Created
March 16, 2021 14:46
-
-
Save garethahealy/011aaf377063c11c93b491e94f8ebe07 to your computer and use it in GitHub Desktop.
3.3.0 gatekeeper
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: Namespace | |
metadata: | |
labels: | |
admission.gatekeeper.sh/ignore: no-self-managing | |
control-plane: controller-manager | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-system | |
--- | |
apiVersion: apiextensions.k8s.io/v1beta1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
controller-gen.kubebuilder.io/version: v0.3.0 | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: configs.config.gatekeeper.sh | |
spec: | |
group: config.gatekeeper.sh | |
names: | |
kind: Config | |
listKind: ConfigList | |
plural: configs | |
singular: config | |
scope: Namespaced | |
validation: | |
openAPIV3Schema: | |
description: Config is the Schema for the configs API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
spec: | |
description: ConfigSpec defines the desired state of Config | |
properties: | |
match: | |
description: Configuration for namespace exclusion | |
items: | |
properties: | |
excludedNamespaces: | |
items: | |
type: string | |
type: array | |
processes: | |
items: | |
type: string | |
type: array | |
type: object | |
type: array | |
readiness: | |
description: Configuration for readiness tracker | |
properties: | |
statsEnabled: | |
type: boolean | |
type: object | |
sync: | |
description: Configuration for syncing k8s objects | |
properties: | |
syncOnly: | |
description: If non-empty, only entries on this list will be replicated into OPA | |
items: | |
properties: | |
group: | |
type: string | |
kind: | |
type: string | |
version: | |
type: string | |
type: object | |
type: array | |
type: object | |
validation: | |
description: Configuration for validation | |
properties: | |
traces: | |
description: List of requests to trace. Both "user" and "kinds" must be specified | |
items: | |
properties: | |
dump: | |
description: Also dump the state of OPA with the trace. Set to `All` to dump everything. | |
type: string | |
kind: | |
description: Only trace requests of the following GroupVersionKind | |
properties: | |
group: | |
type: string | |
kind: | |
type: string | |
version: | |
type: string | |
type: object | |
user: | |
description: Only trace requests from the specified user | |
type: string | |
type: object | |
type: array | |
type: object | |
type: object | |
status: | |
description: ConfigStatus defines the observed state of Config | |
type: object | |
type: object | |
version: v1alpha1 | |
versions: | |
- name: v1alpha1 | |
served: true | |
storage: true | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: apiextensions.k8s.io/v1beta1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
controller-gen.kubebuilder.io/version: v0.3.0 | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: constraintpodstatuses.status.gatekeeper.sh | |
spec: | |
group: status.gatekeeper.sh | |
names: | |
kind: ConstraintPodStatus | |
listKind: ConstraintPodStatusList | |
plural: constraintpodstatuses | |
singular: constraintpodstatus | |
scope: Namespaced | |
validation: | |
openAPIV3Schema: | |
description: ConstraintPodStatus is the Schema for the constraintpodstatuses API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
status: | |
description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus | |
properties: | |
constraintUID: | |
description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch | |
type: string | |
enforced: | |
type: boolean | |
errors: | |
items: | |
description: Error represents a single error caught while adding a constraint to OPA | |
properties: | |
code: | |
type: string | |
location: | |
type: string | |
message: | |
type: string | |
required: | |
- code | |
- message | |
type: object | |
type: array | |
id: | |
type: string | |
observedGeneration: | |
format: int64 | |
type: integer | |
operations: | |
items: | |
type: string | |
type: array | |
type: object | |
type: object | |
version: v1beta1 | |
versions: | |
- name: v1beta1 | |
served: true | |
storage: true | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: apiextensions.k8s.io/v1beta1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
controller-gen.kubebuilder.io/version: v0.3.0 | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: constrainttemplatepodstatuses.status.gatekeeper.sh | |
spec: | |
group: status.gatekeeper.sh | |
names: | |
kind: ConstraintTemplatePodStatus | |
listKind: ConstraintTemplatePodStatusList | |
plural: constrainttemplatepodstatuses | |
singular: constrainttemplatepodstatus | |
scope: Namespaced | |
validation: | |
openAPIV3Schema: | |
description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
status: | |
description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus | |
properties: | |
errors: | |
items: | |
description: CreateCRDError represents a single error caught during parsing, compiling, etc. | |
properties: | |
code: | |
type: string | |
location: | |
type: string | |
message: | |
type: string | |
required: | |
- code | |
- message | |
type: object | |
type: array | |
id: | |
description: 'Important: Run "make" to regenerate code after modifying this file' | |
