From a2e5e297accea809f2f5a4ae5fcad6010851eb15 Mon Sep 17 00:00:00 2001
From: leewoobin789 <38491025+leewoobin789@users.noreply.github.com>
Date: Tue, 2 Apr 2024 16:30:19 +0200
Subject: [PATCH] feat(helm): matchConditions added in Validating & MutatingWebhookConfiguration (#3343)
Signed-off-by: leewoobin789
---
 cmd/build/helmify/kustomize-for-helm.yaml | 2 ++
 cmd/build/helmify/main.go | 8 ++++++--
 cmd/build/helmify/replacements.go | 4 ++++
 cmd/build/helmify/static/README.md | 2 ++
 cmd/build/helmify/static/values.yaml | 2 ++
 manifest_staging/charts/gatekeeper/README.md | 2 ++
 ...ebhook-configuration-mutatingwebhookconfiguration.yaml | 3 +++
 ...hook-configuration-validatingwebhookconfiguration.yaml | 3 +++
 manifest_staging/charts/gatekeeper/values.yaml | 2 ++
 9 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index 6a336e57b37..b4ed423e095 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -255,6 +255,7 @@ webhooks:
 objectSelector: HELMSUBST_MUTATING_WEBHOOK_OBJECT_SELECTOR
 sideEffects: None
 timeoutSeconds: HELMSUBST_MUTATING_WEBHOOK_TIMEOUT
+ matchConditions: HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -281,6 +282,7 @@ webhooks:
 failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY
 rules:
 - HELMSUBST_VALIDATING_WEBHOOK_OPERATION_RULES
+ matchConditions: HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS
 - clientConfig:
 service:
 name: gatekeeper-webhook-service
diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go
index 0b91174162c..b64858f876b 100644
--- a/cmd/build/helmify/main.go
+++ b/cmd/build/helmify/main.go
@@ -108,12 +108,16 @@ func (ks *kindSet) Write() error {
 fileName := fmt.Sprintf("%s-%s.yaml", strings.ToLower(name), strings.ToLower(kind))
 if name == "validation.gatekeeper.sh" {
- obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + end + "\n"
+ matchConditions := " matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}"
+ replace := fmt.Sprintf(" {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n {{- end }}", matchConditions)
+ obj = "{{- if not .Values.disableValidatingWebhook }}\n" + strings.Replace(obj, matchConditions, replace, 1) + end + "\n"
 fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind))
 }
 if name == "mutation.gatekeeper.sh" {
- obj = "{{- if not .Values.disableMutation }}\n" + obj + end + "\n"
+ matchConditions := " matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}"
+ replace := fmt.Sprintf(" {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n {{- end }}", matchConditions)
+ obj = "{{- if not .Values.disableMutation }}\n" + strings.Replace(obj, matchConditions, replace, 1) + end + "\n"
 fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind))
 }
diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
index a47238dbd64..ea67b886896 100644
--- a/cmd/build/helmify/replacements.go
+++ b/cmd/build/helmify/replacements.go
@@ -146,6 +146,8 @@ var replacements = map[string]string{
 path: /v1/mutate
 {{- end }}`,
+ "HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}`,
+
 "HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`,
 "HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.validatingWebhookFailurePolicy }}`,
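Review bot: `strings.Replace(obj, matchConditions, replace, 1)` in both new branches is a silent no-op when the needle is absent, so any drift between the literal built here and the rendered form of `HELMSUBST_*_MATCH_CONDITIONS` in replacements.go (including the leading whitespace, which must match the generated line exactly) leaves an unguarded `matchConditions:` in the chart — the very thing the `{{- if ge ... 28 }}` wrapper exists to avoid on pre-1.28 API servers; count the occurrences and return an error from Write instead. The two branches are identical apart from the values key and the `disable*` flag, so a small helper removes the duplication and gives the guard a single definition. The guard also inspects only `.Capabilities.KubeVersion.Minor`; on distributions that report a suffixed minor such as `28+` the `int` conversion may coerce it to 0 (please verify against your target clusters), in which case the conditions would be silently dropped, and `semverCompare ">=1.28-0" .Capabilities.KubeVersion.Version` would be the more robust test. Write starts and ends outside the hunk.
```go
// guardMatchConditions wraps the rendered matchConditions line of obj in a
// KubeVersion guard. It fails if the line is not present exactly once, so a
// drift from the replacements table cannot leave the field unguarded.
func guardMatchConditions(obj, valuesKey string) (string, error) {
	// Leading whitespace must match the generated line byte-for-byte.
	line := fmt.Sprintf("  matchConditions: {{ toYaml .Values.%s | nindent 4 }}", valuesKey)
	if n := strings.Count(obj, line); n != 1 {
		return "", fmt.Errorf("expected one matchConditions line for %s, found %d", valuesKey, n)
	}
	guarded := fmt.Sprintf("  {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}\n%s\n  {{- end }}", line)
	return strings.Replace(obj, line, guarded, 1), nil
}

// … in Write, unchanged: fileName := … …
if name == "validation.gatekeeper.sh" {
	guarded, err := guardMatchConditions(obj, "validatingWebhookMatchConditions")
	if err != nil {
		return err
	}
	obj = "{{- if not .Values.disableValidatingWebhook }}\n" + guarded + end + "\n"
	// … unchanged: fileName assignment …
}
// … the mutation branch mirrors this with "mutatingWebhookMatchConditions" and disableMutation …
```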
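Review bot: The rendered value of `HELMSUBST_VALIDATING_WEBHOOK_MATCH_CONDITIONS` is matched byte-for-byte by main.go to wrap the line in a KubeVersion guard, and nothing in this entry records that coupling, so a later edit to the value (for example changing `nindent 4`) would silently leave the field unguarded. A comment above the entry such as `// main.go string-matches the rendered form of this entry to wrap it in a KubeVersion guard; keep both in sync.` would make the dependency visible at the point of change. The same applies to `HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS` in the next hunk. The replacements map starts and ends outside the hunk.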
@@ -217,6 +219,8 @@ var replacements = map[string]string{
 - 'services/status'
 {{- end }}`,
+ "HELMSUBST_MUTATING_WEBHOOK_MATCH_CONDITIONS": `{{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}`,
+
 "HELMSUBST_PDB_CONTROLLER_MANAGER_MINAVAILABLE": `{{ .Values.pdb.controllerManager.minAvailable }}`,
 `HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""`: `{{- if .Values.image.release }}
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index dacd51240ba..1a010d7a60f 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -142,6 +142,7 @@ information._
 | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
 | validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
 | validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
+| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
 | validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
 | validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
 | validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
@@ -158,6 +159,7 @@ information._
 | mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
 | mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
 | mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
+| mutatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
 | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
 | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
 | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index b5c09987127..b80b6189f46 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -14,6 +14,7 @@ validatingWebhookFailurePolicy: Ignore
 validatingWebhookAnnotations: {}
 validatingWebhookExemptNamespacesLabels: {}
 validatingWebhookObjectSelector: {}
+validatingWebhookMatchConditions: []
 validatingWebhookCheckIgnoreFailurePolicy: Fail
 validatingWebhookCustomRules: {}
 validatingWebhookURL: null
@@ -28,6 +29,7 @@ mutatingWebhookReinvocationPolicy: Never
 mutatingWebhookAnnotations: {}
 mutatingWebhookExemptNamespacesLabels: {}
 mutatingWebhookObjectSelector: {}
+mutatingWebhookMatchConditions: []
 mutatingWebhookTimeoutSeconds: 1
 mutatingWebhookCustomRules: {}
 mutatingWebhookURL: null
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index dacd51240ba..1a010d7a60f 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -142,6 +142,7 @@ information._
 | validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
 | validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
 | validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
+| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
 | validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
 | validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
 | validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
@@ -158,6 +159,7 @@ information._
 | mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
 | mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
 | mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
+| mutatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
 | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
 | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
 | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
index 5705f56796a..c3cc122851a 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -24,6 +24,9 @@ webhooks:
 path: /v1/mutate
 {{- end }}
 failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
+ matchConditions: {{ toYaml .Values.mutatingWebhookMatchConditions | nindent 4 }}
+ {{- end }}
 matchPolicy: Exact
 name: mutation.gatekeeper.sh
 namespaceSelector:
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
index 9b65cebd2f7..c8dbc8f0daa 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
@@ -24,6 +24,9 @@ webhooks:
 path: /v1/admit
 {{- end }}
 failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
+ {{- if ge (int .Capabilities.KubeVersion.Minor) 28 }}
+ matchConditions: {{ toYaml .Values.validatingWebhookMatchConditions | nindent 4 }}
+ {{- end }}
 matchPolicy: Exact
 name: validation.gatekeeper.sh
 namespaceSelector:
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index b5c09987127..b80b6189f46 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -14,6 +14,7 @@ validatingWebhookFailurePolicy: Ignore
 validatingWebhookAnnotations: {}
 validatingWebhookExemptNamespacesLabels: {}
 validatingWebhookObjectSelector: {}
+validatingWebhookMatchConditions: []
 validatingWebhookCheckIgnoreFailurePolicy: Fail
 validatingWebhookCustomRules: {}
 validatingWebhookURL: null
@@ -28,6 +29,7 @@ mutatingWebhookReinvocationPolicy: Never
 mutatingWebhookAnnotations: {}
 mutatingWebhookExemptNamespacesLabels: {}
 mutatingWebhookObjectSelector: {}
+mutatingWebhookMatchConditions: []
 mutatingWebhookTimeoutSeconds: 1
 mutatingWebhookCustomRules: {}
 mutatingWebhookURL: null