diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index a760cc2895f..53fa00ac508 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -104,10 +104,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | | controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `Default` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | -| audit.dnsPolicy | Set the dnsPolicy for audit pods | `Default` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | | audit.healthPort | Health port for audit | `9090` | | audit.metricsPort | Metrics port for audit | `8888` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index eac2fe0e92c..81fdfe575d4 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -41,7 +41,7 @@ controllerManager: exemptNamespaces: [] exemptNamespacePrefixes: [] hostNetwork: false - dnsPolicy: Default + dnsPolicy: ClusterFirst port: 8443 metricsPort: 8888 healthPort: 9090 @@ -69,7 +69,7 @@ controllerManager: memory: 256Mi audit: hostNetwork: false - dnsPolicy: Default + dnsPolicy: ClusterFirst metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical 
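Review bot: The new `dnsPolicy: ClusterFirst` default sits directly under `hostNetwork: false` in both the `controllerManager` and `audit` blocks of `cmd/build/helmify/static/values.yaml`, and nothing tells an operator that the two keys interact. In Kubernetes, a pod with `hostNetwork: true` and `dnsPolicy: ClusterFirst` falls back to the `Default` policy, so enabling only `hostNetwork` would quietly return the webhook and audit pods to the node's resolver. I would add a comment above each key, for example `# set to ClusterFirstWithHostNet when hostNetwork is true`, and repeat it in the matching hunks of `manifest_staging/charts/gatekeeper/values.yaml`. Both blocks continue outside the hunks shown.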
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index a760cc2895f..53fa00ac508 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -104,10 +104,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | | controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | | controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `Default` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | -| audit.dnsPolicy | Set the dnsPolicy for audit pods | `Default` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | | audit.healthPort | Health port for audit | `9090` | | audit.metricsPort | Metrics port for audit | `8888` | | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index eac2fe0e92c..81fdfe575d4 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -41,7 +41,7 @@ controllerManager: exemptNamespaces: [] exemptNamespacePrefixes: [] hostNetwork: false - dnsPolicy: Default + dnsPolicy: ClusterFirst port: 8443 metricsPort: 8888 healthPort: 9090 
@@ -69,7 +69,7 @@ controllerManager: memory: 256Mi audit: hostNetwork: false - dnsPolicy: Default + dnsPolicy: ClusterFirst metricsPort: 8888 healthPort: 9090 priorityClassName: system-cluster-critical diff --git a/pkg/audit/manager.go b/pkg/audit/manager.go index 7a62430d67d..ec439bf3ed2 100644 --- a/pkg/audit/manager.go +++ b/pkg/audit/manager.go @@ -290,7 +290,7 @@ func (am *Manager) auditResources( } } - var errs opa.Errors + var errs []error nsCache := newNSCache() matchedKinds := make(map[string]bool) @@ -426,8 +426,9 @@ func (am *Manager) auditResources( } } } + if len(errs) > 0 { - return errs + return mergeErrors(errs) } return nil } @@ -437,7 +438,7 @@ func (am *Manager) reviewObjects(ctx context.Context, kind string, folderCount i totalViolationsPerConstraint map[util.KindVersionResource]int64, totalViolationsPerEnforcementAction map[util.EnforcementAction]int64, timestamp string) error { - var errs opa.Errors + var errs []error for i := 0; i < folderCount; i++ { // cache directory structure: // apiCacheDir/kind_folderIndex/fileIndex @@ -490,7 +491,7 @@ func (am *Manager) reviewObjects(ctx context.Context, kind string, folderCount i } } if len(errs) > 0 { - return errs + return mergeErrors(errs) } return nil } @@ -958,3 +959,16 @@ func getViolationRef(gkNamespace, rkind, rname, rnamespace, ckind, cname, cnames Namespace: gkNamespace, } } + +// mergeErrors concatenates errs into a single error. None of the original errors +// may be extracted from the result. +func mergeErrors(errs []error) error { + sb := strings.Builder{} + for i, err := range errs { + if i != 0 { + sb.WriteString("\n") + sb.WriteString(err.Error()) + } + } + return errors.New(sb.String()) +} diff --git a/website/docs/install.md b/website/docs/install.md index e7aa3b49ddf..eacf2f65d10 100644 --- a/website/docs/install.md +++ b/website/docs/install.md 
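Review bot: In the new `mergeErrors` helper, `sb.WriteString(err.Error())` sits inside the `if i != 0` branch, so the first error is never written and a slice holding one error produces `errors.New("")`. Both `auditResources` and `reviewObjects` now return through this helper, so a single audit failure would surface as an empty message, and the first cause is lost whenever there are several. Close the `if` right after the separator, `if i != 0 { sb.WriteString("\n") }`, and follow it with `sb.WriteString(err.Error())` at loop level. A small table test covering one error and two errors would pin the behaviour.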
@@ -69,7 +69,7 @@ A basic Helm chart exists in `charts/gatekeeper`. If you have Helm installed, yo ```sh helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts -helm install gatekeeper/gatekeeper --generate-name +helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace ``` If you are using the older Gatekeeper Helm repo location and Helm v3.3.2+, then use `force-update` to override the default behavior to update the existing repo. @@ -103,7 +103,7 @@ If you used `make` to deploy, then run the following to uninstall Gatekeeper: If you used `helm` to deploy, then run the following to uninstall Gatekeeper: ```sh -helm delete +helm delete gatekeeper --namespace gatekeeper-system ``` Helm v3 will not cleanup Gatekeeper installed CRDs. Run the following to uninstall Gatekeeper CRDs: diff --git a/website/versioned_docs/version-v3.6.x/install.md b/website/versioned_docs/version-v3.6.x/install.md index e7aa3b49ddf..eacf2f65d10 100644 --- a/website/versioned_docs/version-v3.6.x/install.md +++ b/website/versioned_docs/version-v3.6.x/install.md @@ -69,7 +69,7 @@ A basic Helm chart exists in `charts/gatekeeper`. If you have Helm installed, yo ```sh helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts -helm install gatekeeper/gatekeeper --generate-name +helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace ``` If you are using the older Gatekeeper Helm repo location and Helm v3.3.2+, then use `force-update` to override the default behavior to update the existing repo. @@ -103,7 +103,7 @@ If you used `make` to deploy, then run the following to uninstall Gatekeeper: If you used `helm` to deploy, then run the following to uninstall Gatekeeper: ```sh -helm delete +helm delete gatekeeper --namespace gatekeeper-system ``` Helm v3 will not cleanup Gatekeeper installed CRDs. Run the following to uninstall Gatekeeper CRDs: 
diff --git a/website/versioned_docs/version-v3.7.x/install.md b/website/versioned_docs/version-v3.7.x/install.md index e7aa3b49ddf..eacf2f65d10 100644 --- a/website/versioned_docs/version-v3.7.x/install.md +++ b/website/versioned_docs/version-v3.7.x/install.md @@ -69,7 +69,7 @@ A basic Helm chart exists in `charts/gatekeeper`. If you have Helm installed, yo ```sh helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts -helm install gatekeeper/gatekeeper --generate-name +helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace ``` If you are using the older Gatekeeper Helm repo location and Helm v3.3.2+, then use `force-update` to override the default behavior to update the existing repo. @@ -103,7 +103,7 @@ If you used `make` to deploy, then run the following to uninstall Gatekeeper: If you used `helm` to deploy, then run the following to uninstall Gatekeeper: ```sh -helm delete +helm delete gatekeeper --namespace gatekeeper-system ``` Helm v3 will not cleanup Gatekeeper installed CRDs. Run the following to uninstall Gatekeeper CRDs: