feat: add disableAudit helm option #3270

Merged
merged 3 commits into from
Feb 22, 2024
4 changes: 1 addition & 3 deletions cmd/build/helmify/main.go
Expand Up @@ -129,10 +129,8 @@ func (ks *kindSet) Write() error {
}

if name == "gatekeeper-audit" && kind == DeploymentKind {
obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.audit.priorityClassName }}\n priorityClassName: {{ .Values.audit.priorityClassName }}\n {{- end }}", 1)
}

if name == "gatekeeper-audit" && kind == DeploymentKind {
obj = strings.Replace(obj, " - emptyDir: {}", " {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
}
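Review bot: the `disableAudit` gate in the `gatekeeper-audit` block applies only when `kind == DeploymentKind`, so any other object the chart renders specifically for audit would still be emitted with the flag set. Please confirm whether such objects exist in the generated chart and gate them the same way, or state in the README that only the Deployment is removed. Separately, the wrapper line `obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"` runs before the `strings.Replace` calls on the same `obj`; that works because both replacements target text inside the manifest, but a one-line comment saying the wrap must stay outermost would guard against a later edit breaking the template nesting.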

11 changes: 6 additions & 5 deletions cmd/build/helmify/static/README.md
Expand Up @@ -120,7 +120,7 @@ information._
| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| psp.enabled | Enabled PodSecurityPolicy | `false` |
| psp.enabled | Enabled PodSecurityPolicy | `false` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
| upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` |
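Review bot: the `psp.enabled` row appears twice in this hunk with no visible difference in its text, which reads as a whitespace or table-alignment edit unrelated to `disableAudit`. Consider reverting it or moving table realignment into its own commit so the diff for this feature carries only the new option.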
Expand All @@ -134,8 +134,9 @@ information._
| auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| disableAudit | Disable audit controller | `false` |
| disableMutation | Disable mutation | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
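Review bot: the new `disableAudit` row says only "Disable audit controller", which undersells what the flag does; per the `main.go` change it removes the whole `gatekeeper-audit` Deployment from the rendered chart. Suggest wording along the lines of "Do not deploy the audit controller; existing resources are no longer periodically evaluated against constraints", and noting that the `audit*` options listed just above (`auditFromCache`, `auditChunkSize`, `auditMatchKindOnly`) have no effect when it is set. Since `validatingWebhookFailurePolicy` defaults to `Ignore` in this same table, it is also worth telling operators that with audit disabled nothing reports resources admitted while the webhook was unreachable.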
Expand All @@ -147,10 +148,10 @@ information._
| validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
| enableExternalData | Enable external data | `true` |
| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opentelemetry` starting from Gatekeeper 3.15 | `["prometheus"]` |
| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opentelemetry` starting from Gatekeeper 3.15 | `["prometheus"]` |
| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
Expand Down Expand Up @@ -218,7 +219,7 @@ information._
| rbac.create | Enable the creation of RBAC resources | `true` |
| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
| externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |
| externaldataProviderResponseCacheTTL | TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. | `3m` |

## Contributing Changes

1 change: 1 addition & 0 deletions cmd/build/helmify/static/values.yaml
Expand Up @@ -5,6 +5,7 @@ metricsBackends: ["prometheus"]
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
disableAudit: false
disableMutation: false
disableValidatingWebhook: false
validatingWebhookName: gatekeeper-validating-webhook-configuration