Install webhooks in main operator deployment
The original reason for splitting the webhook out from the main deployment (b432ee4) was that the cert-manager deployment was unreliable. The problem was fixed (ec596ff) but the webhook remained separate so that installing cert-manager would be optional. This change brings the webhook back into the main deployment. Cert-manager is now required. The functionality provided by the webhook - profile bindings and profile recordings - is core to the operator and should not be optional. Since this operator is still in an alpha state, relying on a third-party tool should be an acceptable tradeoff for providing the full breadth of functionality with a consistent, minimal deployment experience. We can reevaluate how to manage webhook certs further down the road as this operator gains more user adoption.
1 parent
30bd1ef
commit 301267a
Showing
26 changed files
with
2,020 additions
and
549 deletions.
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -0,0 +1,242 @@ | ||
|
||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.5.0 | ||
creationTimestamp: null | ||
name: seccompprofiles.security-profiles-operator.x-k8s.io | ||
spec: | ||
group: security-profiles-operator.x-k8s.io | ||
names: | ||
kind: SeccompProfile | ||
listKind: SeccompProfileList | ||
plural: seccompprofiles | ||
shortNames: | ||
- sp | ||
singular: seccompprofile | ||
scope: Namespaced | ||
versions: | ||
- additionalPrinterColumns: | ||
- jsonPath: .status.status | ||
name: Status | ||
type: string | ||
- jsonPath: .metadata.creationTimestamp | ||
name: Age | ||
type: date | ||
- jsonPath: .status.localhostProfile | ||
name: LocalhostProfile | ||
priority: 10 | ||
type: string | ||
name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
description: SeccompProfile is a cluster level specification for a seccomp | ||
profile. See https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#seccomp | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: SeccompProfileSpec defines the desired state of SeccompProfile. | ||
properties: | ||
architectures: | ||
description: the architecture used for system calls | ||
items: | ||
enum: | ||
- SCMP_ARCH_NATIVE | ||
- SCMP_ARCH_X86 | ||
- SCMP_ARCH_X86_64 | ||
- SCMP_ARCH_X32 | ||
- SCMP_ARCH_ARM | ||
- SCMP_ARCH_AARCH64 | ||
- SCMP_ARCH_MIPS | ||
- SCMP_ARCH_MIPS64 | ||
- SCMP_ARCH_MIPS64N32 | ||
- SCMP_ARCH_MIPSEL | ||
- SCMP_ARCH_MIPSEL64 | ||
- SCMP_ARCH_MIPSEL64N32 | ||
- SCMP_ARCH_PPC | ||
- SCMP_ARCH_PPC64 | ||
- SCMP_ARCH_PPC64LE | ||
- SCMP_ARCH_S390 | ||
- SCMP_ARCH_S390X | ||
- SCMP_ARCH_PARISC | ||
- SCMP_ARCH_PARISC64 | ||
- SCMP_ARCH_RISCV64 | ||
type: string | ||
type: array | ||
baseProfileName: | ||
description: name of base profile (in the same namespace) what will | ||
be unioned into this profile | ||
type: string | ||
defaultAction: | ||
description: the default action for seccomp | ||
enum: | ||
- SCMP_ACT_KILL | ||
- SCMP_ACT_KILL_PROCESS | ||
- SCMP_ACT_KILL_THREAD | ||
- SCMP_ACT_TRAP | ||
- SCMP_ACT_ERRNO | ||
- SCMP_ACT_TRACE | ||
- SCMP_ACT_ALLOW | ||
- SCMP_ACT_LOG | ||
type: string | ||
flags: | ||
description: list of flags to use with seccomp(2) | ||
items: | ||
enum: | ||
- SECCOMP_FILTER_FLAG_TSYNC | ||
- SECCOMP_FILTER_FLAG_LOG | ||
- SECCOMP_FILTER_FLAG_SPEC_ALLOW | ||
type: string | ||
type: array | ||
syscalls: | ||
description: match a syscall in seccomp. While this property is OPTIONAL, | ||
some values of defaultAction are not useful without syscalls entries. | ||
For example, if defaultAction is SCMP_ACT_KILL and syscalls is empty | ||
or unset, the kernel will kill the container process on its first | ||
syscall | ||
items: | ||
description: Syscall defines a syscall in seccomp. | ||
properties: | ||
action: | ||
description: the action for seccomp rules | ||
enum: | ||
- SCMP_ACT_KILL | ||
- SCMP_ACT_KILL_PROCESS | ||
- SCMP_ACT_KILL_THREAD | ||
- SCMP_ACT_TRAP | ||
- SCMP_ACT_ERRNO | ||
- SCMP_ACT_TRACE | ||
- SCMP_ACT_ALLOW | ||
- SCMP_ACT_LOG | ||
type: string | ||
args: | ||
description: the specific syscall in seccomp | ||
items: | ||
description: Arg defines the specific syscall in seccomp. | ||
properties: | ||
index: | ||
description: the index for syscall arguments in seccomp | ||
minimum: 0 | ||
