diff --git a/Makefile b/Makefile index 6cb375ad572..15f582e5e4a 100644 --- a/Makefile +++ b/Makefile @@ -22,7 +22,7 @@ LOG_LEVEL ?= "INFO" GENERATE_VAP ?= false GENERATE_VAPBINDING ?= false -VERSION := v3.18.0-beta.0 +VERSION := v3.18.0-rc.0 KIND_VERSION ?= 0.17.0 KIND_CLUSTER_FILE ?= test/bats/tests/kindcluster.yml diff --git a/charts/gatekeeper/Chart.yaml b/charts/gatekeeper/Chart.yaml index e42cec2b576..359e57063ef 100644 --- a/charts/gatekeeper/Chart.yaml +++ b/charts/gatekeeper/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.18.0-beta.0 +version: 3.18.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.18.0-beta.0 +appVersion: v3.18.0-rc.0 diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md index 7313421e175..1c24e123c0c 100644 --- a/charts/gatekeeper/README.md +++ b/charts/gatekeeper/README.md @@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | 
@@ -97,7 +97,7 @@ information._ | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | 
@@ -107,10 +107,10 @@ information._ | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -132,7 +132,7 @@ information._ | auditInterval | The frequency with which audit is run | `60` | | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | | auditFromCache | Take the roster of resources to audit from the audit cache | `false` | -| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditChunkSize | (alpha) Chunk size for listing cluster resources for audit | `500` | | auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | | disableAudit | Disable audit controller | `false` | | disableMutation | Disable mutation | `false` | 
@@ -164,18 +164,21 @@ information._ | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | -| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | -| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` | -| defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` | -| defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. 
(alpha feature) | `false` | +| emitAdmissionEvents | (alpha) Emit K8s events in configurable namespace for admission violations | `false` | +| emitAuditEvents | (alpha) Emit K8s events in configurable namespace for audit violations | `false` | +| logStatsAdmission | (alpha) Log stats for admission webhook | `false` | +| logStatsAudit | (alpha) Log stats metrics for the audit run | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL | `true` | +| defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` | +| defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` | +| defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. 
Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.18.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.18.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | @@ -216,6 +219,9 @@ information._ | audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | | audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | | audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` | +| audit.enablePubsub | (alpha) Enabled pubsub to publish messages | `false` | +| audit.connection | (alpha) Connection name for publishing audit violation messages | `audit-connection` | +| audit.channel | (alpha) Channel name for publishing audit violation messages | `audit-channel` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | | podLabels | The labels to add to the Gatekeeper pods | `{}` | diff --git a/charts/gatekeeper/crds/config-customresourcedefinition.yaml b/charts/gatekeeper/crds/config-customresourcedefinition.yaml index 11a5d922789..8a5afdeb640 100644 --- a/charts/gatekeeper/crds/config-customresourcedefinition.yaml 
+++ b/charts/gatekeeper/crds/config-customresourcedefinition.yaml @@ -112,7 +112,41 @@ spec: type: object status: description: ConfigStatus defines the observed state of Config. + properties: + byPod: + items: + properties: + configUID: + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. + type: string + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array type: object type: object served: true storage: true + subresources: + status: {} diff --git a/charts/gatekeeper/crds/configpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/configpodstatus-customresourcedefinition.yaml new file mode 100644 index 00000000000..f351b718375 --- /dev/null +++ b/charts/gatekeeper/crds/configpodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,72 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + gatekeeper.sh/system: "yes" + name: configpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConfigPodStatus + listKind: ConfigPodStatusList + plural: configpodstatuses + singular: configpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + status: + properties: + configUID: + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. + type: string + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true 
diff --git a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml index 85942c0dbcc..9caedd58716 100644 --- a/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml @@ -50,6 +50,24 @@ spec: type: string enforced: type: boolean + enforcementPointsStatus: + items: + description: EnforcementPointStatus represents the status of a single enforcement point. + properties: + enforcementPoint: + type: string + message: + type: string + observedGeneration: + format: int64 + type: integer + state: + type: string + required: + - enforcementPoint + - state + type: object + type: array errors: items: description: Error represents a single error caught while adding a constraint to engine. diff --git a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml index 2d4bd1c8bf2..09b0b9c64e8 100644 --- a/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml +++ b/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml @@ -73,6 +73,17 @@ spec: don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. type: string + vapGenerationStatus: + description: VAPGenerationStatus represents the status of VAP generation. + properties: + observedGeneration: + format: int64 + type: integer + state: + type: string + warning: + type: string + type: object type: object type: object served: true diff --git a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 03e2d6b97e5..c88c5b40124 100644 --- a/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml 
+++ b/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: + {{- include "gatekeeper.commonLabels" . | nindent 4 }} app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: audit-controller @@ -62,15 +63,21 @@ spec: - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --audit-from-cache={{ .Values.auditFromCache }} - - --audit-chunk-size={{ .Values.auditChunkSize }} + {{ if hasKey .Values "auditChunkSize" }}- --audit-chunk-size={{ .Values.auditChunkSize }}{{- end }} - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} - - --emit-audit-events={{ .Values.emitAuditEvents }} + {{ if hasKey .Values "emitAuditEvents" }}- --emit-audit-events={{ .Values.emitAuditEvents }}{{- end }} + {{ if hasKey .Values "logStatsAudit" }}- --log-stats-audit={{ .Values.logStatsAudit }}{{- end }} - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} - --operation=audit - --operation=status - {{ if .Values.audit.enablePubsub}} + - --operation=generate + {{ if hasKey .Values.audit "enablePubsub" }} - --enable-pub-sub={{ .Values.audit.enablePubsub }} + {{- end }} + {{ if hasKey .Values.audit "connection" }} - --audit-connection={{ .Values.audit.connection }} + {{- end }} + {{ if hasKey .Values.audit "channel" }} - --audit-channel={{ .Values.audit.channel }} {{- end }} {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} @@ -98,6 +105,9 @@ spec: {{- if hasKey .Values "defaultCreateVAPBindingForConstraints"}} - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }} {{- end }} + {{ if hasKey .Values "defaultWaitForVAPBGeneration"}} + - --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }} + {{- end }} command: - /manager env: 
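Review bot: The per-key `hasKey` guards now emit `--audit-connection` and `--audit-channel` whenever `audit.connection` / `audit.channel` are set, whereas the replaced `{{ if .Values.audit.enablePubsub}}` wrapper emitted all three flags only when pubsub was enabled, so a values file that sets all three with `enablePubsub: false` renders different args after this change. That is only harmless if the manager ignores connection/channel when `--enable-pub-sub` is false, which is not visible here; `- --operation=generate` is likewise added unconditionally, independent of the VAP-related values gated further down. A short comment above the block would make the contract explicit, e.g. `# connection/channel are forwarded whenever set; presumably only used when --enable-pub-sub=true (confirm against the manager flags)`. The container's args list continues outside the hunk.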
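Review bot: `{{ if hasKey .Values "defaultWaitForVAPBGeneration"}}` opens without the left-trim dash that the sibling block directly above it (`{{- if hasKey .Values "defaultCreateVAPBindingForConstraints"}}`) uses, so the rendered args list picks up an indentation-only line whether or not the key is set. It is still valid YAML, but the two adjacent blocks now render differently for no reason; `{{- if hasKey .Values "defaultWaitForVAPBGeneration" }}` keeps the output consistent with its neighbours. The args list continues outside the hunk.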
diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 4f2927c1cb5..a815d3f86ec 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -3,6 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: + {{- include "gatekeeper.commonLabels" . | nindent 4 }} app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' control-plane: controller-manager @@ -63,7 +64,8 @@ spec: - --prometheus-port={{ .Values.controllerManager.metricsPort }} - --logtostderr - --log-denies={{ .Values.logDenies }} - - --emit-admission-events={{ .Values.emitAdmissionEvents }} + {{ if hasKey .Values "emitAdmissionEvents" }}- --emit-admission-events={{ .Values.emitAdmissionEvents }}{{- end }} + {{ if hasKey .Values "logStatsAdmission" }}- --log-stats-admission={{ .Values.logStatsAdmission }}{{- end }} - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} - --exempt-namespace={{ .Release.Namespace }} diff --git a/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml index 609270a92de..140c55f8895 100644 --- a/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml +++ b/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml 
@@ -1,6 +1,6 @@ --- -{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} +{{ $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{ $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }} kind: PodDisruptionBudget metadata: diff --git a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index a6306b3a285..591d36dc566 100644 --- a/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml @@ -63,6 +63,18 @@ rules: - patch - update - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - config.gatekeeper.sh resources: diff --git a/charts/gatekeeper/values.yaml b/charts/gatekeeper/values.yaml index ea81c083063..6ec1b5637f0 100644 --- a/charts/gatekeeper/values.yaml +++ b/charts/gatekeeper/values.yaml @@ -39,8 +39,6 @@ auditChunkSize: 500 logLevel: INFO logDenies: false logMutations: false -emitAdmissionEvents: false -emitAuditEvents: false admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true @@ -49,14 +47,14 @@ enableK8sNativeValidation: true image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.18.0-beta.0 + release: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 postUpgrade: labelNamespace: serviceAccount: 
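Review bot: The added rule grants create/delete/patch/update/watch on `resources: ['*']` in `config.gatekeeper.sh`, which covers every current and future resource and subresource in that group and overlaps the existing, narrower `config.gatekeeper.sh` rule that immediately follows it (cut off by the hunk). If the motive is the `status` subresource this commit enables on the Config CRD, naming the resources keeps the grant least-privilege and makes the intent reviewable: `resources:` / `- configs` / `- configs/status`. The same wildcard rule appears in the `deploy/gatekeeper.yaml` hunk at `@@ -4720,6 +4855,18 @@`; both manifests look generated from the same RBAC source (presumably a kubebuilder marker), so the narrowing belongs there rather than in these files.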
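Review bot: Dropping `emitAdmissionEvents: false` and `emitAuditEvents: false` from values.yaml means `helm show values` no longer surfaces these knobs, while the README table updated in this same commit still lists `false` as their default; that default is now the manager's rather than the chart's, which is worth stating so the two do not drift silently. A commented placeholder keeps the option discoverable without triggering the new `hasKey` guard, e.g. `# emitAdmissionEvents: false  # unset so the manager's own default applies; set explicitly to pass the flag`. The same applies to the `audit.enablePubsub`/`connection`/`channel` removal in the `@@ -222,16 +220,13 @@` hunk.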
@@ -65,7 +63,7 @@ postUpgrade: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -99,7 +97,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -143,7 +141,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" @@ -222,16 +220,13 @@ controllerManager: extraRules: [] networkPolicy: enabled: false - ingress: { } + ingress: [] # - from: # - ipBlock: # cidr: 0.0.0.0/0 audit: serviceAccount: name: gatekeeper-admin - enablePubsub: false - connection: audit-connection - channel: audit-channel hostNetwork: false dnsPolicy: ClusterFirst metricsPort: 8888 diff --git a/cmd/build/helmify/static/Chart.yaml b/cmd/build/helmify/static/Chart.yaml index e42cec2b576..359e57063ef 100644 --- a/cmd/build/helmify/static/Chart.yaml +++ b/cmd/build/helmify/static/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.18.0-beta.0 +version: 3.18.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.18.0-beta.0 +appVersion: v3.18.0-rc.0 diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 5a7e03cdc9e..1c24e123c0c 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | @@ -97,7 +97,7 @@ information._ | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | 
@@ -107,10 +107,10 @@ information._ | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -178,7 +178,7 @@ information._ | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.18.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.18.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 7d81f8a7534..6ec1b5637f0 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -47,14 +47,14 @@ enableK8sNativeValidation: true image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.18.0-beta.0 + release: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 postUpgrade: labelNamespace: serviceAccount: @@ -63,7 +63,7 @@ postUpgrade: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -97,7 +97,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -141,7 +141,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" 
diff --git a/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml b/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml new file mode 100644 index 00000000000..07e9ee1019f --- /dev/null +++ b/config/crd/bases/gvkmanifest.gatekeeper.sh_gvkmanifests.yaml @@ -0,0 +1,52 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: gvkmanifests.gvkmanifest.gatekeeper.sh +spec: + group: gvkmanifest.gatekeeper.sh + names: + kind: GVKManifest + listKind: GVKManifestList + plural: gvkmanifests + singular: gvkmanifest + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GVKManifest is the Schema for the GVKManifest API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + groups: + additionalProperties: + additionalProperties: + items: + type: string + type: array + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 1835e9d2b2a..8bffb9b693e 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml 
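Review bot: The new `gvkmanifests.gvkmanifest.gatekeeper.sh` CRD carries only the controller-gen annotation and lacks the `gatekeeper.sh/system: "yes"` label that the other CRD added in this commit (`configpodstatuses.status.gatekeeper.sh`) sets under `metadata.labels`. It is also the only CRD in the diff added solely under `config/crd/bases`, with no counterpart in `charts/gatekeeper/crds` or `deploy/gatekeeper.yaml`; that may be intentional if the resource is not yet shipped, but is worth confirming. Since the file is controller-gen output, the label would come from the kubebuilder marker on the Go type rather than an edit here.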
@@ -56,7 +56,7 @@ spec: - "--operation=webhook" - "--operation=mutation-webhook" - "--disable-opa-builtin={http.send}" - image: openpolicyagent/gatekeeper:v3.18.0-beta.0 + image: openpolicyagent/gatekeeper:v3.18.0-rc.0 imagePullPolicy: Always name: manager ports: @@ -150,7 +150,7 @@ spec: - --disable-cert-rotation command: - /manager - image: openpolicyagent/gatekeeper:v3.18.0-beta.0 + image: openpolicyagent/gatekeeper:v3.18.0-rc.0 env: # used by Gatekeeper - name: POD_NAMESPACE diff --git a/deploy/gatekeeper.yaml b/deploy/gatekeeper.yaml index fe375e4eb43..b7e988df552 100644 --- a/deploy/gatekeeper.yaml +++ b/deploy/gatekeeper.yaml 
@@ -2387,6 +2387,78 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + labels: + gatekeeper.sh/system: "yes" + name: configpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConfigPodStatus + listKind: ConfigPodStatusList + plural: configpodstatuses + singular: configpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + status: + properties: + configUID: + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. 
+ type: string + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 @@ -2498,10 +2570,44 @@ spec: type: object status: description: ConfigStatus defines the observed state of Config. + properties: + byPod: + items: + properties: + configUID: + description: |- + UID is a type that holds unique ID values, including UUIDs. Because we + don't ONLY use UUIDs, this is an alias to string. Being a type captures + intent and helps make sure that UIDs and names do not get conflated. + type: string + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array type: object type: object served: true storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2554,6 +2660,24 @@ spec: type: string enforced: type: boolean + enforcementPointsStatus: + items: + description: EnforcementPointStatus represents the status of a single enforcement point. + properties: + enforcementPoint: + type: string + message: + type: string + observedGeneration: + format: int64 + type: integer + state: + type: string + required: + - enforcementPoint + - state + type: object + type: array errors: items: description: Error represents a single error caught while adding a constraint to engine. 
@@ -2657,6 +2781,17 @@ spec: don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. type: string + vapGenerationStatus: + description: VAPGenerationStatus represents the status of VAP generation. + properties: + observedGeneration: + format: int64 + type: integer + state: + type: string + warning: + type: string + type: object type: object type: object served: true @@ -4720,6 +4855,18 @@ rules: - patch - update - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - config.gatekeeper.sh resources: @@ -4961,7 +5108,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.18.0-beta.0 + image: openpolicyagent/gatekeeper:v3.18.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -5080,7 +5227,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.18.0-beta.0 + image: openpolicyagent/gatekeeper:v3.18.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: diff --git a/manifest_staging/charts/gatekeeper/Chart.yaml b/manifest_staging/charts/gatekeeper/Chart.yaml index e42cec2b576..359e57063ef 100644 --- a/manifest_staging/charts/gatekeeper/Chart.yaml +++ b/manifest_staging/charts/gatekeeper/Chart.yaml @@ -4,8 +4,8 @@ name: gatekeeper icon: https://open-policy-agent.github.io/gatekeeper/website/img/logo.svg keywords: - open policy agent -version: 3.18.0-beta.0 +version: 3.18.0-rc.0 home: https://github.com/open-policy-agent/gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git -appVersion: v3.18.0-beta.0 +appVersion: v3.18.0-rc.0 
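Review bot: In the `@@ -4720` hunk the added rule for `config.gatekeeper.sh` grants `'*'` resources with create/delete/get/list/patch/update/watch, which is strictly broader than the existing, narrower `config.gatekeeper.sh` rule that follows it as context and makes that rule dead. If the purpose is to let the controller write the `status` subresource the Config CRD gains in this commit, the rule can name `- configs` and `- configs/status` instead of the wildcard, so a resource added to the group later does not silently inherit full write access. The manifest appears generated (the CRDs carry `controller-gen.kubebuilder.io/version`), so the narrowing probably belongs on the RBAC marker that emits this rule rather than in this file. The `rules:` list and its owning Role or ClusterRole begin outside the hunk, so I cannot tell which binding this widens.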
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 5a7e03cdc9e..1c24e123c0c 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -74,7 +74,7 @@ information._ | postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | | postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | | postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | @@ -97,7 +97,7 @@ information._ | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | | postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | | postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | 
@@ -107,10 +107,10 @@ information._ | postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | | preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.18.0-beta.0` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.18.0-rc.0` | | preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | | preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | 
@@ -178,7 +178,7 @@ information._ | logLevel | Minimum log level | `INFO` | | image.pullPolicy | The image pull policy | `IfNotPresent` | | image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.18.0-beta.0` | +| image.release | The image release tag to use | Current release version: `v3.18.0-rc.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 7d81f8a7534..6ec1b5637f0 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -47,14 +47,14 @@ enableK8sNativeValidation: true image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds - release: v3.18.0-beta.0 + release: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: crdRepository: image: repository: null - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 postUpgrade: labelNamespace: serviceAccount: @@ -63,7 +63,7 @@ postUpgrade: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -97,7 +97,7 @@ postInstall: extraRules: [] image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] @@ -141,7 +141,7 @@ preUninstall: enabled: false image: repository: openpolicyagent/gatekeeper-crds - tag: v3.18.0-beta.0 + tag: v3.18.0-rc.0 pullPolicy: IfNotPresent pullSecrets: [] priorityClassName: "" 
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index b98798f1955..b7e988df552 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -5108,7 +5108,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.18.0-beta.0 + image: openpolicyagent/gatekeeper:v3.18.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: @@ -5227,7 +5227,7 @@ spec: value: manager - name: OTEL_RESOURCE_ATTRIBUTES value: k8s.pod.name=$(POD_NAME),k8s.namespace.name=$(NAMESPACE),k8s.container.name=$(CONTAINER_NAME) - image: openpolicyagent/gatekeeper:v3.18.0-beta.0 + image: openpolicyagent/gatekeeper:v3.18.0-rc.0 imagePullPolicy: Always livenessProbe: httpGet: