Merge branch 'master' into helmcurl

cmd/build/helmify/main.go

@@ -142,11 +142,15 @@ func (ks *kindSet) Write() error {
 			}
 
 			if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
-				obj = strings.Replace(obj, "apiVersion: policy/v1beta1", "{{- if .Capabilities.APIVersions.Has \"policy/v1\" }}\napiVersion: policy/v1\n{{ else }}\napiVersion: policy/v1beta1\n{{ end -}}", 1)
+				obj = strings.Replace(obj, "apiVersion: policy/v1beta1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
 			}
 
 			if name == "gatekeeper-admin" && kind == "PodSecurityPolicy" {
-				obj = "{{- if .Values.psp.enabled }}\n" + obj + "{{- end }}\n"
+				obj = "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n" + obj + "{{- end }}\n"
+			}
+
+			if name == "gatekeeper-manager-role" && kind == "ClusterRole" {
+				obj = strings.Replace(obj, "- apiGroups:\n  - policy\n  resourceNames:\n  - gatekeeper-admin\n  resources:\n  - podsecuritypolicies\n  verbs:\n  - use\n", "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n- apiGroups:\n  - policy\n  resourceNames:\n  - gatekeeper-admin\n  resources:\n  - podsecuritypolicies\n  verbs:\n  - use\n{{- end }}\n", 1)
 			}
 
 			if err := os.WriteFile(destFile, []byte(obj), 0o600); err != nil {

manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.psp.enabled }}
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml

@@ -1,8 +1,6 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1" }}
-apiVersion: policy/v1
-{{ else }}
-apiVersion: policy/v1beta1
-{{ end -}}
+{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
+apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}
 kind: PodDisruptionBudget
 metadata:
   labels:

manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml

@@ -99,6 +99,7 @@ rules:
   - patch
   - update
   - watch
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 - apiGroups:
   - policy
   resourceNames:
@@ -107,6 +108,7 @@ rules:
   - podsecuritypolicies
   verbs:
   - use
+{{- end }}
 - apiGroups:
   - status.gatekeeper.sh
   resources:

website/docs/mutation.md

@@ -25,6 +25,7 @@ metadata:
 spec:
   match:
     scope: Namespaced
+    name: nginx-*
     kinds:
     - apiGroups: ["*"]
       kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object.  If defined, it matches against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 
 Note that any empty/undefined match criteria are inclusive: they match any object.
 

website/versioned_docs/version-v3.7.x/mutation.md

@@ -25,6 +25,7 @@ metadata:
 spec:
   match:
     scope: Namespaced
+    name: nginx-*
     kinds:
     - apiGroups: ["*"]
       kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object.  If defined, it matches against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 
 Note that any empty/undefined match criteria are inclusive: they match any object.
 

website/versioned_docs/version-v3.8.x/mutation.md

@@ -25,6 +25,7 @@ metadata:
 spec:
   match:
     scope: Namespaced
+    name: nginx-*
     kinds:
     - apiGroups: ["*"]
       kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object.  If defined, it matches against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 
 Note that any empty/undefined match criteria are inclusive: they match any object.
 

website/versioned_docs/version-v3.9.x/mutation.md

@@ -25,6 +25,7 @@ metadata:
 spec:
   match:
     scope: Namespaced
+    name: nginx-*
     kinds:
     - apiGroups: ["*"]
       kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object.  If defined, it matches against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 
 Note that any empty/undefined match criteria are inclusive: they match any object.