-
-
Save praveenrewar/a97820ecef7a79ef13b2f7125421c723 to your computer and use it in GitHub Desktop.
Gatekeeper release updated
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apiVersion: v1 | |
kind: Namespace | |
metadata: | |
labels: | |
admission.gatekeeper.sh/ignore: no-self-managing | |
control-plane: controller-manager | |
gatekeeper.sh/system: "yes" | |
annotations: | |
kapp.k14s.io/change-group: "ns" | |
name: gatekeeper-system | |
--- | |
apiVersion: v1 | |
kind: ResourceQuota | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-critical-pods | |
namespace: gatekeeper-system | |
spec: | |
hard: | |
pods: 100 | |
scopeSelector: | |
matchExpressions: | |
- operator: In | |
scopeName: PriorityClass | |
values: | |
- system-cluster-critical | |
--- | |
apiVersion: apiextensions.k8s.io/v1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
controller-gen.kubebuilder.io/version: v0.5.0 | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: configs.config.gatekeeper.sh | |
spec: | |
group: config.gatekeeper.sh | |
names: | |
kind: Config | |
listKind: ConfigList | |
plural: configs | |
singular: config | |
scope: Namespaced | |
versions: | |
- name: v1alpha1 | |
schema: | |
openAPIV3Schema: | |
description: Config is the Schema for the configs API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
spec: | |
description: ConfigSpec defines the desired state of Config | |
properties: | |
match: | |
description: Configuration for namespace exclusion | |
items: | |
properties: | |
excludedNamespaces: | |
items: | |
type: string | |
type: array | |
processes: | |
items: | |
type: string | |
type: array | |
type: object | |
type: array | |
readiness: | |
description: Configuration for readiness tracker | |
properties: | |
statsEnabled: | |
type: boolean | |
type: object | |
sync: | |
description: Configuration for syncing k8s objects | |
properties: | |
syncOnly: | |
description: If non-empty, only entries on this list will be replicated into OPA | |
items: | |
properties: | |
group: | |
type: string | |
kind: | |
type: string | |
version: | |
type: string | |
type: object | |
type: array | |
type: object | |
validation: | |
description: Configuration for validation | |
properties: | |
traces: | |
description: List of requests to trace. Both "user" and "kinds" must be specified | |
items: | |
properties: | |
dump: | |
description: Also dump the state of OPA with the trace. Set to `All` to dump everything. | |
type: string | |
kind: | |
description: Only trace requests of the following GroupVersionKind | |
properties: | |
group: | |
type: string | |
kind: | |
type: string | |
version: | |
type: string | |
type: object | |
user: | |
description: Only trace requests from the specified user | |
type: string | |
type: object | |
type: array | |
type: object | |
type: object | |
status: | |
description: ConfigStatus defines the observed state of Config | |
type: object | |
type: object | |
served: true | |
storage: true | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: apiextensions.k8s.io/v1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
controller-gen.kubebuilder.io/version: v0.5.0 | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: constraintpodstatuses.status.gatekeeper.sh | |
spec: | |
group: status.gatekeeper.sh | |
names: | |
kind: ConstraintPodStatus | |
listKind: ConstraintPodStatusList | |
plural: constraintpodstatuses | |
singular: constraintpodstatus | |
scope: Namespaced | |
versions: | |
- name: v1beta1 | |
schema: | |
openAPIV3Schema: | |
description: ConstraintPodStatus is the Schema for the constraintpodstatuses API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
status: | |
description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus | |
properties: | |
constraintUID: | |
description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch | |
type: string | |
enforced: | |
type: boolean | |
errors: | |
items: | |
description: Error represents a single error caught while adding a constraint to OPA | |
properties: | |
code: | |
type: string | |
location: | |
type: string | |
message: | |
type: string | |
required: | |
- code | |
- message | |
type: object | |
type: array | |
id: | |
type: string | |
observedGeneration: | |
format: int64 | |
type: integer | |
operations: | |
items: | |
type: string | |
type: array | |
type: object | |
type: object | |
served: true | |
storage: true | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: apiextensions.k8s.io/v1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