type: string | |
observedGeneration: | |
format: int64 | |
type: integer | |
operations: | |
items: | |
type: string | |
type: array | |
templateUID: | |
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. | |
type: string | |
type: object | |
type: object | |
version: v1beta1 | |
versions: | |
- name: v1beta1 | |
served: true | |
storage: true | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: apiextensions.k8s.io/v1beta1 | |
kind: CustomResourceDefinition | |
metadata: | |
creationTimestamp: null | |
labels: | |
controller-tools.k8s.io: "1.0" | |
gatekeeper.sh/system: "yes" | |
name: constrainttemplates.templates.gatekeeper.sh | |
spec: | |
group: templates.gatekeeper.sh | |
names: | |
kind: ConstraintTemplate | |
plural: constrainttemplates | |
scope: Cluster | |
subresources: | |
status: {} | |
validation: | |
openAPIV3Schema: | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
spec: | |
properties: | |
crd: | |
properties: | |
spec: | |
properties: | |
names: | |
properties: | |
kind: | |
type: string | |
shortNames: | |
items: | |
type: string | |
type: array | |
type: object | |
validation: | |
type: object | |
type: object | |
type: object | |
targets: | |
items: | |
properties: | |
libs: | |
items: | |
type: string | |
type: array | |
rego: | |
type: string | |
target: | |
type: string | |
type: object | |
type: array | |
type: object | |
status: | |
properties: | |
byPod: | |
items: | |
properties: | |
errors: | |
items: | |
properties: | |
code: | |
type: string | |
location: | |
type: string | |
message: | |
type: string | |
required: | |
- code | |
- message | |
type: object | |
type: array | |
id: | |
description: a unique identifier for the pod that wrote the status | |
type: string | |
observedGeneration: | |
format: int64 | |
type: integer | |
type: object | |
type: array | |
created: | |
type: boolean | |
type: object | |
version: v1beta1 | |
versions: | |
- name: v1beta1 | |
served: true | |
storage: true | |
- name: v1alpha1 | |
served: true | |
storage: false | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-admin | |
namespace: gatekeeper-system | |
--- | |
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
annotations: | |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-admin | |
spec: | |
allowPrivilegeEscalation: false | |
fsGroup: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
requiredDropCapabilities: | |
- ALL | |
runAsUser: | |
rule: MustRunAsNonRoot | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
volumes: | |
- configMap | |
- projected | |
- secret | |
- downwardAPI | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: Role | |
metadata: | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-role | |
namespace: gatekeeper-system | |
rules: | |
- apiGroups: | |
- "" | |
resources: | |
- events | |
verbs: | |
- create | |
- patch | |
- apiGroups: | |
- "" | |
resources: | |
- secrets | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-role | |
rules: | |
- apiGroups: | |
- '*' | |
resources: | |
- '*' | |
verbs: | |
- get | |
- list | |
- watch | |
- apiGroups: | |
- apiextensions.k8s.io | |
resources: | |
- customresourcedefinitions | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- config.gatekeeper.sh | |
resources: | |
- configs | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- config.gatekeeper.sh | |
resources: | |
- configs/status | |
verbs: | |
- get | |
- patch | |
- update | |
- apiGroups: | |
- constraints.gatekeeper.sh | |
resources: | |
- '*' | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- mutations.gatekeeper.sh | |
resources: | |
- '*' | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- policy | |
resourceNames: | |
- gatekeeper-admin | |
resources: | |
- podsecuritypolicies | |
verbs: | |
- use | |
- apiGroups: | |
- status.gatekeeper.sh | |
resources: | |
- '*' | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- templates.gatekeeper.sh | |
resources: | |
- constrainttemplates | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- templates.gatekeeper.sh | |
resources: | |
- constrainttemplates/finalizers | |
verbs: | |
- delete | |
- get | |
- patch | |
- update | |
- apiGroups: | |
- templates.gatekeeper.sh | |
resources: | |
- constrainttemplates/status | |
verbs: | |
- get | |
- patch | |
- update | |
- apiGroups: | |
- admissionregistration.k8s.io | |
resourceNames: | |
- gatekeeper-validating-webhook-configuration | |
resources: | |
- validatingwebhookconfigurations | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: RoleBinding | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-rolebinding | |
namespace: gatekeeper-system | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: Role | |
name: gatekeeper-manager-role | |
subjects: | |
- kind: ServiceAccount | |
name: gatekeeper-admin | |
namespace: gatekeeper-system | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-rolebinding | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: gatekeeper-manager-role | |
subjects: | |
- kind: ServiceAccount | |
name: gatekeeper-admin | |
namespace: gatekeeper-system | |
--- | |
apiVersion: v1 | |
