From cf9b5b9c2c437b52946ce57ec19be780570c9dbd Mon Sep 17 00:00:00 2001
From: Bertrand Delage
Date: Thu, 16 Sep 2021 11:28:26 -0400
Subject: [PATCH 1/3] feat/support-ObjectSelectorAdmissionSkip-helm-value
---
 helm/portieris/templates/webhooks.yaml | 5 +++++
 helm/portieris/values.yaml | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/helm/portieris/templates/webhooks.yaml b/helm/portieris/templates/webhooks.yaml
index 693d812a..8518cc00 100644
--- a/helm/portieris/templates/webhooks.yaml
+++ b/helm/portieris/templates/webhooks.yaml
@@ -67,3 +67,8 @@ webhooks:
 values:
 - skip
 {{ end }}
+ {{ if .Values.ObjectSelectorAdmissionSkip }}
+ objectSelector:
+ matchExpressions:
+{{ toYaml .Values.ObjectSelectorAdmissionSkip | indent 6 }}
+ {{ end }}
\ No newline at end of file
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
index 7637b928..f5680d6a 100644
--- a/helm/portieris/values.yaml
+++ b/helm/portieris/values.yaml
@@ -81,7 +81,13 @@ affinity:
 # However, if this is enabled, anyone with access to annotate namespaces could bypass Portieris by
 # setting the annotation on their namespaces. Therefore, be careful with your RBAC policies if you
 # enable this option!
-AllowAdmissionSkip: false
+AllowAdmissionSkip: true
+
+ObjectSelectorAdmissionSkip: {}
+ # - key: xxxxx.xxxxx/xxx
+ # operator: NotIn
+ # values:
+ # - xxxx
 clusterPolicy:
 allowedRepositories:
From d98fc29c31caf8de3fbbaeac60a57ee5659d2bc9 Mon Sep 17 00:00:00 2001
From: Bertrand Delage
Date: Thu, 16 Sep 2021 11:36:45 -0400
Subject: [PATCH 2/3] set AllowAdmissionSkip back to false
---
 helm/portieris/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
index f5680d6a..3eb5ce68 100644
--- a/helm/portieris/values.yaml
+++ b/helm/portieris/values.yaml
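Review bot: The `objectSelector` added after `{{ end }}` is evaluated by the API server against labels on the object being admitted, and those labels are written by whoever creates the workload, so this is a self-service bypass of image enforcement that needs no namespace-level rights at all — weaker than the namespace-annotation skip, which is at least gated by `AllowAdmissionSkip`. Nothing in the template gates this path or records that caveat; add a template comment above the `{{ if }}` such as `# objectSelector is matched against the admitted object's own labels; any exclusion configured here can be claimed by the object's author, so keep it to negative operators on a label your RBAC restricts`. The enclosing webhook entry starts before this hunk, so whether every webhook in the list receives the selector or only the last one cannot be told from here.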
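Review bot: `ObjectSelectorAdmissionSkip` is introduced directly under the warning block for `AllowAdmissionSkip` but carries no warning of its own, although it is the broader escape hatch: the selector is matched against labels on the admitted object, which the object's author controls, whereas the annotation skip requires rights on the namespace. Add a comment above the new key such as `# Label selector that excludes matching objects from Portieris admission. Labels are set by whoever creates the object, so any exclusion here is a bypass available to every workload author; use only NotIn/DoesNotExist on a label your RBAC keeps out of ordinary users' hands.` This hunk also flips `AllowAdmissionSkip` from `false` to `true`, which is unrelated to the subject line; the following patch in the series reverts it, so squashing the two would keep the less safe default out of history.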
@@ -81,7 +81,7 @@ affinity:
 # However, if this is enabled, anyone with access to annotate namespaces could bypass Portieris by
 # setting the annotation on their namespaces. Therefore, be careful with your RBAC policies if you
 # enable this option!
-AllowAdmissionSkip: true
+AllowAdmissionSkip: false
 ObjectSelectorAdmissionSkip: {}
 # - key: xxxxx.xxxxx/xxx
From c78e4f84df0fbbd43283c6a9aa7c3f5612e16e5c Mon Sep 17 00:00:00 2001
From: Bertrand Delage
Date: Thu, 16 Sep 2021 11:57:41 -0400
Subject: [PATCH 3/3] add matchLabels support
---
 helm/portieris/templates/webhooks.yaml | 1 -
 helm/portieris/values.yaml | 13 ++++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/helm/portieris/templates/webhooks.yaml b/helm/portieris/templates/webhooks.yaml
index 8518cc00..c10a888e 100644
--- a/helm/portieris/templates/webhooks.yaml
+++ b/helm/portieris/templates/webhooks.yaml
@@ -69,6 +69,5 @@ webhooks:
 {{ end }}
 {{ if .Values.ObjectSelectorAdmissionSkip }}
 objectSelector:
- matchExpressions:
 {{ toYaml .Values.ObjectSelectorAdmissionSkip | indent 6 }}
 {{ end }}
\ No newline at end of file
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
index 3eb5ce68..3bc6fef6 100644
--- a/helm/portieris/values.yaml
+++ b/helm/portieris/values.yaml
@@ -83,11 +83,14 @@ affinity:
 # enable this option!
 AllowAdmissionSkip: false
-ObjectSelectorAdmissionSkip: {}
- # - key: xxxxx.xxxxx/xxx
- # operator: NotIn
- # values:
- # - xxxx
+ObjectSelectorAdmissionSkip:
+ # matchLabels:
+ # app: xxx
+ # matchExpressions:
+ # - key: xxxxx.xxxxx/xxx
+ # operator: NotIn
+ # values:
+ # - xxxx
 clusterPolicy:
 allowedRepositories:
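Review bot: With `matchExpressions:` dropped, the entire selector body now comes from `toYaml ... | indent 6` under `objectSelector:`, so the children are rendered at a fixed column regardless of where their parent sits, and the `{{ if }}`/`{{ end }}` lines are left behind as blank lines in the rendered manifest; valid YAML, but noisy in `helm template` output. Prefer `{{- toYaml .Values.ObjectSelectorAdmissionSkip | nindent 4 }}` with `{{- if ... }}` / `{{- end }}` on the control lines so the block lands flush under `objectSelector:` — the exact indent of that key is not recoverable from this collapsed hunk, so adjust the count to match it. The file still ends without a trailing newline (`\ No newline at end of file`), which this patch could fix since it already touches the last lines.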
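Review bot: The new `matchLabels: app: xxx` example is the dangerous form of this setting: an admission webhook `objectSelector` decides which objects the webhook is invoked for at all, so a positive `matchLabels` restricts Portieris to objects carrying that label and silently exempts everything else — the inverse of "skip". Only negative expressions (`NotIn`, `DoesNotExist`) on a label that ordinary users cannot set give skip semantics, and the template passes whatever is configured straight through, so nothing enforces that. Replace the `matchLabels` example with a warning such as `# Use only negative selectors (NotIn / DoesNotExist): a positive matchLabels or In selector exempts every object that does NOT match.` and keep the `matchExpressions` / `NotIn` example as the sole illustration.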