From bd334c6f4cb3cdf1af900ad3fe1b7b13ada325d2 Mon Sep 17 00:00:00 2001 From: Max Falk Date: Thu, 9 Mar 2023 16:30:11 +0100 Subject: [PATCH 1/2] Fix helm chart documentation for setting audit and webhook selectors and affinity I was wondering why the helm chart did not apply any affinity or topologySpreadConstraints for the audit and webhook Pods. Turns out the documentation is outdated and we can (and need to) set `nodeSelector`, `affinity`, `topologySpreadConstraints` and `tolerations` on the `values.audit` and `values.controllerManager` level instead of just top level `values`. Signed-off-by: Max Falk --- charts/gatekeeper/README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md index 4278419da1c..aecd3bc1dd1 100644 --- a/charts/gatekeeper/README.md +++ b/charts/gatekeeper/README.md 
@@ -152,10 +152,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | image.release | The image release tag to use | Current release version: `v3.12.0-beta.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| affinity | The node affinity to use for pod scheduling | `{}` | -| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | -| tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for pod scheduling | `[]` | | controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.metricsPort | Metrics port for controller manager | `8888` | 
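Review bot: In this charts/gatekeeper/README.md `@@ -152,10 +152,10` hunk the four scheduling rows are renamed to `controllerManager.*` but their descriptions still say only "pod scheduling"; since the next hunk documents the same four keys under `audit.*`, the descriptions should name the component ("The node affinity to use for controller manager pod scheduling") so the two sets of rows can be told apart, as patch 2 does for the other two READMEs. Also worth noting that no top-level `nodeSelector` row survives here, whereas the cmd/build/helmify/static/README.md hunk in patch 2 keeps a top-level `nodeSelector`; the two files should agree on whether that key is global or per component.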
@@ -171,6 +171,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| audit.nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| audit.affinity | The node affinity to use for pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for pod scheduling | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | From 345b7779c5227b2f5d72362887332bae96072902 Mon Sep 17 00:00:00 2001 From: Max Falk Date: Sun, 19 Mar 2023 14:44:00 +0100 Subject: [PATCH 2/2] docs(helm): Fix indentation for audit and webhook pod constraints Signed-off-by: Max Falk --- charts/gatekeeper/README.md | 12 ++++-------- cmd/build/helmify/static/README.md | 9 ++++++--- manifest_staging/charts/gatekeeper/README.md | 9 ++++++--- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/charts/gatekeeper/README.md b/charts/gatekeeper/README.md index aecd3bc1dd1..4278419da1c 100644 --- a/charts/gatekeeper/README.md +++ b/charts/gatekeeper/README.md 
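Review bot: In the charts/gatekeeper/README.md `@@ -171,6 +171,10` hunk of patch 1, the added `audit.tolerations` row is missing its default-value cell: the three rows above it end with `` `{}` | `` or `` `[]` | ``, while this one stops after "The tolerations to use for pod scheduling" and runs into the `audit.priorityClassName` context row, so the markdown table renders with a malformed row. It should read `| audit.tolerations | The tolerations to use for pod scheduling | `[]` |`. Patch 2 removes this row again, but each commit in the series should leave the table well-formed on its own.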
@@ -152,10 +152,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | image.release | The image release tag to use | Current release version: `v3.12.0-beta.0` | | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| controllerManager.nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| controllerManager.affinity | The node affinity to use for pod scheduling | `{}` | -| controllerManager.topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | -| controllerManager.tolerations | The tolerations to use for pod scheduling | `[]` | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| affinity | The node affinity to use for pod scheduling | `{}` | +| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | +| tolerations | The tolerations to use for pod scheduling | `[]` | | controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.metricsPort | Metrics port for controller manager | `8888` | 
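Review bot: This charts/gatekeeper/README.md `@@ -152,10 +152,10` hunk in patch 2 is an exact revert of patch 1's first hunk (the blob goes `4278419da1c` to `aecd3bc1dd1` in patch 1 and back to `4278419da1c` here), so over the whole series charts/gatekeeper/README.md ends up unchanged and the fix lands only in cmd/build/helmify/static/README.md and manifest_staging/charts/gatekeeper/README.md. Squash the two commits (or drop patch 1) so the history does not carry a change followed by its own undo, and say in the commit message why charts/gatekeeper/README.md is deliberately left alone (for example, if it is regenerated from the static template at release time, state that).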
@@ -171,10 +171,6 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | | controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | -| audit.nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| audit.affinity | The node affinity to use for pod scheduling | `{}` | -| audit.topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | -| audit.tolerations | The tolerations to use for pod scheduling | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index c5fbd2356fe..d7072a1e7e5 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -157,9 +157,9 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| affinity | The node affinity to use for pod scheduling | `{}` | -| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | -| tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | | controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.metricsPort | Metrics port for controller manager | `8888` | 
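Review bot: In the cmd/build/helmify/static/README.md `@@ -157,9 +157,9` hunk, `nodeSelector` stays a top-level row while `affinity`, `topologySpreadConstraints` and `tolerations` move under `controllerManager.`, yet patch 1's commit message says `nodeSelector` also has to be set at the `values.controllerManager` and `values.audit` level. One of the two is wrong: either add `controllerManager.nodeSelector` and `audit.nodeSelector` rows (as patch 1 did) or correct the commit message to list only the three keys that are actually per component; checking the deployment templates against values.yaml settles it. If `nodeSelector` really is global, its description should say it applies to both the webhook and audit pods, since the default `kubernetes.io/os: linux` then constrains both.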
@@ -177,6 +177,9 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | | controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index c5fbd2356fe..d7072a1e7e5 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
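Review bot: The three `audit.*` rows added in the cmd/build/helmify/static/README.md `@@ -177,6 +177,9` hunk are well-formed (each has its default cell, unlike the corresponding patch 1 row), but there is no `audit.nodeSelector` row; if `nodeSelector` is in fact per component, as patch 1's commit message states, this hunk needs that fourth row too. Nit in the adjacent context row `audit.podSecurityContext`: `suplementalGroups` is misspelled (the pod spec field is `supplementalGroups`); not part of this change, but cheap to fix in the same docs commit so the table does not teach a key name that Kubernetes will reject.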
@@ -157,9 +157,9 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | image.pullSecrets | Specify an array of imagePullSecrets | `[]` | | resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | | nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| affinity | The node affinity to use for pod scheduling | `{}` | -| topologySpreadConstraints | The topology spread constraints to use for pod scheduling | `[]` | -| tolerations | The tolerations to use for pod scheduling | `[]` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | | controllerManager.healthPort | Health port for controller manager | `9090` | | controllerManager.port | Webhook-server port for controller manager | `8443` | | controllerManager.metricsPort | Metrics port for controller manager | `8888` | 
@@ -177,6 +177,9 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | | controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | | controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | | audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | | audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | | audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
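Review bot: The two manifest_staging/charts/gatekeeper/README.md hunks (`@@ -157,9 +157,9` and `@@ -177,6 +177,9`) are byte-identical to the cmd/build/helmify/static/README.md ones, down to the blob ids `c5fbd2356fe..d7072a1e7e5` on both files, so every comment on the static README (the `nodeSelector` inconsistency with patch 1's commit message, the missing `audit.nodeSelector` row, the `suplementalGroups` typo in context) applies here unchanged. If manifest_staging is generated from the static template, regenerate it with the project's build step rather than hand-editing both copies, so the two files cannot drift apart in later changes.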