kind: Secret | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-webhook-server-cert | |
namespace: gatekeeper-system | |
--- | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-webhook-service | |
namespace: gatekeeper-system | |
spec: | |
ports: | |
- port: 443 | |
targetPort: 8443 | |
selector: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
--- | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
labels: | |
control-plane: audit-controller | |
gatekeeper.sh/operation: audit | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-audit | |
namespace: gatekeeper-system | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
control-plane: audit-controller | |
gatekeeper.sh/operation: audit | |
gatekeeper.sh/system: "yes" | |
template: | |
metadata: | |
annotations: | |
container.seccomp.security.alpha.kubernetes.io/manager: runtime/default | |
labels: | |
control-plane: audit-controller | |
gatekeeper.sh/operation: audit | |
gatekeeper.sh/system: "yes" | |
spec: | |
automountServiceAccountToken: true | |
containers: | |
- args: | |
- --operation=audit | |
- --operation=status | |
- --logtostderr | |
command: | |
- /manager | |
env: | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.name | |
image: openpolicyagent/gatekeeper:v3.3.0 | |
imagePullPolicy: Always | |
livenessProbe: | |
httpGet: | |
path: /healthz | |
port: 9090 | |
name: manager | |
ports: | |
- containerPort: 8888 | |
name: metrics | |
protocol: TCP | |
- containerPort: 9090 | |
name: healthz | |
protocol: TCP | |
readinessProbe: | |
httpGet: | |
path: /readyz | |
port: 9090 | |
resources: | |
limits: | |
cpu: 1000m | |
memory: 512Mi | |
requests: | |
cpu: 100m | |
memory: 256Mi | |
securityContext: | |
allowPrivilegeEscalation: false | |
capabilities: | |
drop: | |
- all | |
readOnlyRootFilesystem: true | |
runAsGroup: 999 | |
runAsNonRoot: true | |
runAsUser: 1000 | |
nodeSelector: | |
kubernetes.io/os: linux | |
serviceAccountName: gatekeeper-admin | |
terminationGracePeriodSeconds: 60 | |
--- | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
labels: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-controller-manager | |
namespace: gatekeeper-system | |
spec: | |
replicas: 3 | |
selector: | |
matchLabels: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
template: | |
metadata: | |
annotations: | |
container.seccomp.security.alpha.kubernetes.io/manager: runtime/default | |
labels: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
spec: | |
affinity: | |
podAntiAffinity: | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- podAffinityTerm: | |
labelSelector: | |
matchExpressions: | |
- key: gatekeeper.sh/operation | |
operator: In | |
values: | |
- webhook | |
topologyKey: kubernetes.io/hostname | |
weight: 100 | |
automountServiceAccountToken: true | |
containers: | |
- args: | |
- --port=8443 | |
- --logtostderr | |
- --exempt-namespace=gatekeeper-system | |
- --operation=webhook | |
command: | |
- /manager | |
env: | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.name | |
image: openpolicyagent/gatekeeper:v3.3.0 | |
imagePullPolicy: Always | |
livenessProbe: | |
httpGet: | |
path: /healthz | |
port: 9090 | |
name: manager | |
ports: | |
- containerPort: 8443 | |
name: webhook-server | |
protocol: TCP | |
- containerPort: 8888 | |
name: metrics | |
protocol: TCP | |
- containerPort: 9090 | |
name: healthz | |
protocol: TCP | |
readinessProbe: | |
httpGet: | |
path: /readyz | |
port: 9090 | |
resources: | |
limits: | |
cpu: 1000m | |
memory: 512Mi | |
requests: | |
cpu: 100m | |
memory: 256Mi | |
securityContext: | |
allowPrivilegeEscalation: false | |
capabilities: | |
drop: | |
- all | |
readOnlyRootFilesystem: true | |
runAsGroup: 999 | |
runAsNonRoot: true | |
runAsUser: 1000 | |
volumeMounts: | |
- mountPath: /certs | |
name: cert | |
readOnly: true | |
nodeSelector: | |
kubernetes.io/os: linux | |
serviceAccountName: gatekeeper-admin | |
terminationGracePeriodSeconds: 60 | |
volumes: | |
- name: cert | |
secret: | |
defaultMode: 420 | |
secretName: gatekeeper-webhook-server-cert | |
--- | |
apiVersion: admissionregistration.k8s.io/v1beta1 | |
kind: ValidatingWebhookConfiguration | |
metadata: | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-validating-webhook-configuration | |
webhooks: | |
- clientConfig: | |
caBundle: Cg== | |
service: | |
name: gatekeeper-webhook-service | |
namespace: gatekeeper-system | |
path: /v1/admit | |
failurePolicy: Ignore | |
name: validation.gatekeeper.sh | |
namespaceSelector: | |
matchExpressions: | |
- key: admission.gatekeeper.sh/ignore | |
operator: DoesNotExist | |
rules: | |
- apiGroups: | |
- '*' | |
apiVersions: | |
- '*' | |
operations: | |
- CREATE | |
- UPDATE | |
resources: | |
- '*' | |
sideEffects: None | |
timeoutSeconds: 3 | |
- clientConfig: | |
caBundle: Cg== | |
service: | |
name: gatekeeper-webhook-service | |
namespace: gatekeeper-system | |
path: /v1/admitlabel | |
failurePolicy: Fail | |
name: check-ignore-label.gatekeeper.sh | |
rules: | |
- apiGroups: | |
- "" | |
apiVersions: | |
- '*' | |
operations: | |
- CREATE | |
- UPDATE | |
resources: | |
- namespaces | |
sideEffects: None | |
timeoutSeconds: 3 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment