diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml index 668e9855b..17f3e8dc3 100644 --- a/deploy/dashboard.yaml +++ b/deploy/dashboard.yaml @@ -1,5 +1,5 @@ --- -# Source: polaris/templates/namespace.yaml +# Source: polaris/templates/0-namespace.yaml apiVersion: v1 kind: Namespace metadata: @@ -59,47 +59,53 @@ data: - AUDIT_WRITE --- -# Source: polaris/templates/serviceaccount.yaml +# Source: polaris/templates/dashboard.rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: polaris + name: polaris-dashboard namespace: polaris labels: app: polaris - --- -# Source: polaris/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: polaris + name: polaris-dashboard labels: app: polaris rules: - apiGroups: - - '' - - 'apps' - - 'admissionregistration.k8s.io' + - 'apps' + - 'extensions' resources: - - '*' + - 'deployments' verbs: - - '*' + - 'get' + - 'list' + - apiGroups: + - '' + resources: + - 'nodes' + - 'namespaces' + - 'pods' + verbs: + - 'get' + - 'list' --- -# Source: polaris/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: polaris + name: polaris-dashboard labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: polaris + name: polaris-dashboard subjects: - kind: ServiceAccount - name: polaris + name: polaris-dashboard namespace: polaris --- # Source: polaris/templates/dashboard.service.yaml @@ -122,7 +128,7 @@ spec: type: ClusterIP --- # Source: polaris/templates/dashboard.deployment.yaml -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: annotations: @@ -152,7 +158,7 @@ spec: - command: - polaris - --dashboard - image: 'quay.io/reactiveops/polaris:master' + image: 'quay.io/reactiveops/polaris:0.1.0' imagePullPolicy: 'Always' name: dashboard ports: 
@@ -162,12 +168,12 @@ spec: path: /health port: 8080 initialDelaySeconds: 5 - periodSeconds: 5 + periodSeconds: 20 readinessProbe: httpGet: path: /health port: 8080 - initialDelaySeconds: 15 + initialDelaySeconds: 5 periodSeconds: 20 resources: limits: @@ -177,6 +183,7 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true @@ -188,12 +195,15 @@ spec: mountPath: /opt/app/config.yaml subPath: config.yaml readOnly: true - serviceAccountName: polaris + serviceAccountName: polaris-dashboard --- -# Source: polaris/templates/secret.yaml +# Source: polaris/templates/webhook.deployment.yaml --- -# Source: polaris/templates/webhook.deployment.yaml +# Source: polaris/templates/webhook.rbac.yaml + +--- +# Source: polaris/templates/webhook.secret.yaml --- # Source: polaris/templates/webhook.service.yaml diff --git a/deploy/helm/polaris/templates/namespace.yaml b/deploy/helm/polaris/templates/0-namespace.yaml similarity index 100% rename from deploy/helm/polaris/templates/namespace.yaml rename to deploy/helm/polaris/templates/0-namespace.yaml diff --git a/deploy/helm/polaris/templates/clusterrole.yaml b/deploy/helm/polaris/templates/clusterrole.yaml deleted file mode 100644 index 644d92002..000000000 --- a/deploy/helm/polaris/templates/clusterrole.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: {{ include "polaris.fullname" . }} - labels: - {{- include "polaris.labels" . | nindent 4 }} -rules: - - apiGroups: - - '' - - 'apps' - - 'admissionregistration.k8s.io' - resources: - - '*' - verbs: - - '*' -{{- end -}} diff --git a/deploy/helm/polaris/templates/clusterrolebinding.yaml b/deploy/helm/polaris/templates/clusterrolebinding.yaml deleted file mode 100644 index b4c5b8d8d..000000000 --- a/deploy/helm/polaris/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: {{ include "polaris.fullname" . }} - labels: - {{- include "polaris.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "polaris.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ include "polaris.fullname" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/deploy/helm/polaris/templates/dashboard.deployment.yaml b/deploy/helm/polaris/templates/dashboard.deployment.yaml index 52f8986c2..d977296f3 100644 --- a/deploy/helm/polaris/templates/dashboard.deployment.yaml +++ b/deploy/helm/polaris/templates/dashboard.deployment.yaml @@ -1,5 +1,5 @@ {{- if .Values.dashboard.enable -}} -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: annotations: @@ -39,12 +39,12 @@ spec: path: /health port: 8080 initialDelaySeconds: 5 - periodSeconds: 5 + periodSeconds: 20 readinessProbe: httpGet: path: /health port: 8080 - initialDelaySeconds: 15 + initialDelaySeconds: 5 periodSeconds: 20 resources: limits: @@ -54,6 +54,7 @@ spec: cpu: 100m memory: 128Mi securityContext: + allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true @@ -65,5 +66,5 @@ spec: mountPath: /opt/app/config.yaml subPath: config.yaml readOnly: true - serviceAccountName: {{ include "polaris.fullname" . }} + serviceAccountName: {{ include "polaris.fullname" . }}-dashboard {{- end -}} diff --git a/deploy/helm/polaris/templates/dashboard.rbac.yaml b/deploy/helm/polaris/templates/dashboard.rbac.yaml new file mode 100644 index 000000000..ea951db49 --- /dev/null +++ b/deploy/helm/polaris/templates/dashboard.rbac.yaml 
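Review bot: Switching the Deployment to `apps/v1` makes `spec.selector` mandatory, whereas `extensions/v1beta1` defaulted it from the pod template labels; the selector block is outside this hunk, so confirm the template already renders `spec.selector.matchLabels` with the same keys as the pod template labels, otherwise the rendered manifest is rejected on apply. The same check applies to the identical `apps/v1` change in webhook.deployment.yaml. The Deployment body continues past the hunk.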
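Review bot: `serviceAccountName: {{ include "polaris.fullname" . }}-dashboard` is rendered unconditionally, but the ServiceAccount it names is now created only under `if and .Values.dashboard.enable .Values.rbac.create` in dashboard.rbac.yaml, whereas the deleted serviceaccount.yaml had no condition. With `rbac.create=false` the ReplicaSet's pods are rejected by the ServiceAccount admission controller because the account does not exist. Keep the ServiceAccount outside the `rbac.create` gate (only the ClusterRole and ClusterRoleBinding need it), and apply the same split to the `-webhook` account in webhook.rbac.yaml referenced from webhook.deployment.yaml.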
@@ -0,0 +1,49 @@ +{{- if and .Values.dashboard.enable .Values.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + namespace: {{ .Release.Namespace }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + - apiGroups: + - 'apps' + - 'extensions' + resources: + - 'deployments' + verbs: + - 'get' + - 'list' + - apiGroups: + - '' + resources: + - 'nodes' + - 'namespaces' + - 'pods' + verbs: + - 'get' + - 'list' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }}-dashboard +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }}-dashboard + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/deploy/helm/polaris/templates/dashboard.service.yaml b/deploy/helm/polaris/templates/dashboard.service.yaml index 2d675e356..3f88346bd 100644 --- a/deploy/helm/polaris/templates/dashboard.service.yaml +++ b/deploy/helm/polaris/templates/dashboard.service.yaml @@ -1,4 +1,4 @@ -{{- if .Values.dashboard.service -}} +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} apiVersion: v1 kind: Service metadata: diff --git a/deploy/helm/polaris/templates/serviceaccount.yaml b/deploy/helm/polaris/templates/serviceaccount.yaml deleted file mode 100644 index 44fa21367..000000000 --- a/deploy/helm/polaris/templates/serviceaccount.yaml +++ /dev/null 
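Review bot: The new ClusterRole and ClusterRoleBinding use `rbac.authorization.k8s.io/v1beta1`; `rbac.authorization.k8s.io/v1` has been available since Kubernetes 1.8 and the beta version is deprecated and later removed, so a file created in this commit should use `apiVersion: rbac.authorization.k8s.io/v1` for both objects. webhook.rbac.yaml has the same occurrences on its four RBAC objects, and the rendered deploy/dashboard.yaml and deploy/webhook.yaml inherit them. The narrowed rule set (get/list on deployments, nodes, namespaces and pods) is a clear improvement over the previous `'*'` resources with `'*'` verbs.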
@@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "polaris.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} diff --git a/deploy/helm/polaris/templates/webhook.deployment.yaml b/deploy/helm/polaris/templates/webhook.deployment.yaml index 861bd0e39..5c734ddfa 100644 --- a/deploy/helm/polaris/templates/webhook.deployment.yaml +++ b/deploy/helm/polaris/templates/webhook.deployment.yaml @@ -1,5 +1,5 @@ {{- if .Values.webhook.enable -}} -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: annotations: 
@@ -21,62 +21,68 @@ spec: {{- include "polaris.selectors" . | nindent 8 }} component: webhook spec: - volumes: - - name: config - configMap: - name: {{ include "polaris.fullname" . }} - - name: secret - secret: - secretName: {{ include "polaris.fullname" . }} containers: - - command: - - polaris - - --webhook - image: '{{.Values.webhook.image.repository}}:{{.Values.webhook.image.tag}}' - imagePullPolicy: '{{.Values.webhook.image.pullPolicy}}' - name: webhook - ports: - - containerPort: 9876 - # These are fairly useless readiness/liveness probes for now - # Follow this issue for potential improvements: - # https://github.com/kubernetes-sigs/controller-runtime/issues/356 - livenessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: + - name: webhook + command: + - polaris + - --webhook + image: '{{.Values.webhook.image.repository}}:{{.Values.webhook.image.tag}}' + imagePullPolicy: '{{.Values.webhook.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + 
runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }}-webhook + volumes: - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true + configMap: + name: {{ include "polaris.fullname" . }} - name: secret - mountPath: /tmp/cert/ - readOnly: true - serviceAccountName: {{ include "polaris.fullname" . }} + secret: + secretName: polaris-webhook + - name: cr-logs + emptyDir: {} {{- end -}} diff --git a/deploy/helm/polaris/templates/webhook.rbac.yaml b/deploy/helm/polaris/templates/webhook.rbac.yaml new file mode 100644 index 000000000..9ba07a2ac --- /dev/null +++ b/deploy/helm/polaris/templates/webhook.rbac.yaml 
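Review bot: `secretName: polaris-webhook` is the only name in this template that bypasses `polaris.fullname`, and nothing says why; the same fixed name appears in webhook.secret.yaml and webhook.service.yaml, and main.go starts the webhook server with `polarisResourceName := "polaris-webhook"`, so the three must stay in agreement. A comment would stop the next maintainer from "fixing" it back to the helper: `# fixed name: must match polarisResourceName in main.go, which is not release-name aware`. Two releases of the chart in one namespace would then share this Secret and Service, which is worth stating in the chart docs. The cert Secret being mounted read-only at `/opt/cert/` does line up with the new `CertDir: "/opt/cert"` in main.go.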
@@ -0,0 +1,88 @@ +{{- if and .Values.webhook.enable .Values.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }}-webhook + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + - apiGroups: + - 'apps' + - 'extensions' + resources: + - 'deployments' + verbs: + - 'get' + - 'list' + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'secrets' + - 'services' + verbs: + - 'get' + - 'list' + - 'watch' + - apiGroups: + - 'admissionregistration.k8s.io' + resources: + - 'validatingwebhookconfigurations' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-webhook + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }}-webhook +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-webhook + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required for current controller-runtime bootstrap method + - apiGroups: + - '' + resources: + - 'secrets' + - 'services' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-webhook + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . 
}}-webhook +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/deploy/helm/polaris/templates/secret.yaml b/deploy/helm/polaris/templates/webhook.secret.yaml similarity index 79% rename from deploy/helm/polaris/templates/secret.yaml rename to deploy/helm/polaris/templates/webhook.secret.yaml index 3333080ee..71f28ecbc 100644 --- a/deploy/helm/polaris/templates/secret.yaml +++ b/deploy/helm/polaris/templates/webhook.secret.yaml @@ -2,10 +2,11 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "polaris.fullname" . }} + name: polaris-webhook namespace: {{ .Release.Namespace }} labels: {{- include "polaris.labels" . | nindent 4 }} type: Opaque -data: +stringData: + cert.pem: '' {{- end -}} diff --git a/deploy/helm/polaris/templates/webhook.service.yaml b/deploy/helm/polaris/templates/webhook.service.yaml index 4bf3fa5ba..b7049a09a 100644 --- a/deploy/helm/polaris/templates/webhook.service.yaml +++ b/deploy/helm/polaris/templates/webhook.service.yaml @@ -2,18 +2,18 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "polaris.fullname" . }}-dashboard + name: polaris-webhook namespace: {{ .Release.Namespace }} labels: {{- include "polaris.labels" . | nindent 4 }} spec: ports: - - name: dashboard - port: 80 + - name: webhook + port: 443 protocol: TCP - targetPort: 8080 + targetPort: 9876 selector: {{- include "polaris.selectors" . | nindent 4 }} - component: dashboard + component: webhook type: ClusterIP {{- end -}} diff --git a/deploy/helm/polaris/values.yaml b/deploy/helm/polaris/values.yaml index b2882aa0b..ec5ddb7fb 100644 --- a/deploy/helm/polaris/values.yaml +++ b/deploy/helm/polaris/values.yaml @@ -50,7 +50,7 @@ dashboard: type: ClusterIP image: repository: quay.io/reactiveops/polaris - tag: master + tag: 0.1.0 pullPolicy: Always webhook: 
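Review bot: The ClusterRole grants `get`/`list`/`watch` on `secrets` in every namespace, which is the most sensitive permission in this chart; the comment says controller-runtime needs the cluster-wide lookup, so at minimum surface it in the chart README/values so operators know the webhook's ServiceAccount can read all cluster Secrets, and reference the upstream issue being tracked if there is one. The namespaced Role and the `validatingwebhookconfigurations` rule both use `verbs: ['*']`; enumerating the verbs the bootstrap actually performs (presumably get/create/update on its own Secret and Service and on its ValidatingWebhookConfiguration — confirm against controller-runtime) would avoid handing out delete and deletecollection that nothing uses. Both rule sets are duplicated in the rendered deploy/webhook.yaml.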
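Review bot: The Secret now ships `cert.pem: ''` as a Helm-managed value; if the webhook bootstrap writes the generated certificate back into this Secret at runtime (main.go's `BootstrapOptions` suggests so, but its Secret field is outside the hunk), every `helm upgrade` re-applies this template and resets `cert.pem` to an empty string, which may invalidate the TLS material the running webhook depends on. If that is the flow, create the placeholder only once (for example as a `helm.sh/hook: pre-install` resource) or at least add `# placeholder only: the webhook server overwrites this key at startup` so the behaviour is documented.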
@@ -58,7 +58,7 @@ webhook: replicas: 1 image: repository: quay.io/reactiveops/polaris - tag: master + tag: 0.1.0 pullPolicy: Always rbac: diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml index b227e00d9..8ccd4696f 100644 --- a/deploy/webhook.yaml +++ b/deploy/webhook.yaml @@ -1,20 +1,21 @@ --- -# Source: polaris/templates/namespace.yaml +# Source: polaris/templates/0-namespace.yaml apiVersion: v1 kind: Namespace metadata: name: polaris --- -# Source: polaris/templates/secret.yaml +# Source: polaris/templates/webhook.secret.yaml apiVersion: v1 kind: Secret metadata: - name: polaris + name: polaris-webhook namespace: polaris labels: app: polaris type: Opaque -data: +stringData: + cert.pem: '' --- # Source: polaris/templates/configmap.yaml apiVersion: v1 
@@ -70,89 +71,115 @@ data: - AUDIT_WRITE --- -# Source: polaris/templates/serviceaccount.yaml +# Source: polaris/templates/webhook.rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: polaris + name: polaris-webhook namespace: polaris labels: app: polaris - --- -# Source: polaris/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: - name: polaris + name: polaris-webhook labels: app: polaris rules: - apiGroups: - - '' - - 'apps' - - 'admissionregistration.k8s.io' + - 'apps' + - 'extensions' resources: - - '*' + - 'deployments' + verbs: + - 'get' + - 'list' + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'secrets' + - 'services' + verbs: + - 'get' + - 'list' + - 'watch' + - apiGroups: + - 'admissionregistration.k8s.io' + resources: + - 'validatingwebhookconfigurations' verbs: - '*' --- -# Source: polaris/templates/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: polaris + name: polaris-webhook labels: app: polaris roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: polaris + name: polaris-webhook subjects: - kind: ServiceAccount - name: polaris + name: polaris-webhook namespace: polaris --- -# Source: polaris/templates/dashboard.service.yaml -apiVersion: v1 -kind: Service +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role metadata: - name: polaris-dashboard - namespace: polaris + name: polaris-webhook labels: app: polaris -spec: - ports: - - name: dashboard - port: 80 - protocol: TCP - targetPort: 8080 - selector: +rules: + # required for current controller-runtime bootstrap method + - apiGroups: + - '' + resources: + - 'secrets' + - 'services' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: polaris-webhook + labels: app: polaris - component: dashboard - type: 
ClusterIP +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: polaris-webhook +subjects: + - kind: ServiceAccount + name: polaris-webhook + namespace: polaris --- # Source: polaris/templates/webhook.service.yaml apiVersion: v1 kind: Service metadata: - name: polaris-dashboard + name: polaris-webhook namespace: polaris labels: app: polaris spec: ports: - - name: dashboard - port: 80 + - name: webhook + port: 443 protocol: TCP - targetPort: 8080 + targetPort: 9876 selector: app: polaris - component: dashboard + component: webhook type: ClusterIP --- # Source: polaris/templates/webhook.deployment.yaml -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: annotations: 
@@ -174,64 +201,76 @@ spec: app: polaris component: webhook spec: - volumes: - - name: config - configMap: - name: polaris - - name: secret - secret: - secretName: polaris containers: - - command: - - polaris - - --webhook - image: 'quay.io/reactiveops/polaris:master' - imagePullPolicy: 'Always' - name: webhook - ports: - - containerPort: 9876 - # These are fairly useless readiness/liveness probes for now - # Follow this issue for potential improvements: - # https://github.com/kubernetes-sigs/controller-runtime/issues/356 - livenessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: + - name: webhook + command: + - polaris + - --webhook + image: 'quay.io/reactiveops/polaris:0.1.0' + imagePullPolicy: 'Always' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + - name: secret + mountPath: /opt/cert/ + readOnly: true + - 
name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: polaris-webhook + volumes: - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true + configMap: + name: polaris - name: secret - mountPath: /tmp/cert/ - readOnly: true - serviceAccountName: polaris + secret: + secretName: polaris-webhook + - name: cr-logs + emptyDir: {} --- # Source: polaris/templates/dashboard.deployment.yaml +--- +# Source: polaris/templates/dashboard.rbac.yaml + +--- +# Source: polaris/templates/dashboard.service.yaml + diff --git a/examples/failing-deployment.yaml b/examples/failing-deployment.yaml new file mode 100644 index 000000000..c27d14167 --- /dev/null +++ b/examples/failing-deployment.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: polaris-failing-deployment + labels: + app: polaris-failing-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: polaris-failing-deployment + template: + metadata: + labels: + app: polaris-failing-deployment + spec: + containers: + - name: this-will-fail + image: 'alpine' + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do sleep 30; done;" ] + securityContext: + privileged: true + allowPrivilegeEscalation: true + readOnlyRootFilesystem: false + runAsNonRoot: false + capabilities: + add: + - ALL diff --git a/main.go b/main.go index 276adace8..07a8a28e5 100644 --- a/main.go +++ b/main.go @@ -33,6 +33,7 @@ import ( "github.com/sirupsen/logrus" "gopkg.in/yaml.v2" appsv1 "k8s.io/api/apps/v1" + extensionsv1beta1 "k8s.io/api/extensions/v1beta1" apitypes "k8s.io/apimachinery/pkg/types" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" "sigs.k8s.io/controller-runtime/pkg/client/config" 
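Review bot: examples/failing-deployment.yaml has no header comment saying it is meant to be rejected, so someone browsing examples/ could take the `privileged: true`, `add: [ALL]` container as a starting point. Add a top-of-file comment such as `# Intentionally violates the Polaris security checks; use it only to exercise the dashboard/webhook on a test cluster.` so the file's purpose is clear without reading the whole spec.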
@@ -131,7 +132,8 @@ func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool os.Exit(1) } - polarisResourceName := "polaris" + polarisAppName := "polaris" + polarisResourceName := "polaris-webhook" polarisNamespaceBytes, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace") if err != nil { @@ -148,7 +150,7 @@ func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool logrus.Info("Setting up webhook server") as, err := webhook.NewServer(polarisResourceName, mgr, webhook.ServerOptions{ Port: int32(port), - CertDir: "/tmp/cert", + CertDir: "/opt/cert", DisableWebhookConfigInstaller: &disableWebhookConfigInstaller, BootstrapOptions: &webhook.BootstrapOptions{ ValidatingWebhookConfigName: polarisResourceName, @@ -163,7 +165,8 @@ func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool // Selectors should select the pods that runs this webhook server. Selectors: map[string]string{ - "app": polarisResourceName, + "app": polarisAppName, + "component": "webhook", }, }, }, @@ -176,9 +179,10 @@ func startWebhookServer(c conf.Configuration, disableWebhookConfigInstaller bool logrus.Infof("Polaris webhook server listening on port %d", port) - d := fwebhook.NewWebhook("deploy", mgr, fwebhook.Validator{Config: c}, &appsv1.Deployment{}) + d1 := fwebhook.NewWebhook("deployments", mgr, fwebhook.Validator{Config: c}, &appsv1.Deployment{}) + d2 := fwebhook.NewWebhook("deployments-ext", mgr, fwebhook.Validator{Config: c}, &extensionsv1beta1.Deployment{}) logrus.Debug("Registering webhooks to the webhook server") - if err = as.Register(d); err != nil { + if err = as.Register(d1, d2); err != nil { logrus.Debugf("Unable to register webhooks in the admission server: %v", err) os.Exit(1) }
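Review bot: `polarisResourceName := "polaris-webhook"` and the `"app": polarisAppName, "component": "webhook"` selector in the third hunk are now contracts with the chart: the Secret and Service in deploy/helm/polaris/templates/webhook.secret.yaml and webhook.service.yaml are hard-coded to `polaris-webhook` rather than `polaris.fullname`, and the selector must match the pod labels the chart renders (`app: polaris`, `component: webhook`). Neither hunk says so; add `// must match the fixed Secret/Service names and pod labels in deploy/helm/polaris/templates/webhook.*.yaml` above the two assignments, or better, take the names from flags or environment so the chart can pass them in. The enclosing function startWebhookServer and the ServerOptions literal extend beyond the hunk boundaries.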
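Review bot: Registering validators only for `apps/v1` and `extensions/v1beta1` Deployments leaves the other Deployment versions still served on clusters before 1.16 (`apps/v1beta1`, `apps/v1beta2`) outside the ValidatingWebhookConfiguration's rules, so a Deployment submitted through one of those versions is never validated — assuming `fwebhook.NewWebhook` derives the rule's apiVersions from the object type it is given, which is not visible here. Either register those types the same way (import `k8s.io/api/apps/v1beta1` and `k8s.io/api/apps/v1beta2` next to the new extensionsv1beta1 import and add `d3`/`d4` to `as.Register(d1, d2, d3, d4)`), or confirm the generated rule covers `apiVersions: ['*']`. The `logrus.Debugf` on the failed `Register` is pre-existing context, but a failure that ends in `os.Exit(1)` should be logged at error level so it is visible at the default log level.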