 100644 index 0000000000..e93e6a0a7d --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml @@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + message: + type: string + labels: + type: array + items: + type: object + properties: + key: + type: string + allowedRegex: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + get_message(parameters, _default) = msg { + not parameters.message + msg := _default + } + + get_message(parameters, _default) = msg { + msg := parameters.message + } + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_].key} + missing := required - provided + count(missing) > 0 + def_msg := sprintf("you must provide labels: %v", [missing]) + msg := get_message(input.parameters, def_msg) + } + + violation[{"msg": msg}] { + value := input.review.object.metadata.labels[key] + expected := input.parameters.labels[_] + expected.key == key + # do not match if allowedRegex is not defined, or is an empty string + expected.allowedRegex != "" + not re_match(expected.allowedRegex, value) + def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) + msg := get_message(input.parameters, def_msg) + } diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml new file mode 100644 index 0000000000..28c2d6bb00 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml @@ -0,0 +1,116 @@ +{{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "create", "update", "patch"] +{{- with .Values.upgradeCRDs.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +subjects: + - kind: ServiceAccount + name: gatekeeper-admin-upgrade-crds + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: gatekeeper-admin-upgrade-crds + apiGroup: rbac.authorization.k8s.io +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + name: gatekeeper-admin-upgrade-crds + namespace: '{{ .Release.Namespace }}' + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-crds-hook + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gatekeeper.name" . }} + chart: {{ template "gatekeeper.name" . }} + gatekeeper.sh/system: "yes" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" +spec: + backoffLimit: 0 + template: + metadata: + name: gatekeeper-update-crds-hook + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + serviceAccountName: gatekeeper-admin-upgrade-crds + restartPolicy: Never + {{- if .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- end }} + containers: + - name: crds-upgrade + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - apply + - -f + - crds/ + resources: + {{- toYaml .Values.crds.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.crds.securityContext | nindent 10 }} + {{- with .Values.crds }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..9c4f3a3c20 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml @@ -0,0 +1,24 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "mutations.gatekeeper.sh/v1/Assign" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignImage" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/AssignMetadata" false -}} +# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}} +# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}} +# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}} +# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}} +# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}} +# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml new file mode 100644 index 0000000000..b57bc69894 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml @@ -0,0 +1,141 @@ +{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} + imagePullSecrets: + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs + containers: + - name: kubectl-delete + image: '{{ template "system_default_registry" . }}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete + {{- if not .Values.disableValidatingWebhook }} + - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} + {{- end }} + {{- if not .Values.disableMutation }} + - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} + {{- end }} + resources: + {{- toYaml .Values.preUninstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} + {{- with .Values.preUninstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .nodeSelector }} +{{ toYaml .nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .tolerations }} +{{ toYaml .tolerations | indent 8 }} +{{- end }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{- if not .Values.disableValidatingWebhook }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - {{ .Values.validatingWebhookName }} + verbs: + - delete + {{- end }} + {{- if not .Values.disableMutation }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - {{ .Values.mutatingWebhookName }} + verbs: + - delete + {{- end }} +{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-delete-webhook-configs +subjects: + - kind: ServiceAccount + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml new file mode 100644 index 0000000000..d1029e24ae --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml @@ -0,0 +1,271 @@ +replicas: 3 +auditInterval: 60 +metricsBackends: ["prometheus"] +auditMatchKindOnly: