From 6655457f38bba5de03197dc61bda4f6b9cf76925 Mon Sep 17 00:00:00 2001 From: Yi Rae Kim Date: Tue, 21 Nov 2023 10:48:15 -0500 Subject: [PATCH] Upgrade Gatekeeper image to v3.14.0 
Signed-off-by: Yi Rae Kim --- .github/workflows/ci_tests.yaml | 4 +- .github/workflows/olm_tests.yaml | 2 +- .gitignore | 3 +- Makefile | 7 +- REPLACES_VERSION | 2 +- VERSION | 2 +- api/v1alpha1/gatekeeper_types.go | 12 + api/v1alpha1/zz_generated.deepcopy.go | 10 + bundle.Dockerfile | 2 +- ...keeper-operator.clusterserviceversion.yaml | 27 +- .../operator.gatekeeper.sh_gatekeepers.yaml | 10 + bundle/metadata/annotations.yaml | 2 +- .../operator.gatekeeper.sh_gatekeepers.yaml | 10 + ...nition_assign.mutations.gatekeeper.sh.yaml | 18 +- ...n_assignimage.mutations.gatekeeper.sh.yaml | 332 ++++++++ ...ssignmetadata.mutations.gatekeeper.sh.yaml | 24 +- ...finition_configs.config.gatekeeper.sh.yaml | 2 +- ...ainttemplates.templates.gatekeeper.sh.yaml | 66 +- ...nsiontemplate.expansion.gatekeeper.sh.yaml | 149 ++++ ...platepodstatuses.status.gatekeeper.sh.yaml | 73 ++ ...ion_modifyset.mutations.gatekeeper.sh.yaml | 18 +- ..._providers.externaldata.gatekeeper.sh.yaml | 10 +- .../apps_v1_deployment_gatekeeper-audit.yaml | 2 +- ...loyment_gatekeeper-controller-manager.yaml | 2 +- config/gatekeeper/kustomization.yaml | 2 + ...1_clusterrole_gatekeeper-manager-role.yaml | 19 + config/manager/kustomization.yaml | 2 +- config/manager/manager.yaml | 2 +- config/rbac/role.yaml | 13 + config/samples/gatekeeper_e2e_test.yaml | 4 +- .../samples/gatekeeper_with_all_values.yaml | 2 +- controllers/gatekeeper_controller.go | 107 ++- controllers/gatekeeper_controller_test.go | 85 +- deploy/gatekeeper-operator.yaml | 4 +- docs/upgrading-gatekeeper.md | 13 +- pkg/bindata/bindata.go | 755 +++++++++++++++++- 36 files changed, 1644 insertions(+), 153 deletions(-) create mode 100644 config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml create mode 100644 config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml 
diff --git a/.github/workflows/ci_tests.yaml b/.github/workflows/ci_tests.yaml index c9eb73ec..48206966 100644 --- a/.github/workflows/ci_tests.yaml +++ b/.github/workflows/ci_tests.yaml @@ -130,7 +130,7 @@ jobs: - name: Set Up Environment Variables run: | - GATEKEEPER_VERSION=$(awk '/^GATEKEEPER_VERSION/ {print $3}' Makefile) + GATEKEEPER_VERSION=v$(cut -d '-' -f 1 VERSION) echo "GATEKEEPER_VERSION=${GATEKEEPER_VERSION}" >> ${GITHUB_ENV} # Checkout a local copy of Gatekeeper to use its bats e2e tests. @@ -145,7 +145,7 @@ jobs: # TODO: gatekeeper-operator does not --log-mutations nor --mutation-annotations - name: Remove unhandled gatekeeper bats tests run: | - sed -i -e '67,71d;80,83d' /home/runner/work/gatekeeper-operator/gatekeeper-operator/gatekeeper/test/bats/test.bats + sed -i -e '67,73d;82,85d' /home/runner/work/gatekeeper-operator/gatekeeper-operator/gatekeeper/test/bats/test.bats - name: Gatekeeper E2E Tests run: | diff --git a/.github/workflows/olm_tests.yaml b/.github/workflows/olm_tests.yaml index 9e4b6890..51e2f688 100644 --- a/.github/workflows/olm_tests.yaml +++ b/.github/workflows/olm_tests.yaml @@ -44,7 +44,7 @@ jobs: REGISTRY_PORT=5000 REPO=localhost:${REGISTRY_PORT} IMG=${REPO}/gatekeeper-operator:${GITHUB_SHA} - PREV_BUNDLE_INDEX_IMG=quay.io/gatekeeper/gatekeeper-operator-bundle-index:$(cat REPLACES_VERSION) + PREV_BUNDLE_INDEX_IMG=quay.io/gatekeeper/gatekeeper-operator-bundle-index:v$(cat REPLACES_VERSION) make build-and-push-bundle-images IMG=${IMG} REPO=${REPO} VERSION=${GITHUB_SHA} OPERATOR_VERSION=$(cat VERSION) - name: Deploy OLM diff --git a/.gitignore b/.gitignore index ec136637..c9f311fb 100644 --- a/.gitignore +++ b/.gitignore @@ -20,4 +20,5 @@ testbin/* ci-tools/ -.vscode/* +.vscode/ +gatekeeper/ diff --git a/Makefile b/Makefile index 57669adc..79ca794c 100644 --- a/Makefile +++ b/Makefile 
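Review bot: `GATEKEEPER_VERSION=v$(cut -d '-' -f 1 VERSION)` hard-wires the assumption that the operator's VERSION (minus any pre-release suffix) is always an existing upstream Gatekeeper tag; the Makefile `import-manifests` hunk makes the same assumption for `git clone --branch`, and nothing checks it, so an operator-only patch release would break both the bats checkout and the manifest import with a bare git error. Worth recording the invariant next to where the value is computed, e.g. `# The operator is versioned in lock-step with Gatekeeper: VERSION (without pre-release suffix) must be an upstream gatekeeper tag.` If the lock-step is intended, a `git ls-remote --tags` check before the checkout would turn the failure into an explicit one; docs/upgrading-gatekeeper.md is changed in this commit but not shown here, so it may already say this.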
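Review bot: The replacement ranges `67,73d;82,85d` delete upstream bats tests by line position, so the step keeps passing silently if a later Gatekeeper bump shifts test.bats and the wrong tests are removed, or a real failure is cut out. Because the checkout is pinned to GATEKEEPER_VERSION the ranges are deterministic, but nothing in the step shows what was dropped; printing them first, `sed -n '67,73p;82,85p' /home/runner/work/gatekeeper-operator/gatekeeper-operator/gatekeeper/test/bats/test.bats`, makes a stale range visible in the job log, and a `grep -q` for the expected test names before the `-i` edit would fail loudly instead. The TODO above already names the two unsupported flags; naming the deleted test cases beside the ranges would tie the two together for the next upgrade.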
@@ -146,7 +146,7 @@ tidy: ## Run go mod tidy .PHONY: test test: manifests generate fmt vet envtest ## Run tests. - KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" GOFLAGS=$(GOFLAGS) go test $(go list ./... | grep -v /test/) -coverprofile cover.out + KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" GOFLAGS=$(GOFLAGS) go test $$(go list ./... | grep -v /test/) -coverprofile cover.out .PHONY: test-e2e test-e2e: e2e-dependencies generate fmt vet ## Run e2e tests, using the configured Kubernetes cluster in ~/.kube/config @@ -375,7 +375,7 @@ TMP_IMPORT_MANIFESTS_PATH := $(shell mktemp -d) .PHONY: import-manifests import-manifests: kustomize if [[ $(IMPORT_MANIFESTS_PATH) =~ https://* ]]; then \ - git clone --branch $(GATEKEEPER_VERSION) $(IMPORT_MANIFESTS_PATH) $(TMP_IMPORT_MANIFESTS_PATH) ; \ + git clone --branch v$(shell cut -d '-' -f 1 VERSION) $(IMPORT_MANIFESTS_PATH) $(TMP_IMPORT_MANIFESTS_PATH) ; \ cd $(TMP_IMPORT_MANIFESTS_PATH) && make patch-image ; \ $(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone $(TMP_IMPORT_MANIFESTS_PATH)/config/default -o $(MAKEFILE_DIR)/$(GATEKEEPER_MANIFEST_DIR); \ rm -rf "$${TMP_IMPORT_MANIFESTS_PATH}" ; \ @@ -443,9 +443,6 @@ $(OPERATOR_SDK): curl -L $(OPERATOR_SDK_URL) -o $(OPERATOR_SDK) || (echo "curl returned $$? trying to fetch operator-sdk"; exit 1) chmod +x $(OPERATOR_SDK) -# Current Gatekeeper version -GATEKEEPER_VERSION ?= v3.11.1 - # Default bundle index image tag BUNDLE_INDEX_IMG ?= $(IMAGE_TAG_BASE)-bundle-index:v$(VERSION) # Default previous bundle index image tag diff --git a/REPLACES_VERSION b/REPLACES_VERSION index a53741c0..7a826566 100644 --- a/REPLACES_VERSION +++ b/REPLACES_VERSION @@ -1 +1 @@ -0.2.6 \ No newline at end of file +3.11.1 \ No newline at end of file diff --git a/VERSION b/VERSION index 7a826566..12566ed7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.11.1 \ No newline at end of file +3.14.0 \ No newline at end of file 
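Review bot: Replacing `$(GATEKEEPER_VERSION)` with an inline `v$(shell cut -d '-' -f 1 VERSION)` on the `git clone --branch` line, together with dropping the `GATEKEEPER_VERSION ?=` default in the `@@ -443` hunk, removes the command-line override, so importing manifests from any tag other than the one matching VERSION (a release candidate, or a comparison during an upgrade) now requires editing the Makefile. Keeping one overridable definition, `GATEKEEPER_VERSION ?= v$(shell cut -d '-' -f 1 VERSION)`, and cloning with `--branch $(GATEKEEPER_VERSION)` preserves the new default without that loss. Separately, the unchanged cleanup line `rm -rf "$${TMP_IMPORT_MANIFESTS_PATH}"` hands a shell variable of that name to the shell rather than the Make variable, so unless it is exported elsewhere in the file the mktemp directory is never removed; `rm -rf "$(TMP_IMPORT_MANIFESTS_PATH)"` appears to be what the recipe intends.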
diff --git a/api/v1alpha1/gatekeeper_types.go b/api/v1alpha1/gatekeeper_types.go index a77c8aee..dbc12a01 100644 --- a/api/v1alpha1/gatekeeper_types.go +++ b/api/v1alpha1/gatekeeper_types.go @@ -103,6 +103,8 @@ type AuditConfig struct { // +optional EmitAuditEvents *EmitEventsMode `json:"emitAuditEvents,omitempty"` // +optional + AuditEventsInvolvedNamespace *EventsInvolvedNsMode `json:"auditEventsInvolvedNamespace,omitempty"` + // +optional Resources *corev1.ResourceRequirements `json:"resources,omitempty"` } @@ -123,6 +125,8 @@ type WebhookConfig struct { // +optional EmitAdmissionEvents *EmitEventsMode `json:"emitAdmissionEvents,omitempty"` // +optional + AdmissionEventsInvolvedNamespace *EventsInvolvedNsMode `json:"admissionEventsInvolvedNamespace,omitempty"` + // +optional FailurePolicy *admregv1.FailurePolicyType `json:"failurePolicy,omitempty"` // +optional NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"` @@ -159,6 +163,14 @@ const ( EmitEventsDisabled EmitEventsMode = "Disabled" ) +// +kubebuilder:validation:Enum:=Enabled;Disabled +type EventsInvolvedNsMode string + +const ( + EventsInvolvedNsModeEnabled EventsInvolvedNsMode = "Enabled" + EventsInvolvedNsModeDisabled EventsInvolvedNsMode = "Disabled" +) + // GatekeeperStatus defines the observed state of Gatekeeper type GatekeeperStatus struct { // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 94565a92..b66df06a 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
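Review bot: The new fields `AuditEventsInvolvedNamespace` and `AdmissionEventsInvolvedNamespace`, and the `EventsInvolvedNsMode` type, carry only `+optional`/enum markers and no doc comment, which is why the regenerated CRD schema in this commit (the `operator.gatekeeper.sh_gatekeepers.yaml` hunks) has no `description` for them, unlike the neighbouring `auditFromCache`. A one-line comment on each field saying what `Enabled` changes is what a user of `kubectl explain gatekeeper.spec.audit` will see; from the names it presumably selects the namespace in which Gatekeeper records its audit or admission events via a gatekeeper flag wired up in controllers/gatekeeper_controller.go (changed in this commit but not shown), so confirm the wording against that code before adding it. The constants mirror `EmitEventsMode`, so a matching type comment, e.g. `// EventsInvolvedNsMode toggles whether Gatekeeper events are recorded in the involved object's namespace.`, keeps the file's existing style.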
@@ -66,6 +66,11 @@ func (in *AuditConfig) DeepCopyInto(out *AuditConfig) { *out = new(EmitEventsMode) **out = **in } + if in.AuditEventsInvolvedNamespace != nil { + in, out := &in.AuditEventsInvolvedNamespace, &out.AuditEventsInvolvedNamespace + *out = new(EventsInvolvedNsMode) + **out = **in + } if in.Resources != nil { in, out := &in.Resources, &out.Resources *out = new(v1.ResourceRequirements) @@ -297,6 +302,11 @@ func (in *WebhookConfig) DeepCopyInto(out *WebhookConfig) { *out = new(EmitEventsMode) **out = **in } + if in.AdmissionEventsInvolvedNamespace != nil { + in, out := &in.AdmissionEventsInvolvedNamespace, &out.AdmissionEventsInvolvedNamespace + *out = new(EventsInvolvedNsMode) + **out = **in + } if in.FailurePolicy != nil { in, out := &in.FailurePolicy, &out.FailurePolicy *out = new(admissionregistrationv1.FailurePolicyType) diff --git a/bundle.Dockerfile b/bundle.Dockerfile index d1529197..0f2fa494 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -5,7 +5,7 @@ LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=gatekeeper-operator -LABEL operators.operatorframework.io.bundle.channels.v1=stable,3.11 +LABEL operators.operatorframework.io.bundle.channels.v1=stable,3.14 LABEL operators.operatorframework.io.bundle.channel.default.v1=stable LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.31.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 diff --git a/bundle/manifests/gatekeeper-operator.clusterserviceversion.yaml b/bundle/manifests/gatekeeper-operator.clusterserviceversion.yaml index da5d808b..4f057f5a 100644 --- a/bundle/manifests/gatekeeper-operator.clusterserviceversion.yaml +++ b/bundle/manifests/gatekeeper-operator.clusterserviceversion.yaml 
@@ -16,10 +16,10 @@ metadata: } ] capabilities: Basic Install - olm.skipRange: "<3.11.0" + olm.skipRange: "<3.14.0" operators.operatorframework.io/builder: operator-sdk-v1.31.0 operators.operatorframework.io/project_layout: go.kubebuilder.io/v3 - name: gatekeeper-operator.v3.11.1 + name: gatekeeper-operator.v3.14.0 namespace: placeholder spec: apiservicedefinitions: {} @@ -196,6 +196,7 @@ spec: - apiGroups: - "" resources: + - events - namespaces verbs: - create @@ -205,6 +206,18 @@ spec: - patch - update - watch + - apiGroups: + - expansion.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - externaldata.gatekeeper.sh resources: @@ -377,8 +390,8 @@ spec: - /manager env: - name: RELATED_IMAGE_GATEKEEPER - value: openpolicyagent/gatekeeper:v3.11.1 - image: quay.io/gatekeeper/gatekeeper-operator:v3.11.1 + value: openpolicyagent/gatekeeper:v3.14.0 + image: quay.io/gatekeeper/gatekeeper-operator:v3.14.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -514,7 +527,7 @@ spec: provider: name: Red Hat relatedImages: - - image: openpolicyagent/gatekeeper:v3.11.1 + - image: openpolicyagent/gatekeeper:v3.14.0 name: gatekeeper - replaces: gatekeeper-operator.v0.2.6 - version: "3.11.1" + replaces: gatekeeper-operator.v3.11.1 + version: "3.14.0" diff --git a/bundle/manifests/operator.gatekeeper.sh_gatekeepers.yaml b/bundle/manifests/operator.gatekeeper.sh_gatekeepers.yaml index 08e0edb4..d72c0a3a 100644 --- a/bundle/manifests/operator.gatekeeper.sh_gatekeepers.yaml +++ b/bundle/manifests/operator.gatekeeper.sh_gatekeepers.yaml @@ -863,6 +863,11 @@ spec: format: int64 minimum: 0 type: integer + auditEventsInvolvedNamespace: + enum: + - Enabled + - Disabled + type: string auditFromCache: description: Setting Automatic lets the Gatekeeper operator manage syncOnly in the config resource. It is not recommended to use 
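Review bot: The new `expansion.gatekeeper.sh` rule grants every verb on `resources: '*'`, which is wider than the single CRD this commit adds for that group (the new file is named `expansiontemplate.expansion.gatekeeper.sh`, so the plural appears to be `expansiontemplate`); if the operator holds these permissions only so it is allowed to grant them in the Gatekeeper manager ClusterRole, listing the resource explicitly keeps the operator's own role at least-privilege. This CSV is generated, so the change belongs at the kubebuilder RBAC marker in the controller (config/rbac/role.yaml is updated in the same commit), with `- expansiontemplate` in place of `- '*'`. If the adjacent gatekeeper.sh group rules, such as the `externaldata.gatekeeper.sh` entry cut off at the end of this hunk, already use `'*'`, the wildcard is at least consistent with them, but that is worth a deliberate decision rather than inheritance.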
@@ -1021,6 +1026,11 @@ spec: type: string webhook: properties: + admissionEventsInvolvedNamespace: + enum: + - Enabled + - Disabled + type: string disabledBuiltins: items: type: string diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index b036cc96..020c3644 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -4,7 +4,7 @@ annotations: operators.operatorframework.io.bundle.manifests.v1: manifests/ operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: gatekeeper-operator - operators.operatorframework.io.bundle.channels.v1: "stable,3.11" + operators.operatorframework.io.bundle.channels.v1: "stable,3.14" operators.operatorframework.io.bundle.channel.default.v1: stable operators.operatorframework.io.metrics.builder: operator-sdk-v1.31.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 diff --git a/config/crd/bases/operator.gatekeeper.sh_gatekeepers.yaml b/config/crd/bases/operator.gatekeeper.sh_gatekeepers.yaml index c7f323dd..cfcbe97f 100644 --- a/config/crd/bases/operator.gatekeeper.sh_gatekeepers.yaml +++ b/config/crd/bases/operator.gatekeeper.sh_gatekeepers.yaml @@ -863,6 +863,11 @@ spec: format: int64 minimum: 0 type: integer + auditEventsInvolvedNamespace: + enum: + - Enabled + - Disabled + type: string auditFromCache: description: Setting Automatic lets the Gatekeeper operator manage syncOnly in the config resource. It is not recommended to use @@ -1021,6 +1026,11 @@ spec: type: string webhook: properties: + admissionEventsInvolvedNamespace: + enum: + - Enabled + - Disabled + type: string disabledBuiltins: items: type: string diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml index 1743b4c7..e1c6c3f0 100644 
--- a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml @@ -85,7 +85,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -164,7 +164,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -223,7 +223,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -432,7 +432,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -511,7 +511,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -570,7 +570,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -779,7 +779,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -858,7 +858,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -917,7 +917,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: 
diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml new file mode 100644 index 00000000..f9b07b45 --- /dev/null +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml 
@@ -0,0 +1,332 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds + a mutation will be applied to. This is necessary because every mutation + implies part of an object schema and object schemas are associated + with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should + apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: + `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined match + criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. + If defined, a constraint only applies to resources not in a + listed namespace. ExcludedNamespaces also supports a prefix + or suffix based glob. For example, `excludedNamespaces: [kube-*]` + matches both `kube-system` and `kube-public`, and `excludedNamespaces: + [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or + end. Ex: "kube-*" will match "kube-system" or "kube-public", + "*-system" will match "kube-system" or "gatekeeper-system". The + asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups + and kinds fields that list the groups/kinds of objects to + which the mutation will apply. If multiple groups/kinds objects + are specified, only one match is needed for the resource to + be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong + to. '*' is all groups. If '*' is present, the length of + the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional + fields: `matchLabels` and `matchExpressions`. 
These two fields + provide different methods of selecting or excluding k8s objects + based on the label keys and values included in object metadata. All + selection expressions from both sections are ANDed to determine + if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will + match against objects with the specified name. Name also supports + a prefix or suffix glob. For example, `name: pod-*` would match + both `pod-a` and `pod-b`, and `name: *-pod` would match both + `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an + object's containing namespace or the object itself, if the object + is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, + a constraint only applies to resources in a listed namespace. Namespaces + also supports a prefix or suffix based glob. For example, `namespaces: + [kube-*]` matches both `kube-system` and `kube-public`, and + `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or + end. 
Ex: "kube-*" will match "kube-system" or "kube-public", + "*-system" will match "kube-system" or "gatekeeper-system". The + asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped + resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. + (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources + are matched. Accepts `Generated`|`Original`|`All` (defaults + to `All`). A value of `Generated` will only match generated + resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image + string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image + string. + type: string + assignTag: + description: AssignImage sets the image component on an image + string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the + mutation works if parent paths are missing. It traverses the + list in order. All sub paths are tested against the provided + condition, if the test fails, the mutation is not applied. + All `subPath` entries must be a prefix of `location`. Any + glob characters will take on the same value as was used to + expand the matching glob in `location`. \n Available Tests: + * MustExist - the path must exist or do not mutate * MustNotExist + - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either + MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of + MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught + while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error + for use by controller code. If not present, the error + should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, + such as when a mutator has been recreated after its CRD was + deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml index 2f460f6a..da1ef765 100644 --- a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml 
@@ -44,7 +44,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. @@ -58,7 +58,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -137,7 +137,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -196,7 +196,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -343,7 +343,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. @@ -357,7 +357,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -436,7 +436,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -495,7 +495,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -642,7 +642,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. @@ -656,7 +656,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -735,7 +735,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -794,7 +794,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_configs.config.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_configs.config.gatekeeper.sh.yaml index a480309d..36c58b00 100644 --- a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_configs.config.gatekeeper.sh.yaml +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_configs.config.gatekeeper.sh.yaml @@ -47,7 +47,7 @@ spec: or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array processes: diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml index cce29c77..84a15873 100644 --- a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml 
@@ -2,7 +2,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh @@ -66,6 +67,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -169,6 +191,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -272,6 +315,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml index a27a83aa..c6d2b257 100644 --- a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml 
@@ -81,6 +81,155 @@ spec: generators, this is usually spec.template type: string type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed + state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after + modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including + UUIDs. Because we don't ONLY use UUIDs, this is an alias + to string. Being a type captures intent and helps make sure + that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object type: object served: true storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds + of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should + apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to + be used for resources matching the ExpansionTemplate. Specifying + an empty value will use the enforcement action specified by the + Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which + the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator + resource to use as the base for expanded resource. For Pod-creating + generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed + state of ExpansionTemplatePodStatus. 
+ properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after + modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including + UUIDs. Because we don't ONLY use UUIDs, this is an alias + to string. Being a type captures intent and helps make sure + that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml new file mode 100644 index 00000000..7732c1d2 --- /dev/null +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ExpansionTemplatePodStatus + listKind: ExpansionTemplatePodStatusList + plural: expansiontemplatepodstatuses + singular: expansiontemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ExpansionTemplatePodStatusStatus defines the observed state + of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying + this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including + UUIDs. 
Because we don't ONLY use UUIDs, this is an alias to string. Being + a type captures intent and helps make sure that UIDs and names do + not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml index 9ec815e8..bcd0b37a 100644 --- a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml @@ -86,7 +86,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -165,7 +165,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -224,7 +224,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: 
@@ -399,7 +399,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -478,7 +478,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -537,7 +537,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -712,7 +712,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -791,7 +791,7 @@ spec: a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -850,7 +850,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: diff --git a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml index 69d3e527..8d1f7b57 100644 --- a/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml +++ b/config/gatekeeper/apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 creationTimestamp: null labels: gatekeeper.sh/system: "yes" @@ -50,12 +50,12 @@ spec: type: integer url: description: URL is the url for the provider. URL is prefixed with - http:// or https://. + https://. type: string type: object type: object served: true - storage: true + storage: false - name: v1beta1 schema: openAPIV3Schema: @@ -86,9 +86,9 @@ spec: type: integer url: description: URL is the url for the provider. URL is prefixed with - http:// or https://. + https://. type: string type: object type: object served: true - storage: false + storage: true diff --git a/config/gatekeeper/apps_v1_deployment_gatekeeper-audit.yaml b/config/gatekeeper/apps_v1_deployment_gatekeeper-audit.yaml index bf395328..430b7453 100644 --- a/config/gatekeeper/apps_v1_deployment_gatekeeper-audit.yaml +++ b/config/gatekeeper/apps_v1_deployment_gatekeeper-audit.yaml 
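Review bot: The two `storage:` flips in providers.externaldata.gatekeeper.sh move the stored version from v1alpha1 to v1beta1, and on a cluster that already holds Provider objects that is a one-way step: the apiserver keeps v1alpha1 in the CRD's status.storedVersions, and any later manifest that drops v1alpha1 from `versions` is rejected until those objects have been rewritten and storedVersions trimmed. The operator presumably re-applies this CRD on reconcile, so the upgrade notes (docs/upgrading-gatekeeper.md is part of this change) should say that v1alpha1 has to stay served until a storage migration has been done. The description change to `https://` only is schema documentation; whatever enforcement exists lives in the Gatekeeper binary, not in this CRD.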
@@ -49,7 +49,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.11.1 + image: openpolicyagent/gatekeeper:v3.14.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/config/gatekeeper/apps_v1_deployment_gatekeeper-controller-manager.yaml b/config/gatekeeper/apps_v1_deployment_gatekeeper-controller-manager.yaml index c5ad4c83..e222eab7 100644 --- a/config/gatekeeper/apps_v1_deployment_gatekeeper-controller-manager.yaml +++ b/config/gatekeeper/apps_v1_deployment_gatekeeper-controller-manager.yaml @@ -61,7 +61,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.11.1 + image: openpolicyagent/gatekeeper:v3.14.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/config/gatekeeper/kustomization.yaml b/config/gatekeeper/kustomization.yaml index 37c393ad..72ed9d85 100644 --- a/config/gatekeeper/kustomization.yaml +++ b/config/gatekeeper/kustomization.yaml @@ -10,6 +10,7 @@ resources: - apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplatepodstatuses.status.gatekeeper.sh.yaml - apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml - apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml +- apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml - apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml - apiextensions.k8s.io_v1_customresourcedefinition_mutatorpodstatuses.status.gatekeeper.sh.yaml - apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml 
@@ -25,6 +26,7 @@ resources: - v1_secret_gatekeeper-webhook-server-cert.yaml - v1_serviceaccount_gatekeeper-admin.yaml - v1_service_gatekeeper-webhook-service.yaml +- apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml # Remove --disable-cert-rotation # Set a CPU limit patches: diff --git a/config/gatekeeper/rbac.authorization.k8s.io_v1_clusterrole_gatekeeper-manager-role.yaml b/config/gatekeeper/rbac.authorization.k8s.io_v1_clusterrole_gatekeeper-manager-role.yaml index 5359564b..0c7e7431 100644 --- a/config/gatekeeper/rbac.authorization.k8s.io_v1_clusterrole_gatekeeper-manager-role.yaml +++ b/config/gatekeeper/rbac.authorization.k8s.io_v1_clusterrole_gatekeeper-manager-role.yaml @@ -6,6 +6,13 @@ metadata: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - '*' resources: @@ -70,6 +77,18 @@ rules: - patch - update - watch +- apiGroups: + - expansion.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - externaldata.gatekeeper.sh resources: diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index c1be22a4..80f69dc7 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -15,4 +15,4 @@ generatorOptions: images: - name: controller newName: quay.io/gatekeeper/gatekeeper-operator - newTag: v3.11.1 + newTag: v3.14.0 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 0de3d097..b2b89224 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -60,6 +60,6 @@ spec: memory: 20Mi env: - name: RELATED_IMAGE_GATEKEEPER - value: openpolicyagent/gatekeeper:v3.11.1 + value: openpolicyagent/gatekeeper:v3.14.0 serviceAccountName: gatekeeper-operator-controller-manager terminationGracePeriodSeconds: 10 
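Review bot: The new `- apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml` entry is appended after `v1_service_gatekeeper-webhook-service.yaml`, while the expansiontemplatepodstatuses entry in the previous hunk went into the alphabetical CRD group at the top of the list. Kustomize does not care about order, but the file is otherwise sorted by kind and name, so move the assignimage line up into that CRD group to keep the list scannable.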
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7888bab8..0409cb4f 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -85,6 +85,7 @@ rules: - apiGroups: - "" resources: + - events - namespaces verbs: - create @@ -94,6 +95,18 @@ rules: - patch - update - watch +- apiGroups: + - expansion.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - externaldata.gatekeeper.sh resources: diff --git a/config/samples/gatekeeper_e2e_test.yaml b/config/samples/gatekeeper_e2e_test.yaml index 02be656a..408f8edb 100644 --- a/config/samples/gatekeeper_e2e_test.yaml +++ b/config/samples/gatekeeper_e2e_test.yaml @@ -5,13 +5,13 @@ metadata: spec: audit: replicas: 1 - logLevel: INFO emitAuditEvents: Enabled + auditEventsInvolvedNamespace: Enabled validatingWebhook: Enabled mutatingWebhook: Enabled webhook: replicas: 3 - logLevel: INFO emitAdmissionEvents: Enabled + admissionEventsInvolvedNamespace: Enabled disabledBuiltins: - http.send diff --git a/config/samples/gatekeeper_with_all_values.yaml b/config/samples/gatekeeper_with_all_values.yaml index 7936693f..7cd40fe9 100644 --- a/config/samples/gatekeeper_with_all_values.yaml +++ b/config/samples/gatekeeper_with_all_values.yaml @@ -4,7 +4,7 @@ metadata: name: gatekeeper spec: image: - image: docker.io/openpolicyagent/gatekeeper:v3.11.1 + image: docker.io/openpolicyagent/gatekeeper:v3.14.0 imagePullPolicy: Always audit: replicas: 1 diff --git a/controllers/gatekeeper_controller.go b/controllers/gatekeeper_controller.go index ae9feb26..50852a43 100644 --- a/controllers/gatekeeper_controller.go +++ b/controllers/gatekeeper_controller.go 
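Review bot: The operator's own role now receives every verb of the namespaces rule for `events` (create, delete, get, list, patch, update, watch, cluster-wide), while the ClusterRole it installs for Gatekeeper in the gatekeeper-manager-role hunk grants only `create` and `patch` on events. RBAC escalation prevention only requires the operator to hold a superset of what it grants, so `create;patch` is sufficient and the extra verbs widen the operator's privileges for no purpose. Because role.yaml is generated from markers, the fix belongs in controllers/gatekeeper_controller.go: leave the namespaces marker as it was and add `// +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch` on its own line, then regenerate the manifest. The `expansion.gatekeeper.sh` rule with `resources: '*'` mirrors the Gatekeeper role being installed, which is the justified case.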
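Review bot: The two `logLevel: INFO` removals in config/samples/gatekeeper_e2e_test.yaml are unrelated to the image upgrade and drop the coverage of the log-level override that this e2e sample provided, with no reason given in the commit message. If the removal is intentional (for instance because the default in v3.14.0 makes it redundant), a sentence in the description or a `# logLevel left unset: …` comment in the sample saves the next reader a bisect; otherwise keep the two lines.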
@@ -50,42 +50,44 @@ import ( ) const ( - defaultGatekeeperCrName = "gatekeeper" - GatekeeperImageEnvVar = "RELATED_IMAGE_GATEKEEPER" - NamespaceFile = "v1_namespace_gatekeeper-system.yaml" - AssignCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml" - AssignMetadataCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml" - MutatorPodStatusCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_mutatorpodstatuses.status.gatekeeper.sh.yaml" - ModifySetCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml" - ProviderCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml" - AuditFile = "apps_v1_deployment_gatekeeper-audit.yaml" - WebhookFile = "apps_v1_deployment_gatekeeper-controller-manager.yaml" - ClusterRoleFile = "rbac.authorization.k8s.io_v1_clusterrole_gatekeeper-manager-role.yaml" - ClusterRoleBindingFile = "rbac.authorization.k8s.io_v1_clusterrolebinding_gatekeeper-manager-rolebinding.yaml" - RoleFile = "rbac.authorization.k8s.io_v1_role_gatekeeper-manager-role.yaml" - RoleBindingFile = "rbac.authorization.k8s.io_v1_rolebinding_gatekeeper-manager-rolebinding.yaml" - ServerCertFile = "v1_secret_gatekeeper-webhook-server-cert.yaml" - ValidatingWebhookConfiguration = "admissionregistration.k8s.io_v1_validatingwebhookconfiguration_gatekeeper-validating-webhook-configuration.yaml" - MutatingWebhookConfiguration = "admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_gatekeeper-mutating-webhook-configuration.yaml" - ValidationGatekeeperWebhook = "validation.gatekeeper.sh" - CheckIgnoreLabelGatekeeperWebhook = "check-ignore-label.gatekeeper.sh" - MutationGatekeeperWebhook = "mutation.gatekeeper.sh" - AuditDeploymentName = "gatekeeper-audit" - WebhookDeploymentName = "gatekeeper-controller-manager" - managerContainer = "manager" - LogLevelArg = "--log-level" - 
AuditIntervalArg = "--audit-interval" - ConstraintViolationLimitArg = "--constraint-violations-limit" - AuditFromCacheArg = "--audit-from-cache" - AuditChunkSizeArg = "--audit-chunk-size" - EmitAuditEventsArg = "--emit-audit-events" - EmitAdmissionEventsArg = "--emit-admission-events" - ExemptNamespaceArg = "--exempt-namespace" - EnableMutationArg = "--enable-mutation" - OperationArg = "--operation" - OperationMutationStatus = "mutation-status" - OperationMutationWebhook = "mutation-webhook" - DisabledBuiltinArg = "--disable-opa-builtin" + defaultGatekeeperCrName = "gatekeeper" + GatekeeperImageEnvVar = "RELATED_IMAGE_GATEKEEPER" + NamespaceFile = "v1_namespace_gatekeeper-system.yaml" + AssignCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml" + AssignMetadataCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml" + MutatorPodStatusCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_mutatorpodstatuses.status.gatekeeper.sh.yaml" + ModifySetCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml" + ProviderCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml" + AuditFile = "apps_v1_deployment_gatekeeper-audit.yaml" + WebhookFile = "apps_v1_deployment_gatekeeper-controller-manager.yaml" + ClusterRoleFile = "rbac.authorization.k8s.io_v1_clusterrole_gatekeeper-manager-role.yaml" + ClusterRoleBindingFile = "rbac.authorization.k8s.io_v1_clusterrolebinding_gatekeeper-manager-rolebinding.yaml" + RoleFile = "rbac.authorization.k8s.io_v1_role_gatekeeper-manager-role.yaml" + RoleBindingFile = "rbac.authorization.k8s.io_v1_rolebinding_gatekeeper-manager-rolebinding.yaml" + ServerCertFile = "v1_secret_gatekeeper-webhook-server-cert.yaml" + ValidatingWebhookConfiguration = "admissionregistration.k8s.io_v1_validatingwebhookconfiguration_gatekeeper-validating-webhook-configuration.yaml" + 
MutatingWebhookConfiguration = "admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_gatekeeper-mutating-webhook-configuration.yaml" + ValidationGatekeeperWebhook = "validation.gatekeeper.sh" + CheckIgnoreLabelGatekeeperWebhook = "check-ignore-label.gatekeeper.sh" + MutationGatekeeperWebhook = "mutation.gatekeeper.sh" + AuditDeploymentName = "gatekeeper-audit" + WebhookDeploymentName = "gatekeeper-controller-manager" + managerContainer = "manager" + LogLevelArg = "--log-level" + AuditIntervalArg = "--audit-interval" + ConstraintViolationLimitArg = "--constraint-violations-limit" + AuditFromCacheArg = "--audit-from-cache" + AuditChunkSizeArg = "--audit-chunk-size" + EmitAuditEventsArg = "--emit-audit-events" + EmitAdmissionEventsArg = "--emit-admission-events" + AdmissionEventsInvolvedNamespaceArg = "--admission-events-involved-namespace" + AuditEventsInvolvedNamespaceArg = "--audit-events-involved-namespace" + ExemptNamespaceArg = "--exempt-namespace" + EnableMutationArg = "--enable-mutation" + OperationArg = "--operation" + OperationMutationStatus = "mutation-status" + OperationMutationWebhook = "mutation-webhook" + DisabledBuiltinArg = "--disable-opa-builtin" ) var ( @@ -97,6 +99,8 @@ var ( "apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplatepodstatuses.status.gatekeeper.sh.yaml", "apiextensions.k8s.io_v1_customresourcedefinition_constraintpodstatuses.status.gatekeeper.sh.yaml", "apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml", + "apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml", + "apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml", ModifySetCRDFile, ProviderCRDFile, AssignCRDFile, 
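Review bot: The two CRD file names added to the var list in `@@ -97,6 +99,8 @@` are bare string literals, whereas the other mutation CRDs (`AssignCRDFile`, `AssignMetadataCRDFile`, `ModifySetCRDFile`, `MutatorPodStatusCRDFile`) have named constants, presumably because the controller refers to them individually when mutation is toggled. assignimage.mutations.gatekeeper.sh is a mutation CRD as well; if there is mutation-specific handling keyed on those constants (not visible in this hunk), it needs the same treatment, or the AssignImage CRD would be installed even with the mutating webhook disabled. Adding `AssignImageCRDFile = "apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml"` to the const block and using it in the list keeps the pattern consistent either way; the expansiontemplatepodstatuses literal is fine next to the neighbouring podstatus literals.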
@@ -159,7 +163,7 @@ const ( // Cluster Scoped // +kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch -// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=core,resources=namespaces;events,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=config.gatekeeper.sh,resources=configs,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=config.gatekeeper.sh,resources=configs/status,verbs=get;update;patch @@ -174,6 +178,7 @@ const ( // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations,verbs=create;delete;get;list;patch;update;watch // +kubebuilder:rbac:groups=externaldata.gatekeeper.sh,resources=providers,verbs=create;delete;get;list;patch;update;watch +// +kubebuilder:rbac:groups=expansion.gatekeeper.sh,resources=*,verbs=create;delete;get;list;patch;update;watch // Namespace Scoped // +kubebuilder:rbac:groups=core,namespace="system",resources=secrets;serviceaccounts;services;resourcequotas,verbs=get;list;watch;create;update;patch;delete @@ -617,6 +622,9 @@ func auditOverrides(obj *unstructured.Unstructured, audit *operatorv1alpha1.Audi if err := setEmitEvents(obj, EmitAuditEventsArg, audit.EmitAuditEvents); err != nil { return err } + if err := setEventsInvolvedNamespace(obj, AuditEventsInvolvedNamespaceArg, audit.AuditEventsInvolvedNamespace); err != nil { + return err + } if err := setResources(obj, audit.Resources); err != nil { return err } 
@@ -629,19 +637,29 @@ func webhookOverrides(obj *unstructured.Unstructured, webhook *operatorv1alpha1. if err := setReplicas(obj, webhook.Replicas); err != nil { return err } + if err := setLogLevel(obj, webhook.LogLevel); err != nil { return err } + if err := setEmitEvents(obj, EmitAdmissionEventsArg, webhook.EmitAdmissionEvents); err != nil { return err } + + if err := setEventsInvolvedNamespace(obj, AdmissionEventsInvolvedNamespaceArg, + webhook.AdmissionEventsInvolvedNamespace); err != nil { + return err + } + if err := setResources(obj, webhook.Resources); err != nil { return err } + if err := setDisabledBuiltins(obj, webhook.DisabledBuiltins); err != nil { return err } } + return nil } @@ -858,6 +876,21 @@ func setEmitEvents(obj *unstructured.Unstructured, argName string, emitEvents *o return nil } +func setEventsInvolvedNamespace(obj *unstructured.Unstructured, + argName string, eventsInvolvedNs *operatorv1alpha1.EventsInvolvedNsMode, +) error { + if eventsInvolvedNs != nil { + emitEventsInvolvedNsArgValue := "false" + if *eventsInvolvedNs == operatorv1alpha1.EventsInvolvedNsModeEnabled { + emitEventsInvolvedNsArgValue = "true" + } + + return setContainerArg(obj, managerContainer, argName, emitEventsInvolvedNsArgValue, false) + } + + return nil +} + func setDisabledBuiltins(obj *unstructured.Unstructured, disabledBuiltins []string) error { for _, b := range disabledBuiltins { if err := setContainerArg(obj, managerContainer, DisabledBuiltinArg, b, true); err != nil { diff --git a/controllers/gatekeeper_controller_test.go b/controllers/gatekeeper_controller_test.go index 5d269f01..b58ed2a7 100644 --- a/controllers/gatekeeper_controller_test.go +++ b/controllers/gatekeeper_controller_test.go 
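Review bot: `setEventsInvolvedNamespace` has no doc comment, and the any-other-value-is-false mapping is a choice worth stating: a nil pointer leaves the manifest untouched, Enabled becomes `"true"`, every other non-nil mode becomes `"false"`. A comment such as `// setEventsInvolvedNamespace sets argName on the manager container to "true" when the mode is Enabled and "false" for any other non-nil value; nil leaves the manifest's default in place.` makes that explicit; the body of `setEmitEvents` sits above this hunk, and if it follows the same shape the two could share a single helper taking the enabled flag. Both new `--*-events-involved-namespace` flags are only meaningful on a Gatekeeper build that knows them, and `spec.image.image` is user-overridable (config/samples/gatekeeper_with_all_values.yaml), so a CR setting these modes against an older image would presumably fail the container on an unknown flag; the docs should state the minimum image version for these fields.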
@@ -1031,6 +1031,34 @@ func TestEmitAuditEvents(t *testing.T) { expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(EmitAuditEventsArg, "true")) } +func TestAuditEventsInvolvedNamespace(t *testing.T) { + g := NewWithT(t) + auditInvolvedNamespace := operatorv1alpha1.EventsInvolvedNsModeEnabled + auditOverride := operatorv1alpha1.AuditConfig{ + AuditEventsInvolvedNamespace: &auditInvolvedNamespace, + } + + gatekeeper := &operatorv1alpha1.Gatekeeper{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test", + }, + } + // test default + auditObj, err := util.GetManifestObject(AuditFile) + g.Expect(err).ToNot(HaveOccurred()) + g.Expect(auditObj).ToNot(BeNil()) + expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(AuditEventsInvolvedNamespaceArg)) + // test nil + err = crOverrides(gatekeeper, AuditFile, auditObj, namespace, false, false) + g.Expect(err).ToNot(HaveOccurred()) + expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(AuditEventsInvolvedNamespaceArg)) + // test override + gatekeeper.Spec.Audit = &auditOverride + err = crOverrides(gatekeeper, AuditFile, auditObj, namespace, false, false) + g.Expect(err).ToNot(HaveOccurred()) + expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(AuditEventsInvolvedNamespaceArg, "true")) +} + func TestAllAuditArgs(t *testing.T) { g := NewWithT(t) auditChunkSize := uint64(10) 
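Review bot: `TestAuditEventsInvolvedNamespace` only pins the Enabled value, so the `"false"` branch of setEventsInvolvedNamespace is untested; add a fourth step that sets `auditInvolvedNamespace` to the disabled member of `operatorv1alpha1.EventsInvolvedNsMode` (whatever the api package names it), reruns `crOverrides`, and asserts `HaveKeyWithValue(AuditEventsInvolvedNamespaceArg, "false")`. A mirror test for the webhook side (`AdmissionEventsInvolvedNamespaceArg` applied to `WebhookFile`) is not in this chunk; if it is absent from the rest of the test diff it should be added as well.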
@@ -1041,13 +1069,16 @@ func TestAllAuditArgs(t *testing.T) {
 auditInterval := metav1.Duration{
 Duration: time.Hour,
 }
+ auditInvolvedNamespace := operatorv1alpha1.EventsInvolvedNsModeEnabled
+
 auditOverride := operatorv1alpha1.AuditConfig{
- AuditChunkSize: &auditChunkSize,
- AuditFromCache: &auditFromCache,
- ConstraintViolationLimit: &constraintViolationLimit,
- EmitAuditEvents: &emitEvents,
- LogLevel: &logLevel,
- AuditInterval: &auditInterval,
+ AuditChunkSize: &auditChunkSize,
+ AuditFromCache: &auditFromCache,
+ ConstraintViolationLimit: &constraintViolationLimit,
+ EmitAuditEvents: &emitEvents,
+ LogLevel: &logLevel,
+ AuditInterval: &auditInterval,
+ AuditEventsInvolvedNamespace: &auditInvolvedNamespace,
 }
 gatekeeper := &operatorv1alpha1.Gatekeeper{
@@ -1065,6 +1096,7 @@ func TestAllAuditArgs(t *testing.T) {
 expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(LogLevelArg))
 expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(EmitAuditEventsArg))
 expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(AuditIntervalArg))
+ expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(AuditEventsInvolvedNamespaceArg))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(OperationArg, OperationMutationStatus))
 // test nil
 err = crOverrides(gatekeeper, AuditFile, auditObj, namespace, false, false)
@@ -1075,6 +1107,7 @@ func TestAllAuditArgs(t *testing.T) {
 expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(LogLevelArg))
 expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(EmitAuditEventsArg))
 expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(AuditIntervalArg))
+ expectObjContainerArgument(g, managerContainer, auditObj).NotTo(HaveKey(AuditEventsInvolvedNamespaceArg))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(OperationArg, OperationMutationStatus))
 // test override without mutation
 gatekeeper.Spec.Audit = &auditOverride
@@ -1086,6 +1119,7 @@ func TestAllAuditArgs(t *testing.T) {
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(LogLevelArg, "DEBUG"))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(EmitAuditEventsArg, "true"))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(AuditIntervalArg, "3600"))
+ expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(AuditEventsInvolvedNamespaceArg, "true"))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(OperationArg, OperationMutationStatus))
 // test override with mutation
 mutatingWebhook := operatorv1alpha1.WebhookEnabled
@@ -1097,6 +1131,7 @@ func TestAllAuditArgs(t *testing.T) {
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(ConstraintViolationLimitArg, "20"))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(LogLevelArg, "DEBUG"))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(EmitAuditEventsArg, "true"))
+ expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(AuditEventsInvolvedNamespaceArg, "true"))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(AuditIntervalArg, "3600"))
 expectObjContainerArgument(g, managerContainer, auditObj).To(HaveKeyWithValue(OperationArg, OperationMutationStatus))
 }
@@ -1129,6 +1164,34 @@ func TestEmitAdmissionEvents(t *testing.T) {
 expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(EmitAdmissionEventsArg, "true"))
 }
+func TestAdmissionEventsInvolvedNamespace(t *testing.T) {
+ g := NewWithT(t)
+ admissionEventsInvolvedNamespace := operatorv1alpha1.EventsInvolvedNsModeEnabled
+ webhookOverride := operatorv1alpha1.WebhookConfig{
+ AdmissionEventsInvolvedNamespace: &admissionEventsInvolvedNamespace,
+ }
+
+ gatekeeper := &operatorv1alpha1.Gatekeeper{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test",
+ },
+ }
+ // test default
+ webhookObj, err := util.GetManifestObject(WebhookFile)
+ g.Expect(err).ToNot(HaveOccurred())
+ g.Expect(webhookObj).ToNot(BeNil())
+ expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(AdmissionEventsInvolvedNamespaceArg))
+ // test nil
+ err = crOverrides(gatekeeper, WebhookFile, webhookObj, namespace, false, false)
+ g.Expect(err).ToNot(HaveOccurred())
+ expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(AdmissionEventsInvolvedNamespaceArg))
+ // test override
+ gatekeeper.Spec.Webhook = &webhookOverride
+ err = crOverrides(gatekeeper, WebhookFile, webhookObj, namespace, false, false)
+ g.Expect(err).ToNot(HaveOccurred())
+ expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(AdmissionEventsInvolvedNamespaceArg, "true"))
+}
+
 func TestWebhookLogLevel(t *testing.T) {
 g := NewWithT(t)
 logLevel := operatorv1alpha1.LogLevelDEBUG
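Review bot: `TestAdmissionEventsInvolvedNamespace` covers only the `EventsInvolvedNsModeEnabled` value, so the `"false"` output that `setEventsInvolvedNamespace` produces for any other non-nil mode is never checked on the webhook manifest. I would extend the test with the disabled mode constant from api/v1alpha1 (outside this diff), a further `err = crOverrides(gatekeeper, WebhookFile, webhookObj, namespace, false, false)` and `expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(AdmissionEventsInvolvedNamespaceArg, "false"))`. Without it the helper's two-way mapping is only half pinned down for the admission side.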
@@ -1238,9 +1301,11 @@ func TestAllWebhookArgs(t *testing.T) {
 g := NewWithT(t)
 emitEvents := operatorv1alpha1.EmitEventsEnabled
 logLevel := operatorv1alpha1.LogLevelDEBUG
+ admissionEventsInvolvedNamespace := operatorv1alpha1.EventsInvolvedNsModeEnabled
 webhookOverride := operatorv1alpha1.WebhookConfig{
- EmitAdmissionEvents: &emitEvents,
- LogLevel: &logLevel,
+ EmitAdmissionEvents: &emitEvents,
+ LogLevel: &logLevel,
+ AdmissionEventsInvolvedNamespace: &admissionEventsInvolvedNamespace,
 }
 gatekeeper := &operatorv1alpha1.Gatekeeper{
@@ -1253,12 +1318,14 @@ func TestAllWebhookArgs(t *testing.T) {
 g.Expect(err).ToNot(HaveOccurred())
 g.Expect(webhookObj).ToNot(BeNil())
 expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(EmitAdmissionEventsArg))
+ expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(AdmissionEventsInvolvedNamespaceArg))
 expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(LogLevelArg))
 expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(EnableMutationArg))
 // test nil
 err = crOverrides(gatekeeper, WebhookFile, webhookObj, namespace, false, false)
 g.Expect(err).ToNot(HaveOccurred())
 expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(EmitAdmissionEventsArg))
+ expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(AdmissionEventsInvolvedNamespaceArg))
 expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(LogLevelArg))
 expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(EnableMutationArg))
 // test override without mutation
@@ -1266,6 +1333,7 @@ func TestAllWebhookArgs(t *testing.T) { err = crOverrides(gatekeeper, WebhookFile, webhookObj, namespace, false, false) g.Expect(err).ToNot(HaveOccurred()) expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(EmitAdmissionEventsArg, "true")) + expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(AdmissionEventsInvolvedNamespaceArg, "true")) expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(LogLevelArg, "DEBUG")) expectObjContainerArgument(g, managerContainer, webhookObj).NotTo(HaveKey(EnableMutationArg)) // test override with mutation @@ -1274,6 +1342,7 @@ func TestAllWebhookArgs(t *testing.T) { err = crOverrides(gatekeeper, WebhookFile, webhookObj, namespace, false, false) g.Expect(err).ToNot(HaveOccurred()) expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(EmitAdmissionEventsArg, "true")) + expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(AdmissionEventsInvolvedNamespaceArg, "true")) expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(LogLevelArg, "DEBUG")) expectObjContainerArgument(g, managerContainer, webhookObj).To(HaveKeyWithValue(OperationArg, OperationMutationWebhook)) } diff --git a/deploy/gatekeeper-operator.yaml b/deploy/gatekeeper-operator.yaml index 1911cbe6..8c4a04d9 100644 --- a/deploy/gatekeeper-operator.yaml +++ b/deploy/gatekeeper-operator.yaml @@ -1715,8 +1715,8 @@ spec: - /manager env: - name: RELATED_IMAGE_GATEKEEPER - value: openpolicyagent/gatekeeper:v3.11.1 - image: quay.io/gatekeeper/gatekeeper-operator:v3.11.1 + value: openpolicyagent/gatekeeper:v3.14.0 + image: quay.io/gatekeeper/gatekeeper-operator:v3.14.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/docs/upgrading-gatekeeper.md b/docs/upgrading-gatekeeper.md index 0dda501c..2d9b33fd 100644 --- a/docs/upgrading-gatekeeper.md +++ b/docs/upgrading-gatekeeper.md 
@@ -16,10 +16,17 @@ and skipping `v3.4.Z`.
 ## 1. Set desired Gatekeeper version and commit
+Update ./REPLACES_VERSION and ./VERSION files.
+
+For example, if you want to upgrade from the current version to 3.15.0:
+```shell
+cat VERSION > REPLACES_VERSION
+printf "3.15.0" > VERSION
+```
+
 ```shell
-GATEKEEPER_PREV_VERSION=$(awk '/^GATEKEEPER_VERSION \?= .*/ {print $3}' Makefile)
-GATEKEEPER_VERSION=
-sed -i "s/GATEKEEPER_VERSION ?= .*/GATEKEEPER_VERSION ?= ${GATEKEEPER_VERSION}/" Makefile
+GATEKEEPER_PREV_VERSION=v$(cut -d '-' -f 1 REPLACES_VERSION)
+GATEKEEPER_VERSION=v$(cut -d '-' -f 1 VERSION)
 sed -i "s/CHANNELS ?= .*/CHANNELS ?= stable,$(echo $GATEKEEPER_VERSION | cut -c2- | cut -d '.' -f 1-2)/" Makefile
 git commit -m "Set Gatekeeper version to ${GATEKEEPER_VERSION}" Makefile
 ```
diff --git a/pkg/bindata/bindata.go b/pkg/bindata/bindata.go
index 4a26d301..d65ab007 100644
--- a/pkg/bindata/bindata.go
+++ b/pkg/bindata/bindata.go
@@ -3,12 +3,14 @@ // config/gatekeeper-rendered/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_gatekeeper-mutating-webhook-configuration.yaml // config/gatekeeper-rendered/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_gatekeeper-validating-webhook-configuration.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml +// config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_configs.config.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_constraintpodstatuses.status.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplatepodstatuses.status.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml +// config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_mutatorpodstatuses.status.gatekeeper.sh.yaml // config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml 
@@ -320,7 +322,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -399,7 +401,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -458,7 +460,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -667,7 +669,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -746,7 +748,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -805,7 +807,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -1014,7 +1016,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -1093,7 +1095,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -1152,7 +1154,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: 
@@ -1314,6 +1316,355 @@ func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assi return a, nil } +var _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignimageMutationsGatekeeperShYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds + a mutation will be applied to. This is necessary because every mutation + implies part of an object schema and object schemas are associated + with specific GVKs. 
+ items: + description: ApplyTo determines what GVKs items the mutation should + apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: + ` + "`" + `spec.containers[name: main].image` + "`" + `.' + type: string + match: + description: Match allows the user to limit which resources get mutated. + Individual match criteria are AND-ed together. An undefined match + criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. + If defined, a constraint only applies to resources not in a + listed namespace. ExcludedNamespaces also supports a prefix + or suffix based glob. For example, ` + "`" + `excludedNamespaces: [kube-*]` + "`" + ` + matches both ` + "`" + `kube-system` + "`" + ` and ` + "`" + `kube-public` + "`" + `, and ` + "`" + `excludedNamespaces: + [*-system]` + "`" + ` matches both ` + "`" + `kube-system` + "`" + ` and ` + "`" + `gatekeeper-system` + "`" + `.' + items: + description: 'A string that supports globbing at its front or + end. Ex: "kube-*" will match "kube-system" or "kube-public", + "*-system" will match "kube-system" or "gatekeeper-system". The + asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups + and kinds fields that list the groups/kinds of objects to + which the mutation will apply. If multiple groups/kinds objects + are specified, only one match is needed for the resource to + be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong + to. '*' is all groups. If '*' is present, the length of + the slice must be one. 
Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional + fields: ` + "`" + `matchLabels` + "`" + ` and ` + "`" + `matchExpressions` + "`" + `. These two fields + provide different methods of selecting or excluding k8s objects + based on the label keys and values included in object metadata. All + selection expressions from both sections are ANDed to determine + if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will + match against objects with the specified name. 
Name also supports + a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match + both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both + ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an + object's containing namespace or the object itself, if the object + is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, + a constraint only applies to resources in a listed namespace. 
Namespaces + also supports a prefix or suffix based glob. For example, ` + "`" + `namespaces: + [kube-*]` + "`" + ` matches both ` + "`" + `kube-system` + "`" + ` and ` + "`" + `kube-public` + "`" + `, and + ` + "`" + `namespaces: [*-system]` + "`" + ` matches both ` + "`" + `kube-system` + "`" + ` and ` + "`" + `gatekeeper-system` + "`" + `.' + items: + description: 'A string that supports globbing at its front or + end. Ex: "kube-*" will match "kube-system" or "kube-public", + "*-system" will match "kube-system" or "gatekeeper-system". The + asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped + resources are matched. Accepts ` + "`" + `*` + "`" + `, ` + "`" + `Cluster` + "`" + `, or ` + "`" + `Namespaced` + "`" + `. + (defaults to ` + "`" + `*` + "`" + `) + type: string + source: + description: Source determines whether generated or original resources + are matched. Accepts ` + "`" + `Generated` + "`" + `|` + "`" + `Original` + "`" + `|` + "`" + `All` + "`" + ` (defaults + to ` + "`" + `All` + "`" + `). A value of ` + "`" + `Generated` + "`" + ` will only match generated + resources, while ` + "`" + `Original` + "`" + ` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image + string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image + string. + type: string + assignTag: + description: AssignImage sets the image component on an image + string. It must start with a ` + "`" + `:` + "`" + ` or ` + "`" + `@` + "`" + `. 
+ type: string + pathTests: + items: + description: "PathTest allows the user to customize how the + mutation works if parent paths are missing. It traverses the + list in order. All sub paths are tested against the provided + condition, if the test fails, the mutation is not applied. + All ` + "`" + `subPath` + "`" + ` entries must be a prefix of ` + "`" + `location` + "`" + `. Any + glob characters will take on the same value as was used to + expand the matching glob in ` + "`" + `location` + "`" + `. \n Available Tests: + * MustExist - the path must exist or do not mutate * MustNotExist + - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either + MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of + MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught + while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error + for use by controller code. If not present, the error + should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, + such as when a mutator has been recreated after its CRD was + deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} +`) + +func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignimageMutationsGatekeeperShYamlBytes() ([]byte, error) { + return _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignimageMutationsGatekeeperShYaml, nil +} + +func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignimageMutationsGatekeeperShYaml() (*asset, error) { + bytes, err := configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignimageMutationsGatekeeperShYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignmetadataMutationsGatekeeperShYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1360,7 +1711,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. 
@@ -1374,7 +1725,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -1453,7 +1804,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -1512,7 +1863,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -1659,7 +2010,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. @@ -1673,7 +2024,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -1752,7 +2103,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -1811,7 +2162,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -1958,7 +2309,7 @@ spec: location: type: string match: - description: Match selects objects to apply mutations to. + description: Match selects which objects are in scope. properties: excludedNamespaces: description: 'ExcludedNamespaces is a list of namespace names. @@ -1972,7 +2323,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -2051,7 +2402,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -2110,7 +2461,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -2300,7 +2651,7 @@ spec: or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array processes: @@ -2576,7 +2927,8 @@ var _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_cons kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null labels: gatekeeper.sh/system: "yes" name: constrainttemplates.templates.gatekeeper.sh @@ -2640,6 +2992,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -2743,6 +3116,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string @@ -2846,6 +3240,27 @@ spec: targets: items: properties: + code: + description: The source code options for the constraint template. + "Rego" can only be specified in one place (either here or + in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map libs: items: type: string 
@@ -2999,9 +3414,158 @@ spec: generators, this is usually spec.template type: string type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed + state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after + modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including + UUIDs. Because we don't ONLY use UUIDs, this is an alias + to string. Being a type captures intent and helps make sure + that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object type: object served: true storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds + of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should + apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to + be used for resources matching the ExpansionTemplate. Specifying + an empty value will use the enforcement action specified by the + Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which + the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator + resource to use as the base for expanded resource. For Pod-creating + generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed + state of ExpansionTemplatePodStatus. 
+ properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after + modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including + UUIDs. Because we don't ONLY use UUIDs, this is an alias + to string. Being a type captures intent and helps make sure + that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} `) func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplateExpansionGatekeeperShYamlBytes() ([]byte, error) { 
@@ -3019,6 +3583,96 @@ func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expa return a, nil } +var _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplatepodstatusesStatusGatekeeperShYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ExpansionTemplatePodStatus + listKind: ExpansionTemplatePodStatusList + plural: expansiontemplatepodstatuses + singular: expansiontemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ExpansionTemplatePodStatusStatus defines the observed state + of ExpansionTemplatePodStatus. 
+ properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying + this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including + UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being + a type captures intent and helps make sure that UIDs and names do + not get conflated. + type: string + type: object + type: object + served: true + storage: true +`) + +func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplatepodstatusesStatusGatekeeperShYamlBytes() ([]byte, error) { + return _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplatepodstatusesStatusGatekeeperShYaml, nil +} + +func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplatepodstatusesStatusGatekeeperShYaml() (*asset, error) { + bytes, err := configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplatepodstatusesStatusGatekeeperShYamlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + var _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_modifysetMutationsGatekeeperShYaml = []byte(`apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -3107,7 +3761,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -3186,7 +3840,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -3245,7 +3899,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -3420,7 +4074,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: 
@@ -3499,7 +4153,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an @@ -3558,7 +4212,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -3733,7 +4387,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array kinds: @@ -3812,7 +4466,7 @@ spec: a prefix or suffix glob. For example, ` + "`" + `name: pod-*` + "`" + ` would match both ` + "`" + `pod-a` + "`" + ` and ` + "`" + `pod-b` + "`" + `, and ` + "`" + `name: *-pod` + "`" + ` would match both ` + "`" + `a-pod` + "`" + ` and ` + "`" + `b-pod` + "`" + `.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string namespaceSelector: description: NamespaceSelector is a label selector against an 
@@ -3871,7 +4525,7 @@ spec: end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ type: string type: array scope: @@ -4094,7 +4748,7 @@ var _configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_prov kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.11.3 creationTimestamp: null labels: gatekeeper.sh/system: "yes" @@ -4142,12 +4796,12 @@ spec: type: integer url: description: URL is the url for the provider. URL is prefixed with - http:// or https://. + https://. type: string type: object type: object served: true - storage: true + storage: false - name: v1beta1 schema: openAPIV3Schema: @@ -4178,12 +4832,12 @@ spec: type: integer url: description: URL is the url for the provider. URL is prefixed with - http:// or https://. + https://. type: string type: object type: object served: true - storage: false + storage: true `) func configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_providersExternaldataGatekeeperShYamlBytes() ([]byte, error) { @@ -4251,7 +4905,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.11.1 + image: openpolicyagent/gatekeeper:v3.14.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -4385,7 +5039,7 @@ spec: fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager - image: openpolicyagent/gatekeeper:v3.11.1 + image: openpolicyagent/gatekeeper:v3.14.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -4494,6 +5148,13 @@ metadata: gatekeeper.sh/system: "yes" name: gatekeeper-manager-role rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch - apiGroups: - '*' resources: 
@@ -4558,6 +5219,18 @@ rules: - patch - update - watch +- apiGroups: + - expansion.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - externaldata.gatekeeper.sh resources: 
@@ -4970,12 +5643,14 @@ var _bindata = map[string]func() (*asset, error){ "config/gatekeeper-rendered/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_gatekeeper-mutating-webhook-configuration.yaml": configGatekeeperRenderedAdmissionregistrationK8sIo_v1_mutatingwebhookconfiguration_gatekeeperMutatingWebhookConfigurationYaml, "config/gatekeeper-rendered/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_gatekeeper-validating-webhook-configuration.yaml": configGatekeeperRenderedAdmissionregistrationK8sIo_v1_validatingwebhookconfiguration_gatekeeperValidatingWebhookConfigurationYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignMutationsGatekeeperShYaml, + "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignimageMutationsGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignmetadataMutationsGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_configs.config.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_configsConfigGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_constraintpodstatuses.status.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_constraintpodstatusesStatusGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplatepodstatuses.status.gatekeeper.sh.yaml": 
configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_constrainttemplatepodstatusesStatusGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_constrainttemplatesTemplatesGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplateExpansionGatekeeperShYaml, + "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplatepodstatusesStatusGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_modifysetMutationsGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_mutatorpodstatuses.status.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_mutatorpodstatusesStatusGatekeeperShYaml, "config/gatekeeper-rendered/apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml": configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_providersExternaldataGatekeeperShYaml, 
@@ -5041,12 +5716,14 @@ var _bintree = &bintree{nil, map[string]*bintree{ "admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_gatekeeper-mutating-webhook-configuration.yaml": {configGatekeeperRenderedAdmissionregistrationK8sIo_v1_mutatingwebhookconfiguration_gatekeeperMutatingWebhookConfigurationYaml, map[string]*bintree{}}, "admissionregistration.k8s.io_v1_validatingwebhookconfiguration_gatekeeper-validating-webhook-configuration.yaml": {configGatekeeperRenderedAdmissionregistrationK8sIo_v1_validatingwebhookconfiguration_gatekeeperValidatingWebhookConfigurationYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_assign.mutations.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignMutationsGatekeeperShYaml, map[string]*bintree{}}, + "apiextensions.k8s.io_v1_customresourcedefinition_assignimage.mutations.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignimageMutationsGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_assignmetadata.mutations.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_assignmetadataMutationsGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_configs.config.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_configsConfigGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_constraintpodstatuses.status.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_constraintpodstatusesStatusGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplatepodstatuses.status.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_constrainttemplatepodstatusesStatusGatekeeperShYaml, map[string]*bintree{}}, 
"apiextensions.k8s.io_v1_customresourcedefinition_constrainttemplates.templates.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_constrainttemplatesTemplatesGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplate.expansion.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplateExpansionGatekeeperShYaml, map[string]*bintree{}}, + "apiextensions.k8s.io_v1_customresourcedefinition_expansiontemplatepodstatuses.status.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_expansiontemplatepodstatusesStatusGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_modifyset.mutations.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_modifysetMutationsGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_mutatorpodstatuses.status.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_mutatorpodstatusesStatusGatekeeperShYaml, map[string]*bintree{}}, "apiextensions.k8s.io_v1_customresourcedefinition_providers.externaldata.gatekeeper.sh.yaml": {configGatekeeperRenderedApiextensionsK8sIo_v1_customresourcedefinition_providersExternaldataGatekeeperShYaml, map[string]*bintree{}},