From e63a583aeaf1b23904cf71a458e5b13ff1e72209 Mon Sep 17 00:00:00 2001
From: Dor Bareket <42929459+DorB-P@users.noreply.github.com>
Date: Thu, 22 Feb 2024 04:53:11 +0200
Subject: [PATCH] feat: add disableAudit helm option (#3270)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: zapdor2000@gmail.com
Co-authored-by: Max Smythe
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
---
 cmd/build/helmify/main.go | 4 +---
 cmd/build/helmify/static/README.md | 11 ++++++-----
 cmd/build/helmify/static/values.yaml | 1 +
 manifest_staging/charts/gatekeeper/README.md | 11 ++++++-----
 .../templates/gatekeeper-audit-deployment.yaml | 2 ++
 manifest_staging/charts/gatekeeper/values.yaml | 1 +
 6 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index 45cb7649184..ea81d4772da 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -129,10 +129,8 @@ func (ks *kindSet) Write() error {
 }
 if name == "gatekeeper-audit" && kind == DeploymentKind {
+ obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
 obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.audit.priorityClassName }}\n priorityClassName: {{ .Values.audit.priorityClassName }}\n {{- end }}", 1)
- }
-
- if name == "gatekeeper-audit" && kind == DeploymentKind {
 obj = strings.Replace(obj, " - emptyDir: {}", " {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
 }
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index 50c62f5f2d7..cd83920eb71 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
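Review bot: The new wrapper line `obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"` gates only the gatekeeper-audit Deployment, so the `audit.priorityClassName` and `audit.writeToRAMDisk` substitutions that follow it become silent no-ops when `disableAudit` is true, and nothing in the generated chart tells the operator that. A comment above the wrapper would make the intent explicit: `// Gate the whole audit Deployment on .Values.disableAudit; the audit.* substitutions below only take effect when it is false.` Since the audit controller is, as far as I can tell, the component that reports violations on resources that were admitted before a constraint existed, the README row `Disable audit controller` would serve operators better as `Disable the audit controller; already-admitted resources are no longer checked for violations and the audit.* settings are ignored`. Write() starts and ends outside the hunk, and the same gating already appears in the generated manifest_staging template, so no separate change is needed there.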
@@ -120,7 +120,7 @@ information._
 | preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
 | preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
 | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
-| psp.enabled | Enabled PodSecurityPolicy | `false` |
+| psp.enabled | Enabled PodSecurityPolicy | `false` |
 | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
 | upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
 | upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` |
@@ -134,8 +134,9 @@ information._
 | auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
 | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
 | auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
-| disableValidatingWebhook | Disable the validating webhook | `false` |
+| disableAudit | Disable audit controller | `false` |
 | disableMutation | Disable mutation | `false` |
+| disableValidatingWebhook | Disable the validating webhook | `false` |
 | validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
 | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
 | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
@@ -147,10 +148,10 @@ information._
 | validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
 | enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
 | enableExternalData | Enable external data | `true` |
-| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
+| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
 | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
 | maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
-| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opentelemetry` starting from Gatekeeper 3.15 | `["prometheus"]` |
+| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opentelemetry` starting from Gatekeeper 3.15 | `["prometheus"]` |
 | mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
 | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
 | mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
@@ -218,7 +219,7 @@ information._
 | rbac.create | Enable the creation of RBAC resources | `true` |
 | externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
 | externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
-| externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |
+| externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |
 ## Contributing Changes
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index eaf5a739649..9859f336772 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -5,6 +5,7 @@ metricsBackends: ["prometheus"]
 auditMatchKindOnly: false
 constraintViolationsLimit: 20
 auditFromCache: false
+disableAudit: false
 disableMutation: false
 disableValidatingWebhook: false
 validatingWebhookName: gatekeeper-validating-webhook-configuration
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index 50c62f5f2d7..cd83920eb71 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -120,7 +120,7 @@ information._
 | preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
 | preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
 | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
-| psp.enabled | Enabled PodSecurityPolicy | `false` |
+| psp.enabled | Enabled PodSecurityPolicy | `false` |
 | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
 | upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
 | upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` |
@@ -134,8 +134,9 @@ information._
 | auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
 | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
 | auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
-| disableValidatingWebhook | Disable the validating webhook | `false` |
+| disableAudit | Disable audit controller | `false` |
 | disableMutation | Disable mutation | `false` |
+| disableValidatingWebhook | Disable the validating webhook | `false` |
 | validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
 | validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
 | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
@@ -147,10 +148,10 @@ information._
 | validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
 | enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
 | enableExternalData | Enable external data | `true` |
-| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
+| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
 | enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
 | maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
-| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opentelemetry` starting from Gatekeeper 3.15 | `["prometheus"]` |
+| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opentelemetry` starting from Gatekeeper 3.15 | `["prometheus"]` |
 | mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
 | mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
 | mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
@@ -218,7 +219,7 @@ information._
 | rbac.create | Enable the creation of RBAC resources | `true` |
 | externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
 | externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
-| externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |
+| externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |
 ## Contributing Changes
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
index c71fa7b8743..77da1a4531a 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.disableAudit }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -167,3 +168,4 @@ spec:
 - emptyDir: {}
 {{- end }}
 name: tmp-volume
+{{- end }}
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index eaf5a739649..9859f336772 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -5,6 +5,7 @@ metricsBackends: ["prometheus"]
 auditMatchKindOnly: false
 constraintViolationsLimit: 20
 auditFromCache: false
+disableAudit: false
 disableMutation: false
 disableValidatingWebhook: false
 validatingWebhookName: gatekeeper-validating-webhook-configuration