From ea71114e420be6c092ad8834a71cc4aca460c38a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?N=C3=A9stor=20Salceda?=
Date: Tue, 11 May 2021 19:26:49 +0200
Subject: [PATCH] feat: Upgrade to 3.1.0 Introduce the denyOnError feature
---
 charts/admission-controller/Chart.yaml | 4 ++--
 charts/admission-controller/README.md | 1 +
 .../templates/webhook/admissionregistration.yaml | 4 ++++
 charts/admission-controller/templates/webhook/configmap.yaml | 1 +
 charts/admission-controller/values.yaml | 2 ++
 5 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml
index 1cb9ee07e..ed084f57f 100644
--- a/charts/admission-controller/Chart.yaml
+++ b/charts/admission-controller/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.3.0
-appVersion: 3.0.0
+version: 0.4.0
+appVersion: 3.1.0
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png
 maintainers:
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
index 38fac6e78..750bc8865 100644
--- a/charts/admission-controller/README.md
+++ b/charts/admission-controller/README.md
@@ -58,6 +58,7 @@ Controller chart and their default values:
 | `webhook.nodeSelector` | Configure nodeSelector for scheduling for webhook | `{}` |
 | `webhook.tolerations` | Tolerations for scheduling for webhook | `[]` |
 | `webhook.affinity` | Configure affinity rules for webhook | `{}` |
+| `webhook.denyOnError` | Deny request when an error happened evaluating request | `false` |
 | `scanner.enabled` | Deploy the Inline Scanner Service | `true` |
 | `scanner.name` | Service name for Scanner deployment | `scanner` |
 | `scanner.replicaCount` | Amount of replicas for scanner | `1` |
diff --git a/charts/admission-controller/templates/webhook/admissionregistration.yaml b/charts/admission-controller/templates/webhook/admissionregistration.yaml
index 321c71752..9970e1458 100644
--- a/charts/admission-controller/templates/webhook/admissionregistration.yaml
+++ b/charts/admission-controller/templates/webhook/admissionregistration.yaml
@@ -27,7 +27,11 @@ webhooks:
 admissionReviewVersions: ["v1", "v1beta1"]
 sideEffects: None
 timeoutSeconds: 15
+ {{- if .Values.webhook.denyOnError }}
+ failurePolicy: Fail
+ {{- else }}
 failurePolicy: Ignore
+ {{- end }}
 {{- if .Values.features.k8sAuditDetections }}
 - name: audit.secure.sysdig.com
 matchPolicy: Equivalent
diff --git a/charts/admission-controller/templates/webhook/configmap.yaml b/charts/admission-controller/templates/webhook/configmap.yaml
index bd6f50c7a..83d987e28 100644
--- a/charts/admission-controller/templates/webhook/configmap.yaml
+++ b/charts/admission-controller/templates/webhook/configmap.yaml
@@ -15,3 +15,4 @@ data:
 PUBLISH_ON_EVENT_FEED: "{{ .Values.features.publishOnSecureEventFeed }}"
 VERIFY_SSL: "{{ .Values.verifySSL }}"
 K8S_AUDIT_DETECTIONS: "{{ .Values.features.k8sAuditDetections }}"
+ DENY_ON_ERROR: "{{ .Values.webhook.denyOnError }}"
diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml
index ceaaea918..55f5b6205 100644
--- a/charts/admission-controller/values.yaml
+++ b/charts/admission-controller/values.yaml
@@ -76,6 +76,8 @@ webhook: affinity: {} + denyOnError: false + # inline scanner configuration scanner: enabled: true
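Review bot: The new `{{- if .Values.webhook.denyOnError }}` in admissionregistration.yaml tests truthiness, so a value supplied as the string `"false"` (for example through `--set-string`) would render `failurePolicy: Fail` while configmap.yaml still renders `DENY_ON_ERROR: "false"`, leaving the API server and the webhook with opposite settings. An explicit comparison such as `{{- if eq (toString .Values.webhook.denyOnError) "true" }}` keeps the two in step. Separately, now that `Fail` is reachable, the visible lines show no `namespaceSelector` for this webhook. Its definition starts above the hunk, so confirm there that the namespace running the controller is excluded. Otherwise, if its rules match that namespace, an outage of the webhook could block re-creation of its own pods.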
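Review bot: `denyOnError: false` in values.yaml is added without a comment, and the default is the fail-open choice: when the webhook errors or cannot be reached, the request is admitted without an evaluation. A comment above the key would make that trade-off visible to operators, e.g. `# When true, reject requests if the webhook errors or is unreachable (failurePolicy: Fail); false admits them unevaluated.` The `webhook:` map starts above the hunk.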