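{{- if not .Values.disableValidatingWebhook }}
# Gatekeeper's ValidatingWebhookConfiguration. Two webhooks are registered:
#   1. validation.gatekeeper.sh         - matching admission requests are sent to /v1/admit
#   2. check-ignore-label.gatekeeper.sh - namespace CREATE/UPDATE is sent to /v1/admitlabel
# The whole resource is skipped when .Values.disableValidatingWebhook is set.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  # Rendered as a mapping on the following lines; an empty value renders as "{}".
  annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}
  labels:
    app: '{{ template "gatekeeper.name" . }}'
    chart: '{{ template "gatekeeper.name" . }}'
    gatekeeper.sh/system: "yes"
    heritage: '{{ .Release.Service }}'
    release: '{{ .Release.Name }}'
  name: '{{ .Values.validatingWebhookName }}'
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    {{- if .Values.validatingWebhookURL }}
    # An external endpoint takes precedence over the in-cluster service below.
    url: https://{{ .Values.validatingWebhookURL }}/v1/admit
    {{- else }}
    service:
      name: gatekeeper-webhook-service
      namespace: '{{ .Release.Namespace }}'
      path: /v1/admit
    {{- end }}
  # "Fail" rejects requests when the webhook cannot be reached; "Ignore" fails open
  # and lets them through unvalidated.
  failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
  # matchConditions are only emitted on Kubernetes 1.28 and newer.
  # NOTE(review): .Capabilities.KubeVersion.Minor may carry a "+" suffix on some
  # managed distributions; confirm that "int" still yields the intended comparison there.
  {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
  matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}
  {{- end }}
  matchPolicy: Exact
  name: validation.gatekeeper.sh
  namespaceSelector:
    matchExpressions:
    # Namespaces carrying the admission.gatekeeper.sh/ignore label bypass this webhook;
    # the second webhook below covers changes to that label.
    - key: admission.gatekeeper.sh/ignore
      operator: DoesNotExist
    # Never validate the release namespace itself, or Gatekeeper could block its own
    # components.
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      # Quoted: namespace names such as "no" or "on" are valid DNS labels but would
      # otherwise be re-typed as booleans by the YAML parser.
      - '{{ .Release.Namespace }}'
    # Extra exemptions from values: each label key maps to a list of excluded values.
    {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels }}
    - key: '{{ $key }}'
      operator: NotIn
      values:
      {{- range $value }}
      # Quoted for the same reason as above: label values like "true" or "1.10"
      # must reach the API server as strings.
      - '{{ . }}'
      {{- end }}
    {{- end }}
  objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector | nindent 4 }}
  rules:
  {{- if .Values.validatingWebhookCustomRules }}
  # Custom rules replace the default rule set entirely.
  {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }}
  {{- else }}
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    {{- if .Values.enableDeleteOperations }}
    - DELETE
    {{- end }}
    resources:
    - '*'
    # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper).
    # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("'
    - 'pods/ephemeralcontainers'
    - 'pods/exec'
    - 'pods/log'
    - 'pods/eviction'
    - 'pods/portforward'
    - 'pods/proxy'
    - 'pods/attach'
    - 'pods/binding'
    - 'deployments/scale'
    - 'replicasets/scale'
    - 'statefulsets/scale'
    - 'replicationcontrollers/scale'
    - 'services/proxy'
    - 'nodes/proxy'
    # For constraints that mitigate CVE-2020-8554
    - 'services/status'
  {{- end }}
  sideEffects: None
  # Per-call deadline in seconds; the API server accepts 1-30.
  timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
# Second webhook: every namespace CREATE/UPDATE outside the release namespace is sent
# to /v1/admitlabel. Given its name, this presumably polices who may set the
# admission.gatekeeper.sh/ignore exemption label; confirm against the webhook handler.
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      name: gatekeeper-webhook-service
      namespace: '{{ .Release.Namespace }}'
      path: /v1/admitlabel
  # Configured separately from the main webhook's policy.
  failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}
  matchPolicy: Exact
  name: check-ignore-label.gatekeeper.sh
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - '{{ .Release.Namespace }}'
  rules:
  - apiGroups:
    # The core API group, where Namespace lives.
    - ""
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - namespaces
  sideEffects: None
  timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
{{- end }}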