controller-gen.kubebuilder.io/version: v0.5.0 | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: constrainttemplatepodstatuses.status.gatekeeper.sh | |
spec: | |
group: status.gatekeeper.sh | |
names: | |
kind: ConstraintTemplatePodStatus | |
listKind: ConstraintTemplatePodStatusList | |
plural: constrainttemplatepodstatuses | |
singular: constrainttemplatepodstatus | |
scope: Namespaced | |
versions: | |
- name: v1beta1 | |
schema: | |
openAPIV3Schema: | |
description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
status: | |
description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus | |
properties: | |
errors: | |
items: | |
description: CreateCRDError represents a single error caught during parsing, compiling, etc. | |
properties: | |
code: | |
type: string | |
location: | |
type: string | |
message: | |
type: string | |
required: | |
- code | |
- message | |
type: object | |
type: array | |
id: | |
description: 'Important: Run "make" to regenerate code after modifying this file' | |
type: string | |
observedGeneration: | |
format: int64 | |
type: integer | |
operations: | |
items: | |
type: string | |
type: array | |
templateUID: | |
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. | |
type: string | |
type: object | |
type: object | |
served: true | |
storage: true | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: apiextensions.k8s.io/v1 | |
kind: CustomResourceDefinition | |
metadata: | |
annotations: | |
controller-gen.kubebuilder.io/version: v0.5.0 | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: constrainttemplates.templates.gatekeeper.sh | |
spec: | |
group: templates.gatekeeper.sh | |
names: | |
kind: ConstraintTemplate | |
listKind: ConstraintTemplateList | |
plural: constrainttemplates | |
singular: constrainttemplate | |
scope: Cluster | |
versions: | |
- name: v1alpha1 | |
schema: | |
openAPIV3Schema: | |
description: ConstraintTemplate is the Schema for the constrainttemplates API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
spec: | |
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate | |
properties: | |
crd: | |
properties: | |
spec: | |
properties: | |
names: | |
properties: | |
kind: | |
type: string | |
shortNames: | |
items: | |
type: string | |
type: array | |
type: object | |
validation: | |
properties: | |
openAPIV3Schema: | |
type: object | |
x-kubernetes-preserve-unknown-fields: true | |
type: object | |
type: object | |
type: object | |
targets: | |
items: | |
properties: | |
libs: | |
items: | |
type: string | |
type: array | |
rego: | |
type: string | |
target: | |
type: string | |
type: object | |
type: array | |
type: object | |
status: | |
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate | |
properties: | |
byPod: | |
items: | |
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller | |
properties: | |
errors: | |
items: | |
description: CreateCRDError represents a single error caught during parsing, compiling, etc. | |
properties: | |
code: | |
type: string | |
location: | |
type: string | |
message: | |
type: string | |
required: | |
- code | |
- message | |
type: object | |
type: array | |
id: | |
description: a unique identifier for the pod that wrote the status | |
type: string | |
observedGeneration: | |
format: int64 | |
type: integer | |
type: object | |
x-kubernetes-preserve-unknown-fields: true | |
type: array | |
created: | |
type: boolean | |
type: object | |
type: object | |
served: true | |
storage: false | |
subresources: | |
status: {} | |
- name: v1beta1 | |
schema: | |
openAPIV3Schema: | |
description: ConstraintTemplate is the Schema for the constrainttemplates API | |
properties: | |
apiVersion: | |
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | |
type: string | |
kind: | |
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | |
type: string | |
metadata: | |
type: object | |
spec: | |
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate | |
properties: | |
crd: | |
properties: | |
spec: | |
properties: | |
names: | |
properties: | |
kind: | |
type: string | |
shortNames: | |
items: | |
type: string | |
type: array | |
type: object | |
validation: | |
properties: | |
openAPIV3Schema: | |
type: object | |
x-kubernetes-preserve-unknown-fields: true | |
type: object | |
type: object | |
type: object | |
targets: | |
items: | |
properties: | |
libs: | |
items: | |
type: string | |
type: array | |
rego: | |
type: string | |
target: | |
type: string | |
type: object | |