type: integer | ||
op: | ||
description: the operator for syscall arguments in seccomp | ||
enum: | ||
- SCMP_CMP_NE | ||
- SCMP_CMP_LT | ||
- SCMP_CMP_LE | ||
- SCMP_CMP_EQ | ||
- SCMP_CMP_GE | ||
- SCMP_CMP_GT | ||
- SCMP_CMP_MASKED_EQ | ||
type: string | ||
value: | ||
description: the value for syscall arguments in seccomp | ||
format: int64 | ||
minimum: 0 | ||
type: integer | ||
valueTwo: | ||
description: the value for syscall arguments in seccomp | ||
format: int64 | ||
minimum: 0 | ||
type: integer | ||
required: | ||
- index | ||
- op | ||
type: object | ||
maxItems: 6 | ||
type: array | ||
errnoRet: | ||
description: the errno return code to use. Some actions like | ||
SCMP_ACT_ERRNO and SCMP_ACT_TRACE allow to specify the errno | ||
code to return | ||
type: string | ||
names: | ||
description: the names of the syscalls | ||
items: | ||
type: string | ||
type: array | ||
required: | ||
- action | ||
- names | ||
type: object | ||
type: array | ||
required: | ||
- defaultAction | ||
type: object | ||
status: | ||
description: SeccompProfileStatus contains status of the deployed SeccompProfile. | ||
properties: | ||
activeWorkloads: | ||
items: | ||
type: string | ||
type: array | ||
conditions: | ||
description: Conditions of the resource. | ||
items: | ||
description: A Condition that may apply to a resource. | ||
properties: | ||
lastTransitionTime: | ||
description: LastTransitionTime is the last time this condition | ||
transitioned from one status to another. | ||
format: date-time | ||
type: string | ||
message: | ||
description: A Message containing details about this condition's | ||
last transition from one status to another, if any. | ||
type: string | ||
reason: | ||
description: A Reason for this condition's last transition from | ||
one status to another. | ||
type: string | ||
status: | ||
description: Status of this condition; is it currently True, | ||
False, or Unknown? | ||
type: string | ||
type: | ||
description: Type of this condition. At most one of each condition | ||
type may apply to a resource at any point in time. | ||
type: string | ||
required: | ||
- lastTransitionTime | ||
- reason | ||
- status | ||
- type | ||
type: object | ||
type: array | ||
localhostProfile: | ||
description: The path that should be provided to the `securityContext.seccompProfile.localhostProfile` | ||
field of a Pod or container spec | ||
type: string | ||
path: | ||
type: string | ||
status: | ||
description: ProfileState defines the state that the profile is in. | ||
A profile in this context refers to a SeccompProfile or a SELinux | ||
profile, the states are shared between them as well as the management | ||
API. | ||
type: string | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} | ||
status: | ||
acceptedNames: | ||
kind: "" | ||
plural: "" | ||
conditions: [] | ||
storedVersions: [] |
@@ -0,0 +1,68 @@ | ||
|
||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.5.0 | ||
creationTimestamp: null | ||
name: securityprofilenodestatuses.security-profiles-operator.x-k8s.io | ||
spec: | ||
group: security-profiles-operator.x-k8s.io | ||
names: | ||
kind: SecurityProfileNodeStatus | ||
listKind: SecurityProfileNodeStatusList | ||
plural: securityprofilenodestatuses | ||
shortNames: | ||
- spns | ||
singular: securityprofilenodestatus | ||
scope: Namespaced | ||
versions: | ||
- additionalPrinterColumns: | ||
- jsonPath: .status | ||
name: Status | ||
type: string | ||
- jsonPath: .metadata.creationTimestamp | ||
name: Age | ||
type: date | ||
- jsonPath: .nodeName | ||
name: Node | ||
priority: 10 | ||
type: string | ||
name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
description: SecurityProfileNodeStatus is a per-node status of a security | ||
profile | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
nodeName: | ||
type: string | ||
status: | ||
description: ProfileState defines the state that the profile is in. A | ||
profile in this context refers to a SeccompProfile or a SELinux profile, | ||
the states are shared between them as well as the management API. | ||
type: string | ||
required: | ||
- nodeName | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: {} | ||
status: | ||
acceptedNames: | ||
kind: "" | ||
plural: "" | ||
conditions: [] | ||
storedVersions: [] |