diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index d296b16d7c5..8f14c40e5b5 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -79,6 +79,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` |
 | postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` |
 | postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` |
+| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` |
+| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` |
+| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` |
+| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` |
 | postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` |
 | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
@@ -86,6 +90,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.10.0-beta.0` |
 | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]`
+| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` |
+| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` |
+| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
+| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
 | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
 | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
@@ -93,10 +101,18 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
 | preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
+| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` |
+| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` |
+| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
+| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
 | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | psp.enabled | Enabled PodSecurityPolicy | `true` |
 | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
 | upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
+| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` |
+| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` |
+| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
+| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
 | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
 | auditInterval | The frequency with which audit is run | `60` |
 | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
diff --git a/cmd/build/helmify/static/templates/_helpers.tpl b/cmd/build/helmify/static/templates/_helpers.tpl
index 6b3dab7102a..f9a9d84a5c2 100644
--- a/cmd/build/helmify/static/templates/_helpers.tpl
+++ b/cmd/build/helmify/static/templates/_helpers.tpl
@@ -65,6 +65,8 @@ Output post install webhook probe container entry
 {{- end }}
 - "-v"
 - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
+ resources:
+ {{- toYaml .Values.postInstall.resources | nindent 4 }}
 securityContext:
 {{- toYaml .Values.postInstall.securityContext | nindent 4 }}
 volumeMounts:
diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml
index 0b157213942..c6da34d306d 100644
--- a/cmd/build/helmify/static/templates/namespace-post-install.yaml
+++ b/cmd/build/helmify/static/templates/namespace-post-install.yaml
@@ -32,8 +32,6 @@ spec:
 {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
 serviceAccount: gatekeeper-update-namespace-label
- nodeSelector:
- kubernetes.io/os: linux
 {{- if .Values.postInstall.probeWebhook.enabled }}
 volumes:
 {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
@@ -56,12 +54,22 @@ spec:
 - {{ . }}
 {{- end }}
 - --overwrite
+ resources:
+ {{- toYaml .Values.postInstall.resources | nindent 12 }}
 securityContext:
 {{- if .Values.enableRuntimeDefaultSeccompProfile }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
 {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
+ {{- with .Values.postInstall }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
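Review bot: `{{- toYaml .Values.postInstall.resources | nindent 4 }}` in the _helpers.tpl hunk, and its `nindent 12` twin in the namespace-post-install.yaml hunk, read a value that this commit's values.yaml hunk for `postInstall:` never defines: that hunk adds only affinity, tolerations and nodeSelector, while postUpgrade, preUninstall and crds each also get `resources: {}`, and the README rows added here document `postInstall.resources` with a default of `{}`. Unless the key is already defined elsewhere in the postInstall block, `toYaml` of the missing value should render `resources:` followed by `null` for the probe and label containers, which Kubernetes accepts but which matches neither the documented default nor the other three hooks. Add `resources: {}` after the new `nodeSelector: {kubernetes.io/os: linux}` line under `postInstall:` in values.yaml so `helm template` on the defaults agrees with the README. The manifest_staging copies of values.yaml, _helpers.tpl and namespace-post-install.yaml need the same line.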
diff --git a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
index 45e5130f4ac..403021956fa 100644
--- a/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
+++ b/cmd/build/helmify/static/templates/namespace-post-upgrade.yaml
@@ -30,8 +30,6 @@ spec:
 {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
 serviceAccount: gatekeeper-update-namespace-label-post-upgrade
- nodeSelector:
- kubernetes.io/os: linux
 containers:
 - name: kubectl-label
 image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
@@ -48,8 +46,18 @@ spec:
 - {{ . }}
 {{- end }}
 - --overwrite
+ resources:
+ {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
 securityContext:
 {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
+ {{- with .Values.postUpgrade }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/cmd/build/helmify/static/templates/probe-webhook-post-install.yaml b/cmd/build/helmify/static/templates/probe-webhook-post-install.yaml
index 61bb8947454..5a140d31ce0 100644
--- a/cmd/build/helmify/static/templates/probe-webhook-post-install.yaml
+++ b/cmd/build/helmify/static/templates/probe-webhook-post-install.yaml
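Review bot: The scheduling block added at the end of the pod spec in namespace-post-upgrade.yaml orders the keys affinity, tolerations, nodeSelector, whereas the namespace-post-install.yaml and webhook-configs-pre-delete.yaml hunks put nodeSelector first; the probe-webhook-post-install.yaml and upgrade-crds-hook.yaml hunks use the affinity-first order. The five hook templates are otherwise nearly identical, so a single ordering would keep them diffable against each other, and the repeated `with` block is a candidate for one named template in _helpers.tpl that is included with the relevant values section as its argument, which would remove the four copies. The manifest_staging copies of these templates carry the same blocks.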
@@ -32,11 +32,17 @@ spec:
 imagePullSecrets:
 {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
- nodeSelector:
- kubernetes.io/os: linux
 volumes:
 {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
 containers:
 {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
+ {{- with .Values.postInstall }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
index 16c84b6e621..cd57573f37a 100644
--- a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
+++ b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml
@@ -111,10 +111,12 @@ spec:
 type: RuntimeDefault
 {{- end }}
 {{- toYaml .Values.crds.securityContext | nindent 10 }}
+ {{- with .Values.crds }}
 affinity:
- {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
- nodeSelector:
- kubernetes.io/os: linux
+ {{- toYaml .affinity | nindent 8 }}
 tolerations:
- {{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }}
+ {{- toYaml .tolerations | nindent 8 }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ {{- end }}
 {{- end }}
diff --git a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
index 1a54d30f949..d610394de36 100644
--- a/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
+++ b/cmd/build/helmify/static/templates/webhook-configs-pre-delete.yaml
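Review bot: The upgrade-crds-hook.yaml hunk moves the affinity and tolerations lookups from `.Values.upgradeCRDs.*` to `.Values.crds.*` and the values.yaml hunk drops `upgradeCRDs.tolerations: []`, so a user who currently sets `upgradeCRDs.tolerations` or `upgradeCRDs.affinity` in a values file will have those settings silently ignored after upgrading, and the CRD job may no longer be schedulable on a tainted node pool; no README row in this commit marks the old keys as removed. A one-release fallback inside the new `with` block keeps existing values files working: `{{- toYaml (default .tolerations $.Values.upgradeCRDs.tolerations) | nindent 8 }}` and the same shape for affinity, with a README note that `upgradeCRDs.affinity` and `upgradeCRDs.tolerations` are deprecated in favour of `crds.*`. The block closed by the trailing `{{- end }}` starts outside the hunk. The manifest_staging copy of this template carries the identical change.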
@@ -32,8 +32,6 @@ spec:
 {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
 serviceAccount: gatekeeper-delete-webhook-configs
- nodeSelector:
- kubernetes.io/os: linux
 containers:
 - name: kubectl-delete
 image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
@@ -46,12 +44,22 @@ spec:
 {{- if not .Values.disableMutation }}
 - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
 {{- end }}
+ resources:
+ {{- toYaml .Values.preUninstall.resources | nindent 10 }}
 securityContext:
 {{- if .Values.enableRuntimeDefaultSeccompProfile }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
 {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
+ {{- with .Values.preUninstall }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 1d4968fb6f0..418ed1b7c80 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -44,6 +44,10 @@ postUpgrade:
 "pod-security.kubernetes.io/warn-version=latest",
 "pod-security.kubernetes.io/enforce=restricted",
 "pod-security.kubernetes.io/enforce-version=v1.24"]
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
+ resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -55,8 +59,8 @@ postUpgrade:
 runAsUser: 1000
 postInstall:
 labelNamespace:
- extraRules: []
 enabled: true
+ extraRules: []
 image:
 repository: openpolicyagent/gatekeeper-crds
 tag: v3.10.0-beta.0
@@ -79,6 +83,9 @@ postInstall:
 waitTimeout: 60
 httpTimeout: 2
 insecureHTTPS: false
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -97,6 +104,10 @@ preUninstall:
 tag: v3.10.0-beta.0
 pullPolicy: IfNotPresent
 pullSecrets: []
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
+ resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -173,7 +184,6 @@ audit:
 affinity: {}
 tolerations: []
 nodeSelector: {kubernetes.io/os: linux}
- writeToRAMDisk: false
 resources:
 limits:
 cpu: 1000m
@@ -194,8 +204,12 @@ audit:
 fsGroup: 999
 supplementalGroups:
 - 999
+ writeToRAMDisk: false
 extraRules: []
 crds:
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
 resources: {}
 securityContext:
 allowPrivilegeEscalation: false
@@ -215,7 +229,6 @@ psp:
 enabled: true
 upgradeCRDs:
 enabled: true
- tolerations: []
 extraRules: []
 rbac:
 create: true
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index d296b16d7c5..8f14c40e5b5 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -79,6 +79,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` |
 | postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` |
 | postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` |
+| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` |
+| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` |
+| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` |
+| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` |
 | postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` |
 | postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
@@ -86,6 +90,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.10.0-beta.0` |
 | postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]`
+| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` |
+| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` |
+| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
+| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
 | postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
 | preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
@@ -93,10 +101,18 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
 | preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` |
 | preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
+| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` |
+| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` |
+| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
+| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
 | preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
 | psp.enabled | Enabled PodSecurityPolicy | `true` |
 | upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
 | upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
+| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` |
+| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` |
+| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
+| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
 | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
 | auditInterval | The frequency with which audit is run | `60` |
 | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
diff --git a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
index 6b3dab7102a..f9a9d84a5c2 100644
--- a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
+++ b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl
@@ -65,6 +65,8 @@ Output post install webhook probe container entry
 {{- end }}
 - "-v"
 - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
+ resources:
+ {{- toYaml .Values.postInstall.resources | nindent 4 }}
 securityContext:
 {{- toYaml .Values.postInstall.securityContext | nindent 4 }}
 volumeMounts:
diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
index 0b157213942..c6da34d306d 100644
--- a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
@@ -32,8 +32,6 @@ spec:
 {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
 serviceAccount: gatekeeper-update-namespace-label
- nodeSelector:
- kubernetes.io/os: linux
 {{- if .Values.postInstall.probeWebhook.enabled }}
 volumes:
 {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
@@ -56,12 +54,22 @@ spec:
 - {{ . }}
 {{- end }}
 - --overwrite
+ resources:
+ {{- toYaml .Values.postInstall.resources | nindent 12 }}
 securityContext:
 {{- if .Values.enableRuntimeDefaultSeccompProfile }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
 {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
+ {{- with .Values.postInstall }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
index 45e5130f4ac..403021956fa 100644
--- a/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-upgrade.yaml
@@ -30,8 +30,6 @@ spec:
 {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
 serviceAccount: gatekeeper-update-namespace-label-post-upgrade
- nodeSelector:
- kubernetes.io/os: linux
 containers:
 - name: kubectl-label
 image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
@@ -48,8 +46,18 @@ spec:
 - {{ . }}
 {{- end }}
 - --overwrite
+ resources:
+ {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
 securityContext:
 {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
+ {{- with .Values.postUpgrade }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/manifest_staging/charts/gatekeeper/templates/probe-webhook-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/probe-webhook-post-install.yaml
index 61bb8947454..5a140d31ce0 100644
--- a/manifest_staging/charts/gatekeeper/templates/probe-webhook-post-install.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/probe-webhook-post-install.yaml
@@ -32,11 +32,17 @@ spec:
 imagePullSecrets:
 {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
- nodeSelector:
- kubernetes.io/os: linux
 volumes:
 {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
 containers:
 {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
+ {{- with .Values.postInstall }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
index 16c84b6e621..cd57573f37a 100644
--- a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml
@@ -111,10 +111,12 @@ spec:
 type: RuntimeDefault
 {{- end }}
 {{- toYaml .Values.crds.securityContext | nindent 10 }}
+ {{- with .Values.crds }}
 affinity:
- {{- toYaml .Values.upgradeCRDs.affinity | nindent 8 }}
- nodeSelector:
- kubernetes.io/os: linux
+ {{- toYaml .affinity | nindent 8 }}
 tolerations:
- {{- toYaml .Values.upgradeCRDs.tolerations | nindent 8 }}
+ {{- toYaml .tolerations | nindent 8 }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ {{- end }}
 {{- end }}
diff --git a/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml b/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
index 1a54d30f949..d610394de36 100644
--- a/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/webhook-configs-pre-delete.yaml
@@ -32,8 +32,6 @@ spec:
 {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }}
 {{- end }}
 serviceAccount: gatekeeper-delete-webhook-configs
- nodeSelector:
- kubernetes.io/os: linux
 containers:
 - name: kubectl-delete
 image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}"
@@ -46,12 +44,22 @@ spec:
 {{- if not .Values.disableMutation }}
 - mutatingwebhookconfiguration/gatekeeper-mutating-webhook-configuration
 {{- end }}
+ resources:
+ {{- toYaml .Values.preUninstall.resources | nindent 10 }}
 securityContext:
 {{- if .Values.enableRuntimeDefaultSeccompProfile }}
 seccompProfile:
 type: RuntimeDefault
 {{- end }}
 {{- toYaml .Values.preUninstall.securityContext | nindent 10 }}
+ {{- with .Values.preUninstall }}
+ nodeSelector:
+ {{- toYaml .nodeSelector | nindent 8 }}
+ affinity:
+ {{- toYaml .affinity | nindent 8 }}
+ tolerations:
+ {{- toYaml .tolerations | nindent 8 }}
+ {{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 1d4968fb6f0..418ed1b7c80 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -44,6 +44,10 @@ postUpgrade:
 "pod-security.kubernetes.io/warn-version=latest",
 "pod-security.kubernetes.io/enforce=restricted",
 "pod-security.kubernetes.io/enforce-version=v1.24"]
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
+ resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -55,8 +59,8 @@ postUpgrade:
 runAsUser: 1000
 postInstall:
 labelNamespace:
- extraRules: []
 enabled: true
+ extraRules: []
 image:
 repository: openpolicyagent/gatekeeper-crds
 tag: v3.10.0-beta.0
@@ -79,6 +83,9 @@ postInstall:
 waitTimeout: 60
 httpTimeout: 2
 insecureHTTPS: false
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -97,6 +104,10 @@ preUninstall:
 tag: v3.10.0-beta.0
 pullPolicy: IfNotPresent
 pullSecrets: []
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
+ resources: {}
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
@@ -173,7 +184,6 @@ audit:
 affinity: {}
 tolerations: []
 nodeSelector: {kubernetes.io/os: linux}
- writeToRAMDisk: false
 resources:
 limits:
 cpu: 1000m
@@ -194,8 +204,12 @@ audit:
 fsGroup: 999
 supplementalGroups:
 - 999
+ writeToRAMDisk: false
 extraRules: []
 crds:
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
 resources: {}
 securityContext:
 allowPrivilegeEscalation: false
@@ -215,7 +229,6 @@ psp:
 enabled: true
 upgradeCRDs:
 enabled: true
- tolerations: []
 extraRules: []
 rbac:
 create: true