Skip to content

Commit

Permalink
feat(helm): matchConditions added in Validating & MutatingWebhookConf…
Browse files Browse the repository at this point in the history 
…iguration (#3343)

Signed-off-by: leewoobin789 <leewoobin789@gmail.com>
  • Loading branch information
@leewoobin789
leewoobin789 committed Apr 2, 2024
1 parent 71b7dca commit a2e5e29
Show file tree
Hide file tree
Showing 9 changed files with 26 additions and 2 deletions.
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -255,6 +255,7 @@ webhooks:
objectSelector: HELMSUBST_MUTATING_WEBHOOK_OBJECT_SELECTOR
sideEffects: None
timeoutSeconds: HELMSUBST_MUTATING_WEBHOOK_TIMEOUT
matchConditions: HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
Expand All @@ -281,6 +282,7 @@ webhooks:
failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY
rules:
- HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES
matchConditions: HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS
- clientConfig:
service:
name: gatekeeper-webhook-service
Expand Down
8 changes: 6 additions & 2 deletions cmd/build/helmify/main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,12 +108,16 @@ func (ks *kindSet) Write() error {
fileName := fmt.Sprintf("%s-%s.yaml", strings.ToLower(name), strings.ToLower(kind))

if name == "validation.gatekeeper.sh" {
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + end + "\n"
matchConditions := " matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}"
replace := fmt.Sprintf(" {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n {{- end }}", matchConditions)
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + strings.Replace(obj, matchConditions, replace, 1) + end + "\n"
fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

if name == "mutation.gatekeeper.sh" {
obj = "{{- if not .Values.disableMutation }}\n" + obj + end + "\n"
matchConditions := " matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}"
replace := fmt.Sprintf(" {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n {{- end }}", matchConditions)
obj = "{{- if not .Values.disableMutation }}\n" + strings.Replace(obj, matchConditions, replace, 1) + end + "\n"
fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

Expand Down
4 changes: 4 additions & 0 deletions cmd/build/helmify/replacements.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,8 @@ var replacements = map[string]string{
path: /v1/mutate
{{- end }}`,

"HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}`,

"HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`,

"HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.validatingWebhookFailurePolicy }}`,
Expand Down Expand Up @@ -217,6 +219,8 @@ var replacements = map[string]string{
- 'services/status'
{{- end }}`,

"HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}`,

"HELMSUBST_PDB_CONTROLLER_MANAGER_MINAVAILABLE": `{{ .Values.pdb.controllerManager.minAvailable }}`,

`HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""`: `{{- if .Values.image.release }}
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ information._
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
Expand All @@ -158,6 +159,7 @@ information._
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookMatchConditions: []
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
validatingWebhookURL: null
Expand All @@ -28,6 +29,7 @@ mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookMatchConditions: []
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutatingWebhookURL: null
Expand Down
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,7 @@ information._
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
Expand All @@ -158,6 +159,7 @@ information._
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
Expand Down
3 changes: 3 additions & 0 deletions ...per/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ webhooks:
path: /v1/mutate
{{- end }}
failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
{{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}
{{- end }}
matchPolicy: Exact
name: mutation.gatekeeper.sh
namespaceSelector:
Expand Down
3 changes: 3 additions & 0 deletions ...templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ webhooks:
path: /v1/admit
{{- end }}
failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
{{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}
{{- end }}
matchPolicy: Exact
name: validation.gatekeeper.sh
namespaceSelector:
Expand Down
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookMatchConditions: []
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
validatingWebhookURL: null
Expand All @@ -28,6 +29,7 @@ mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookMatchConditions: []
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutatingWebhookURL: null
Expand Down

0 comments on commit a2e5e29

Please sign in to comment.