feat(helm): matchConditions added in Validating & MutatingWebhookConfiguration #3100

Closed
wants to merge 86 commits into from
Changes from 5 commits
58a5d3a
feat(helm): matchConditions added in Validating & MutatingWebhookConf…
Oct 23, 2023
ff4c6b4
chore: replacements used
Oct 23, 2023
a0cf7b0
chore: values added
Oct 23, 2023
56e018e
Merge branch 'open-policy-agent:master' into master
leewoobin789 Nov 22, 2023
5e9945f
Merge branch 'master' into master
leewoobin789 Nov 30, 2023
982d3a5
fix: log panic in am (#3174)
acpana Nov 30, 2023
9cf91f9
chore: auto tagging after release pr is merged (#3135)
JaydipGabani Dec 1, 2023
7dc61f8
docs: automate installation docs to point to tag (#3178)
sozercan Dec 1, 2023
bd75c0c
chore: bump the all group with 5 updates (#3182)
dependabot[bot] Dec 2, 2023
7fed17f
fix: disable psp as default (#3179)
ritazh Dec 5, 2023
5a0b9e8
chore: bump golang from `26c7537` to `fe69f48` in /build/tooling (#3148)
dependabot[bot] Dec 13, 2023
49cca3b
chore: bump golang from `26c7537` to `fe69f48` in /test/image (#3150)
dependabot[bot] Dec 13, 2023
bd3992d
docs: Update install.md (#3191)
Asya-kawai Dec 29, 2023
31319be
docs: update repo env var (#3203)
ritazh Jan 3, 2024
6228648
chore: fix golanglint, checkout prior to setup-go (#3206)
apeabody Jan 6, 2024
28e64df
chore: bump the all group with 5 updates (#3207)
dependabot[bot] Jan 8, 2024
a904e90
chore: bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#3197)
dependabot[bot] Jan 8, 2024
10802d3
test: bump dapr to 1.12 (#3108)
sozercan Jan 9, 2024
54c57c1
chore: bump golang from `fe69f48` to `ca78a56` in /test/image (#3196)
dependabot[bot] Jan 9, 2024
54246ea
chore: bump golang from `fe69f48` to `ca78a56` in /build/tooling (#3194)
dependabot[bot] Jan 9, 2024
5ab7e03
chore: bump github.com/containerd/containerd from 1.7.6 to 1.7.11 (#3…
dependabot[bot] Jan 9, 2024
5bae9e2
chore: bump kubectl from v1.28.3 to v1.29.0 (#3193)
dependabot[bot] Jan 9, 2024
8fa5ae8
chore: bump follow-redirects from 1.14.9 to 1.15.4 in /website (#3208)
dependabot[bot] Jan 9, 2024
baa4d81
chore: bump cloud.google.com/go/trace from 1.10.2 to 1.10.4 (#3149)
dependabot[bot] Jan 9, 2024
f14d243
chore: bump github.com/docker/docker from 24.0.6+incompatible to 24.0…
dependabot[bot] Jan 9, 2024
9a9cad3
chore: bump clsx from 1.2.1 to 2.1.0 in /website (#3204)
dependabot[bot] Jan 9, 2024
b7d0959
chore: bump the k8s group with 3 updates (#3209)
dependabot[bot] Jan 11, 2024
b5ae5cf
chore: bump framework to 18fa1fc7dc06 (#3211)
ritazh Jan 12, 2024
a7035b8
docs: syncset docs (#3202)
acpana Jan 15, 2024
5e1903d
chore: moving to otel from opencensus (#3011)
JaydipGabani Jan 18, 2024
352f7a5
chore: bump golang from `1e3c713` to `6ac4c35` in /build/tooling (#3221)
dependabot[bot] Jan 18, 2024
3189d28
chore: bump golang from `1e3c713` to `6ac4c35` in /test/image (#3220)
dependabot[bot] Jan 18, 2024
6e41ddd
chore: bump the k8s group with 2 updates (#3226)
dependabot[bot] Jan 18, 2024
faa11d2
chore: bump kubectl from v1.29.0 to v1.29.1 (#3232)
dependabot[bot] Jan 22, 2024
d00d450
chore: bump golang from `6ac4c35` to `adf7ccb` in /build/tooling (#3233)
dependabot[bot] Jan 22, 2024
54ec9db
chore: bump golang from `6ac4c35` to `adf7ccb` in /test/image (#3231)
dependabot[bot] Jan 22, 2024
9bc7851
chore: bump golang from `adf7ccb` to `47fa179` in /build/tooling (#3238)
dependabot[bot] Jan 29, 2024
bda7bbd
chore: bump golang from `adf7ccb` to `47fa179` in /test/image (#3236)
dependabot[bot] Jan 29, 2024
5fbaef6
docs: add docs on how to contribute templates (#3242)
salaxander Jan 29, 2024
4c86a8f
chore: Setting pubsub annotations using --set in makefile (#3160)
JaydipGabani Jan 31, 2024
f3c8613
fix: fixing panic in debug log (#3244)
JaydipGabani Jan 31, 2024
b0fdea4
fix: fixing panic in error log (#3246)
JaydipGabani Jan 31, 2024
6252275
docs: add request input struct (#3234)
salaxander Feb 1, 2024
132500e
feat: Update audit and controller manager with pod labels (#3240)
Feb 6, 2024
6a4abac
ci: removing auto tagging workflow (#3257)
JaydipGabani Feb 7, 2024
3991add
chore: Prepare v3.16.0-beta.0 release (#3256)
github-actions[bot] Feb 7, 2024
6f0c3d9
ci: running ci with gatekeeper debug logs (#3260)
JaydipGabani Feb 7, 2024
7faf4c9
fix: Remove validation of constraint template rego (#3262)
mzkhan Feb 14, 2024
88ecb8c
ci: bump k8s matrix (#3267)
sozercan Feb 15, 2024
188ce2c
chore: bump kubectl from v1.29.1 to v1.29.2 (#3273)
dependabot[bot] Feb 21, 2024
644319b
chore: Upgrade controller-runtime to 0.17.2, remove fork (#3278)
maxsmythe Feb 22, 2024
5a8b71e
ci: fix license lint (#3279)
sozercan Feb 22, 2024
4db1662
fix #3261 Sort constraint status audit results (#3277)
prachirp Feb 22, 2024
0d430f2
chore: bump the k8s group with 4 updates (#3280)
dependabot[bot] Feb 22, 2024
69d6800
chore: bump oras.land/oras-go from 1.2.4 to 1.2.5 (#3239)
dependabot[bot] Feb 22, 2024
a4d077a
chore: bump the all group with 10 updates (#3281)
dependabot[bot] Feb 22, 2024
d390e3c
feat: add disableAudit helm option (#3270)
DorB-P Feb 22, 2024
08329ee
chore: bump cloud.google.com/go/trace from 1.10.4 to 1.10.5 (#3254)
dependabot[bot] Feb 22, 2024
79c3fa5
feat: vap generation (#3266)
ritazh Feb 26, 2024
04c97ea
ci: pointing to correct versioned yaml on website creation (#3258)
JaydipGabani Feb 28, 2024
68b2046
chore: bump the all group with 4 updates (#3292)
dependabot[bot] Feb 28, 2024
39c0eaa
docs: document constraint match.source (#3291)
sozercan Feb 29, 2024
73bfe89
fix: update unit test for vap generation; add custom assets for envte…
ritazh Feb 29, 2024
6879bb4
chore: bump github.com/golang/protobuf from 1.5.3 to 1.5.4 (#3301)
dependabot[bot] Mar 12, 2024
d998928
fix: fixing metrics views (#3307)
JaydipGabani Mar 15, 2024
8e99326
chore: bump kubectl from v1.29.2 to v1.29.3 (#3317)
dependabot[bot] Mar 18, 2024
376ef1f
chore: bump the k8s group with 4 updates (#3318)
dependabot[bot] Mar 18, 2024
8f2f418
chore: bump the all group with 4 updates (#3313)
dependabot[bot] Mar 18, 2024
960d2f8
chore: bump follow-redirects from 1.15.4 to 1.15.6 in /website (#3316)
dependabot[bot] Mar 18, 2024
2952590
chore: bump google.golang.org/grpc from 1.61.0 to 1.61.1 (#3285)
dependabot[bot] Mar 18, 2024
c78b647
chore: Prepare v3.16.0-beta.1 release (#3306)
github-actions[bot] Mar 19, 2024
2428c63
fix: store constraint status audit results in sorted order (#3293)
prachirp Mar 20, 2024
0a5ae29
chore: bump github.com/docker/docker from 25.0.1+incompatible to 25.0…
dependabot[bot] Mar 20, 2024
7daf00a
chore: bump cloud.google.com/go/trace from 1.10.5 to 1.10.6 (#3319)
dependabot[bot] Mar 20, 2024
7b9dd70
chore: bump frameworks to 359cf1b (#3326)
sozercan Mar 20, 2024
62525f2
chore: bump github.com/docker/docker from 25.0.2+incompatible to 25.0…
dependabot[bot] Mar 20, 2024
c92d19d
docs: fix go install gator (#3325)
sozercan Mar 22, 2024
2ea9a6b
chore: bump webpack-dev-middleware from 5.3.1 to 5.3.4 in /website (#…
dependabot[bot] Mar 26, 2024
b5eedf4
chore: bump express from 4.18.1 to 4.19.2 in /website (#3334)
dependabot[bot] Mar 26, 2024
b67b5f6
feat: enable vap in helm (#3329)
ritazh Mar 26, 2024
08526ce
docs: update opa version in readme (#3330)
ritazh Mar 26, 2024
d5a4c65
fix: over-restrictive validation of wildcard match patterns (#3310)
bencouture Mar 27, 2024
dae7514
chore: bump to go 1.22 bookworm (#3323)
sozercan Mar 27, 2024
1dd8ed1
chore: update lint (#3338)
sozercan Mar 28, 2024
95c9861
feat: Enable toggling of deferring to VAP (#3335)
maxsmythe Mar 28, 2024
50e0ce7
feat(helm): matchConditions added in Validating & MutatingWebhookConf…
Oct 23, 2023
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
Expand Up @@ -253,6 +253,7 @@ webhooks:
objectSelector: HELMSUBST_MUTATING_WEBHOOK_OBJECT_SELECTOR
sideEffects: None
timeoutSeconds: HELMSUBST_MUTATING_WEBHOOK_TIMEOUT
matchConditions: HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
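Review bot: the mutating placeholder is appended after `timeoutSeconds` here, while the validating one in the next hunk is placed directly after the `rules` list; keep the position of `matchConditions` consistent between the two webhook configurations so the rendered output is easy to diff against the upstream templates. Note also that the placeholder is emitted unconditionally in this kustomize base, so the version gating relies entirely on the post-processing in cmd/build/helmify/main.go.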
Expand All @@ -279,6 +280,7 @@ webhooks:
failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY
rules:
- HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES
matchConditions: HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS
- clientConfig:
service:
name: gatekeeper-webhook-service
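Review bot: only the first validating webhook entry receives `matchConditions`; the second entry beginning at `- clientConfig:` below (the check-ignore-label webhook, configured by `validatingWebhookCheckIgnoreFailurePolicy` in the README) is left without it. If that is intentional, state it in the README row for `validatingWebhookMatchConditions`, since an operator writing conditions may expect them to scope both webhooks.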
8 changes: 6 additions & 2 deletions cmd/build/helmify/main.go
Expand Up @@ -105,12 +105,16 @@ func (ks *kindSet) Write() error {
fileName := fmt.Sprintf("%s-%s.yaml", strings.ToLower(name), strings.ToLower(kind))

if name == "validation.gatekeeper.sh" {
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + "{{- end }}\n"
matchConditions := " matchConditions: " + replacements["HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS"]
replace := fmt.Sprintf(" {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n {{- end }}", matchConditions)
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + strings.Replace(obj, matchConditions, replace, 1) + "{{- end }}\n"
fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

if name == "mutation.gatekeeper.sh" {
obj = "{{- if not .Values.disableMutation }}\n" + obj + "{{- end }}\n"
matchConditions := " matchConditions: " + replacements["HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS"]
replace := fmt.Sprintf(" {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n {{- end }}", matchConditions)
obj = "{{- if not .Values.disableMutation }}\n" + strings.Replace(obj, matchConditions, replace, 1) + "{{- end }}\n"
fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

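Review bot: `strings.Replace(obj, matchConditions, replace, 1)` silently does nothing if the rendered line does not match the constructed `matchConditions` string byte for byte (leading spaces included), which would leave the field ungated and break installs on clusters older than 1.28; guard it with `strings.Contains(obj, matchConditions)` and return an error when the marker is absent. The validating and mutating branches are also identical apart from the replacement key and values flag, so a small helper taking those two arguments would remove the duplication.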
4 changes: 4 additions & 0 deletions cmd/build/helmify/replacements.go
Expand Up @@ -146,6 +146,8 @@ var replacements = map[string]string{
path: /v1/mutate
{{- end }}`,

"HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}`,

"HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`,

"HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.validatingWebhookFailurePolicy }}`,
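Review bot: `{{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}` always emits a value, so with the default setting the chart renders a `matchConditions:` key with empty content on every 1.28+ cluster. Replacing the whole `matchConditions: HELMSUBST_...` line (the pattern already used for `HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""` further down) and wrapping it in `{{- with .Values.validatingWebhookMatchConditions }}` ... `{{- end }}` omits the key entirely when nothing is configured; the same applies to the mutating replacement in the next hunk.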
Expand Down Expand Up @@ -217,6 +219,8 @@ var replacements = map[string]string{
- 'services/status'
{{- end }}`,

"HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}`,

"HELMSUBST_PDB_CONTROLLER_MANAGER_MINAVAILABLE": `{{ .Values.pdb.controllerManager.minAvailable }}`,

`HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""`: `{{- if .Values.image.release }}
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/README.md
Expand Up @@ -141,6 +141,7 @@ information._
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `{}` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
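Review bot: the `validatingWebhookMatchConditions` row should carry the same caveat as the `validatingWebhookObjectSelector` row above it: a request for which any condition evaluates to false is never sent to Gatekeeper, so an overly broad expression is a validation bypass rather than a refinement. The row should also say that the field is only rendered on Kubernetes 1.28 and later (the gate in main.go) and is silently absent on older clusters.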
Expand All @@ -157,6 +158,7 @@ information._
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/values.yaml
Expand Up @@ -13,6 +13,7 @@ validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookMatchConditions: {}
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
validatingWebhookURL: null
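Review bot: `validatingWebhookMatchConditions: {}` defaults a list-typed field (`webhooks[].matchConditions` is a list of `{name, expression}` items in admissionregistration.k8s.io/v1) to an empty map, so `toYaml` renders `matchConditions: {}` and the API server rejects the configuration with a type error as soon as the 1.28 gate passes; use `[]` here and for `mutatingWebhookMatchConditions` in the next hunk, and update the default column of both README rows to match.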
Expand All @@ -27,6 +28,7 @@ mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookMatchConditions: {}
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutatingWebhookURL: null
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/README.md
Expand Up @@ -141,6 +141,7 @@ information._
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `{}` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
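Review bot: this table row is byte-identical to the one added under cmd/build/helmify/static/README.md above; whatever wording and default-value change lands there needs to be regenerated into this copy as well, otherwise the two READMEs drift.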
Expand All @@ -157,6 +158,7 @@ information._
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ webhooks:
path: /v1/mutate
{{- end }}
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
{{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}
{{- end }}
matchPolicy: Exact
name: mutation.gatekeeper.sh
namespaceSelector:
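Review bot: `ge (int .Capabilities.KubeVersion.Minor) 28` is fragile: some managed distributions report the minor version with a trailing `+` (for example `28+`), which `int` cannot parse and turns into 0, so the gate evaluates false and `matchConditions` is silently dropped on exactly the clusters where it was configured. Comparing against `.Capabilities.KubeVersion.Version` with `semverCompare ">=1.28-0"` is the robust form; the same gate appears in the validating template below.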
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ webhooks:
path: /v1/admit
{{- end }}
failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
{{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}
{{- end }}
matchPolicy: Exact
name: validation.gatekeeper.sh
namespaceSelector:
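Review bot: a match condition that errors at evaluation time is resolved by the webhook's `failurePolicy`, and the rendered `failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}` above defaults to `Ignore` (values.yaml), so a CEL expression that fails causes the validating webhook to be skipped for that request with no admission error. That deserves a sentence in the README row so operators test their expressions and consider `Fail` when they depend on match conditions.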
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
Expand Up @@ -13,6 +13,7 @@ validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookMatchConditions: {}
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
validatingWebhookURL: null
Expand All @@ -27,6 +28,7 @@ mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookMatchConditions: {}
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutatingWebhookURL: null