diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index eabd76dd642..0bb8157b825 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -142,11 +142,15 @@ func (ks *kindSet) Write() error {
 }
 if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
- obj = strings.Replace(obj, "apiVersion: policy/v1beta1", "{{- if .Capabilities.APIVersions.Has \"policy/v1\" }}\napiVersion: policy/v1\n{{ else }}\napiVersion: policy/v1beta1\n{{ end -}}", 1)
+ obj = strings.Replace(obj, "apiVersion: policy/v1beta1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
 }
 if name == "gatekeeper-admin" && kind == "PodSecurityPolicy" {
- obj = "{{- if .Values.psp.enabled }}\n" + obj + "{{- end }}\n"
+ obj = "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n" + obj + "{{- end }}\n"
+ }
+
+ if name == "gatekeeper-manager-role" && kind == "ClusterRole" {
+ obj = strings.Replace(obj, "- apiGroups:\n - policy\n resourceNames:\n - gatekeeper-admin\n resources:\n - podsecuritypolicies\n verbs:\n - use\n", "{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has \"policy/v1beta1/PodSecurityPolicy\") }}\n- apiGroups:\n - policy\n resourceNames:\n - gatekeeper-admin\n resources:\n - podsecuritypolicies\n verbs:\n - use\n{{- end }}\n", 1)
 }
 if err := os.WriteFile(destFile, []byte(obj), 0o600); err != nil {
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml
index eee2ac964d5..398b1460077 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml
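Review bot: The new `strings.Replace` in the `gatekeeper-manager-role` ClusterRole branch silently leaves the manifest untouched when its multi-line needle (the exact `- apiGroups:` … `- use` block) stops matching the generator's output, so a small formatting drift would render the PSP `use` rule unconditionally while the PSP object itself stays gated, and `Write` would still return nil. A guard such as `if !strings.Contains(obj, pspRule) { return fmt.Errorf("%s/%s: PSP rule not found in generated manifest", kind, name) }` before the call (with the needle hoisted into a `pspRule` constant) turns that drift into a build failure; the same applies to the PDB replacement above it. Separately, the new `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` condition depends on discovery data that, unless I'm mistaken, `helm template` only populates beyond Helm's built-in defaults when `--api-versions` is passed, so a comment like `// PSP and its ClusterRole rule are dropped at render time when the target (or a helm template run) does not advertise policy/v1beta1, even with psp.enabled=true` next to the PSP branch would spare users a surprise. `Write` starts and ends outside this hunk.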
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.psp.enabled }}
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
index 4bece56bf53..424f6a67c44 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
@@ -1,8 +1,6 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1" }}
-apiVersion: policy/v1
-{{ else }}
-apiVersion: policy/v1beta1
-{{ end -}}
+{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
+apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}
 kind: PodDisruptionBudget
 metadata:
 labels:
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
index 2ccd9f0671e..8b32f96014b 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml
@@ -99,6 +99,7 @@ rules:
 - patch
 - update
 - watch
+{{- if and .Values.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 - apiGroups:
 - policy
 resourceNames:
@@ -107,6 +108,7 @@ rules:
 - podsecuritypolicies
 verbs:
 - use
+{{- end }}
 - apiGroups:
 - status.gatekeeper.sh
 resources:
diff --git a/website/docs/mutation.md b/website/docs/mutation.md
index de12418378c..51ae0a6671f 100644
--- a/website/docs/mutation.md
+++ b/website/docs/mutation.md
@@ -25,6 +25,7 @@ metadata:
 spec:
 match:
 scope: Namespaced
+ name: nginx-*
 kinds:
 - apiGroups: ["*"]
 kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object. If defined, it matches against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 Note that any empty/undefined match criteria are inclusive: they match any object.
diff --git a/website/versioned_docs/version-v3.7.x/mutation.md b/website/versioned_docs/version-v3.7.x/mutation.md
index da71544bbc7..bd5cfb1cd35 100644
--- a/website/versioned_docs/version-v3.7.x/mutation.md
+++ b/website/versioned_docs/version-v3.7.x/mutation.md
@@ -25,6 +25,7 @@ metadata:
 spec:
 match:
 scope: Namespaced
+ name: nginx-*
 kinds:
 - apiGroups: ["*"]
 kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object. If defined, it matches against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 Note that any empty/undefined match criteria are inclusive: they match any object.
diff --git a/website/versioned_docs/version-v3.8.x/mutation.md b/website/versioned_docs/version-v3.8.x/mutation.md
index de12418378c..51ae0a6671f 100644
--- a/website/versioned_docs/version-v3.8.x/mutation.md
+++ b/website/versioned_docs/version-v3.8.x/mutation.md
@@ -25,6 +25,7 @@ metadata:
 spec:
 match:
 scope: Namespaced
+ name: nginx-*
 kinds:
 - apiGroups: ["*"]
 kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object. If defined, it matches against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 Note that any empty/undefined match criteria are inclusive: they match any object.
diff --git a/website/versioned_docs/version-v3.9.x/mutation.md b/website/versioned_docs/version-v3.9.x/mutation.md
index de12418378c..51ae0a6671f 100644
--- a/website/versioned_docs/version-v3.9.x/mutation.md
+++ b/website/versioned_docs/version-v3.9.x/mutation.md
@@ -25,6 +25,7 @@ metadata:
 spec:
 match:
 scope: Namespaced
+ name: nginx-*
 kinds:
 - apiGroups: ["*"]
 kinds: ["Pod"]
@@ -73,6 +74,7 @@ The `match` section is common to all mutators. It supports the following match c
 - namespaces - list of allowed namespaces, only resources in listed namespaces will be mutated
 - namespaceSelector - filters resources by namespace selector
 - excludedNamespaces - list of excluded namespaces, resources in listed namespaces will not be mutated
+- name - the name of an object. If defined, it matches against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` matches both `pod-a` and `pod-b`.
 Note that any empty/undefined match criteria are inclusive: they match any object.