type: array | |
type: object | |
status: | |
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate | |
properties: | |
byPod: | |
items: | |
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller | |
properties: | |
errors: | |
items: | |
description: CreateCRDError represents a single error caught during parsing, compiling, etc. | |
properties: | |
code: | |
type: string | |
location: | |
type: string | |
message: | |
type: string | |
required: | |
- code | |
- message | |
type: object | |
type: array | |
id: | |
description: a unique identifier for the pod that wrote the status | |
type: string | |
observedGeneration: | |
format: int64 | |
type: integer | |
type: object | |
x-kubernetes-preserve-unknown-fields: true | |
type: array | |
created: | |
type: boolean | |
type: object | |
type: object | |
served: true | |
storage: true | |
subresources: | |
status: {} | |
status: | |
acceptedNames: | |
kind: "" | |
plural: "" | |
conditions: [] | |
storedVersions: [] | |
--- | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-admin | |
namespace: gatekeeper-system | |
--- | |
apiVersion: policy/v1beta1 | |
kind: PodSecurityPolicy | |
metadata: | |
annotations: | |
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-admin | |
spec: | |
allowPrivilegeEscalation: false | |
fsGroup: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
requiredDropCapabilities: | |
- ALL | |
runAsUser: | |
rule: MustRunAsNonRoot | |
seLinux: | |
rule: RunAsAny | |
supplementalGroups: | |
ranges: | |
- max: 65535 | |
min: 1 | |
rule: MustRunAs | |
volumes: | |
- configMap | |
- projected | |
- secret | |
- downwardAPI | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: Role | |
metadata: | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-role | |
namespace: gatekeeper-system | |
rules: | |
- apiGroups: | |
- "" | |
resources: | |
- events | |
verbs: | |
- create | |
- patch | |
- apiGroups: | |
- "" | |
resources: | |
- secrets | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRole | |
metadata: | |
creationTimestamp: null | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-role | |
rules: | |
- apiGroups: | |
- '*' | |
resources: | |
- '*' | |
verbs: | |
- get | |
- list | |
- watch | |
- apiGroups: | |
- apiextensions.k8s.io | |
resources: | |
- customresourcedefinitions | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- config.gatekeeper.sh | |
resources: | |
- configs | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- config.gatekeeper.sh | |
resources: | |
- configs/status | |
verbs: | |
- get | |
- patch | |
- update | |
- apiGroups: | |
- constraints.gatekeeper.sh | |
resources: | |
- '*' | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- mutations.gatekeeper.sh | |
resources: | |
- '*' | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- policy | |
resourceNames: | |
- gatekeeper-admin | |
resources: | |
- podsecuritypolicies | |
verbs: | |
- use | |
- apiGroups: | |
- status.gatekeeper.sh | |
resources: | |
- '*' | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- templates.gatekeeper.sh | |
resources: | |
- constrainttemplates | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
- apiGroups: | |
- templates.gatekeeper.sh | |
resources: | |
- constrainttemplates/finalizers | |
verbs: | |
- delete | |
- get | |
- patch | |
- update | |
- apiGroups: | |
- templates.gatekeeper.sh | |
resources: | |
- constrainttemplates/status | |
verbs: | |
- get | |
- patch | |
- update | |
- apiGroups: | |
- admissionregistration.k8s.io | |
resourceNames: | |
- gatekeeper-validating-webhook-configuration | |
resources: | |
- validatingwebhookconfigurations | |
verbs: | |
- create | |
- delete | |
- get | |
- list | |
- patch | |
- update | |
- watch | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: RoleBinding | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-rolebinding | |
namespace: gatekeeper-system | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: Role | |
name: gatekeeper-manager-role | |
subjects: | |
- kind: ServiceAccount | |
name: gatekeeper-admin | |
namespace: gatekeeper-system | |
--- | |
apiVersion: rbac.authorization.k8s.io/v1 | |
kind: ClusterRoleBinding | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-manager-rolebinding | |
roleRef: | |
apiGroup: rbac.authorization.k8s.io | |
kind: ClusterRole | |
name: gatekeeper-manager-role | |
subjects: | |
- kind: ServiceAccount | |
name: gatekeeper-admin | |
namespace: gatekeeper-system | |
--- | |
apiVersion: v1 | |