false +constraintViolationsLimit: 20 +auditFromCache: false +disableMutation: false +disableValidatingWebhook: false +validatingWebhookName: gatekeeper-validating-webhook-configuration +validatingWebhookTimeoutSeconds: 3 +validatingWebhookFailurePolicy: Ignore +validatingWebhookAnnotations: {} +validatingWebhookExemptNamespacesLabels: {} +validatingWebhookObjectSelector: {} +validatingWebhookCheckIgnoreFailurePolicy: Fail +validatingWebhookCustomRules: {} +enableDeleteOperations: false +enableExternalData: true +enableGeneratorResourceExpansion: false +enableTLSHealthcheck: false +maxServingThreads: -1 +mutatingWebhookName: gatekeeper-mutating-webhook-configuration +mutatingWebhookFailurePolicy: Ignore +mutatingWebhookReinvocationPolicy: Never +mutatingWebhookAnnotations: {} +mutatingWebhookExemptNamespacesLabels: {} +mutatingWebhookObjectSelector: {} +mutatingWebhookTimeoutSeconds: 1 +mutatingWebhookCustomRules: {} +mutationAnnotations: false +auditChunkSize: 500 +logLevel: INFO +logDenies: false +logMutations: false +emitAdmissionEvents: false +emitAuditEvents: false +admissionEventsInvolvedNamespace: false +auditEventsInvolvedNamespace: false +resourceQuota: true +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper + tag: v3.12.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] +preInstall: + crdRepository: + image: + repository: null + tag: v3.12.0 +postUpgrade: + labelNamespace: + enabled: false + image: + repository: rancher/kubectl + tag: v1.20.2 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +postInstall: + labelNamespace: + enabled: true + extraRules: [] + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + probeWebhook: + enabled: true + image: + repository: rancher/mirrored-curlimages-curl + tag: 7.83.1 + pullPolicy: IfNotPresent + pullSecrets: [] + waitTimeout: 60 + httpTimeout: 2 + insecureHTTPS: false + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +preUninstall: + deleteWebhookConfigurations: + extraRules: [] + enabled: false + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + affinity: {} + tolerations: [] + nodeSelector: {} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +podAnnotations: {} +podLabels: {} +podCountLimit: "100" +secretAnnotations: {} +enableRuntimeDefaultSeccompProfile: true +controllerManager: + exemptNamespaces: [] + exemptNamespacePrefixes: [] + hostNetwork: false + dnsPolicy: ClusterFirst + port: 8443 + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: false + tlsMinVersion: 1.3 + clientCertName: "" + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gatekeeper.sh/operation + operator: In + values: + - webhook + topologyKey: kubernetes.io/hostname + weight: 100 + topologySpreadConstraints: [] + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + extraRules: [] + networkPolicy: + enabled: false + ingress: { } + # - from: + # - ipBlock: + # cidr: 0.0.0.0/0 +audit: + hostNetwork: false + dnsPolicy: ClusterFirst + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: true + affinity: {} + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + writeToRAMDisk: false + extraRules: [] +crds: + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +pdb: + controllerManager: + minAvailable: 1 +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + kubectl: + repository: rancher/kubectl + tag: v1.20.2 +service: {} +disabledBuiltins: ["{http.send}"] +upgradeCRDs: + enabled: true + extraRules: [] +rbac: + create: true +externalCertInjection: + enabled: false + secretName: gatekeeper-webhook-server-cert diff --git a/index.yaml b/index.yaml index a9dd671e4b..89bbad4739 100755 --- a/index.yaml +++ b/index.yaml @@ -7729,6 +7729,36 @@ entries: - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz version: 0.1.400 rancher-gatekeeper: + - annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper + apiVersion: v2 + appVersion: v3.12.0 + created: "2023-08-23T17:22:58.94666364-03:00" + description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments + digest: ee25ad45beb67bc91aa47dd7c576ba89cd00ade03db94341c463948901a3c0c6 + home: https://github.com/open-policy-agent/gatekeeper + icon: https://charts.rancher.io/assets/logos/gatekeeper.svg + keywords: + - open policy agent + - security + name: rancher-gatekeeper + sources: + - https://github.com/open-policy-agent/gatekeeper.git + urls: + - assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz + version: 103.0.1+up3.12.0 - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher @@ -8102,6 +8132,20 @@ entries: - assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz version: 3.1.100 rancher-gatekeeper-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd + apiVersion: v1 + created: "2023-08-23T17:22:58.953726661-03:00" + description: Installs the CRDs for rancher-gatekeeper. + digest: d47fba3bc692cd330ea61d70de4c1fd8e4316cd13cdf7bf6f13b17df132bd74d + name: rancher-gatekeeper-crd + type: application + urls: + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz + version: 103.0.1+up3.12.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"