kind: Secret | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-webhook-server-cert | |
namespace: gatekeeper-system | |
--- | |
apiVersion: v1 | |
kind: Service | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-webhook-service | |
namespace: gatekeeper-system | |
spec: | |
ports: | |
- port: 443 | |
targetPort: 8443 | |
selector: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
--- | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
labels: | |
control-plane: audit-controller | |
gatekeeper.sh/operation: audit | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-audit | |
namespace: gatekeeper-system | |
spec: | |
replicas: 1 | |
selector: | |
matchLabels: | |
control-plane: audit-controller | |
gatekeeper.sh/operation: audit | |
gatekeeper.sh/system: "yes" | |
template: | |
metadata: | |
annotations: | |
container.seccomp.security.alpha.kubernetes.io/manager: runtime/default | |
labels: | |
control-plane: audit-controller | |
gatekeeper.sh/operation: audit | |
gatekeeper.sh/system: "yes" | |
spec: | |
automountServiceAccountToken: true | |
containers: | |
- args: | |
- --operation=audit | |
- --operation=status | |
- --logtostderr | |
command: | |
- /manager | |
env: | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.name | |
image: openpolicyagent/gatekeeper:v3.5.1 | |
imagePullPolicy: Always | |
livenessProbe: | |
httpGet: | |
path: /healthz | |
port: 9090 | |
name: manager | |
ports: | |
- containerPort: 8888 | |
name: metrics | |
protocol: TCP | |
- containerPort: 9090 | |
name: healthz | |
protocol: TCP | |
readinessProbe: | |
httpGet: | |
path: /readyz | |
port: 9090 | |
resources: | |
limits: | |
cpu: 1000m | |
memory: 512Mi | |
requests: | |
cpu: 100m | |
memory: 256Mi | |
securityContext: | |
allowPrivilegeEscalation: false | |
capabilities: | |
drop: | |
- all | |
readOnlyRootFilesystem: true | |
runAsGroup: 999 | |
runAsNonRoot: true | |
runAsUser: 1000 | |
nodeSelector: | |
kubernetes.io/os: linux | |
priorityClassName: system-cluster-critical | |
serviceAccountName: gatekeeper-admin | |
terminationGracePeriodSeconds: 60 | |
--- | |
apiVersion: apps/v1 | |
kind: Deployment | |
metadata: | |
labels: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-controller-manager | |
namespace: gatekeeper-system | |
annotations: | |
kapp.k14s.io/change-group: "deployment" | |
spec: | |
replicas: 3 | |
selector: | |
matchLabels: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
template: | |
metadata: | |
annotations: | |
container.seccomp.security.alpha.kubernetes.io/manager: runtime/default | |
labels: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
spec: | |
affinity: | |
podAntiAffinity: | |
preferredDuringSchedulingIgnoredDuringExecution: | |
- podAffinityTerm: | |
labelSelector: | |
matchExpressions: | |
- key: gatekeeper.sh/operation | |
operator: In | |
values: | |
- webhook | |
topologyKey: kubernetes.io/hostname | |
weight: 100 | |
automountServiceAccountToken: true | |
containers: | |
- args: | |
- --port=8443 | |
- --logtostderr | |
- --exempt-namespace=gatekeeper-system | |
- --operation=webhook | |
command: | |
- /manager | |
env: | |
- name: POD_NAMESPACE | |
valueFrom: | |
fieldRef: | |
apiVersion: v1 | |
fieldPath: metadata.namespace | |
- name: POD_NAME | |
valueFrom: | |
fieldRef: | |
fieldPath: metadata.name | |
image: openpolicyagent/gatekeeper:v3.5.1 | |
imagePullPolicy: Always | |
livenessProbe: | |
httpGet: | |
path: /healthz | |
port: 9090 | |
name: manager | |
ports: | |
- containerPort: 8443 | |
name: webhook-server | |
protocol: TCP | |
- containerPort: 8888 | |
name: metrics | |
protocol: TCP | |
- containerPort: 9090 | |
name: healthz | |
protocol: TCP | |
readinessProbe: | |
httpGet: | |
path: /readyz | |
port: 9090 | |
resources: | |
limits: | |
cpu: 1000m | |
memory: 512Mi | |
requests: | |
cpu: 100m | |
memory: 256Mi | |
securityContext: | |
allowPrivilegeEscalation: false | |
capabilities: | |
drop: | |
- all | |
readOnlyRootFilesystem: true | |
runAsGroup: 999 | |
runAsNonRoot: true | |
runAsUser: 1000 | |
volumeMounts: | |
- mountPath: /certs | |
name: cert | |
readOnly: true | |
nodeSelector: | |
kubernetes.io/os: linux | |
priorityClassName: system-cluster-critical | |
serviceAccountName: gatekeeper-admin | |
terminationGracePeriodSeconds: 60 | |
volumes: | |
- name: cert | |
secret: | |
defaultMode: 420 | |
secretName: gatekeeper-webhook-server-cert | |
--- | |
apiVersion: policy/v1beta1 | |
kind: PodDisruptionBudget | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-controller-manager | |
namespace: gatekeeper-system | |
spec: | |
minAvailable: 1 | |
selector: | |
matchLabels: | |
control-plane: controller-manager | |
gatekeeper.sh/operation: webhook | |
gatekeeper.sh/system: "yes" | |
--- | |
apiVersion: admissionregistration.k8s.io/v1 | |
kind: ValidatingWebhookConfiguration | |
metadata: | |
labels: | |
gatekeeper.sh/system: "yes" | |
name: gatekeeper-validating-webhook-configuration | |
annotations: | |
kapp.k14s.io/change-rule: "upsert after upserting ns" | |
webhooks: | |
- admissionReviewVersions: | |
- v1 | |
- v1beta1 | |
clientConfig: | |
service: | |
name: gatekeeper-webhook-service | |
namespace: gatekeeper-system | |
path: /v1/admit | |
failurePolicy: Ignore | |
matchPolicy: Exact | |
name: validation.gatekeeper.sh | |
namespaceSelector: | |
matchExpressions: | |
- key: admission.gatekeeper.sh/ignore | |
operator: DoesNotExist | |
rules: | |
- apiGroups: | |
- '*' | |
apiVersions: | |
- '*' | |
operations: | |
- CREATE | |
- UPDATE | |
resources: | |
- '*' | |
sideEffects: None | |
timeoutSeconds: 3 | |
- admissionReviewVersions: | |
- v1 | |
- v1beta1 | |
clientConfig: | |
service: | |
name: gatekeeper-webhook-service | |
namespace: gatekeeper-system | |
path: /v1/admitlabel | |
failurePolicy: Fail | |
matchPolicy: Exact | |
name: check-ignore-label.gatekeeper.sh | |
rules: | |
- apiGroups: | |
- "" | |
apiVersions: | |
- '*' | |
operations: | |
- CREATE | |
- UPDATE | |
resources: | |
- namespaces | |
sideEffects: None | |
timeoutSeconds: 3 | |
--- | |
apiVersion: templates.gatekeeper.sh/v1beta1 | |
kind: ConstraintTemplate | |
metadata: | |
name: k8srequiredlabels | |
annotations: | |
kapp.k14s.io/change-rule: "upsert after upserting deployment" | |
spec: | |
crd: | |
spec: | |
names: | |
kind: K8sRequiredLabels | |
validation: | |
# Schema for the `parameters` field | |
openAPIV3Schema: | |
properties: | |
labels: | |
type: array | |
items: string | |
targets: | |
- target: admission.k8s.gatekeeper.sh | |
rego: | | |
package k8srequiredlabels | |
violation[{"msg": msg, "details": {"missing_labels": missing}}] { | |
provided := {label | input.review.object.metadata.labels[label]} | |
required := {label | label := input.parameters.labels[_]} | |
missing := required - provided | |
count(missing) > 0 | |
msg := sprintf("you must provide labels: %v", [missing]) | |
} | |
--- | |
apiVersion: apiextensions.k8s.io/v1 | |
kind: CustomResourceDefinition | |
metadata: | |
name: k8srequiredlabels.constraints.gatekeeper.sh | |
annotations: | |
kapp.k14s.io/exists: "" | |
kapp.k14s.io/change-rule: "upsert after upserting deployment" | |
spec: | |
group: constraints.gatekeeper.sh | |
versions: | |
- name: v1beta1 | |
names: | |
kind: K8sRequiredLabels | |
--- | |
apiVersion: constraints.gatekeeper.sh/v1beta1 | |
kind: K8sRequiredLabels | |
metadata: | |
name: ns-must-have-gk | |
spec: | |
match: | |
kinds: | |
- apiGroups: [""] | |
kinds: ["Namespace"] | |
parameters: | |
labels: ["gatekeeper"] | |
--- | |
apiVersion: templates.gatekeeper.sh/v1beta1 | |
kind: ConstraintTemplate | |
metadata: | |
name: k8spspprivilegedcontainer | |
annotations: | |
description: Controls running of privileged containers. | |
kapp.k14s.io/change-rule: "upsert after upserting deployment" | |
spec: | |
crd: | |
spec: | |
names: | |
kind: K8sPSPPrivilegedContainer | |
targets: | |
- target: admission.k8s.gatekeeper.sh | |
rego: | | |
package k8spspprivileged | |
violation[{"msg": msg, "details": {}}] { | |
c := input_containers[_] | |
c.securityContext.privileged | |
msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext]) | |
} | |
input_containers[c] { | |
c := input.review.object.spec.containers[_] | |
} | |
input_containers[c] { | |
c := input.review.object.spec.initContainers[_] | |
} | |
--- | |
apiVersion: apiextensions.k8s.io/v1 | |
kind: CustomResourceDefinition | |
metadata: | |
name: k8spspprivilegedcontainer.constraints.gatekeeper.sh | |
annotations: | |
kapp.k14s.io/exists: "" | |
kapp.k14s.io/change-rule: "upsert after upserting deployment" | |
spec: | |
group: constraints.gatekeeper.sh | |
versions: | |
- name: v1beta1 | |
names: | |
kind: K8sPSPPrivilegedContainer | |
--- | |
apiVersion: constraints.gatekeeper.sh/v1beta1 | |
kind: K8sPSPPrivilegedContainer | |
metadata: | |
name: psp-privileged-container | |
spec: | |
match: | |
kinds: | |
- apiGroups: [""] | |
kinds: ["Pod"] | |
excludedNamespaces: ["kube-system"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment